[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1086762: bullseye-pu: package edk2/2020.11-2+deb11u3

Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: edk2@packages.debian.org
Control: affects -1 + src:edk2
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
The security team has asked me to prepare a stable update that resolves
2 non-critical security issues.

[ Impact ]
Users remain vulnerable to these security issues.

[ Tests ]
I don't have reproducers for these issues. I regression tested using the
autopkgtests. The regression tests should exercise the PE/COFF Loader.

[ Risks ]
This modifies code in the PE/COFF loader, so a regression could cause
certain binaries to fail to load/execute. It also modifies code in the
S3 Resume Path, so a regression could lead to issues with Suspend/Resume.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
These are backports of upstream fixes that only required context changes to
apply.

diff -Nru edk2-2020.11/debian/changelog edk2-2020.11/debian/changelog
--- edk2-2020.11/debian/changelog	2024-02-13 18:22:25.000000000 -0700
+++ edk2-2020.11/debian/changelog	2024-11-05 06:13:20.000000000 -0700
@@ -1,3 +1,14 @@
+edk2 (2020.11-2+deb11u3) bullseye; urgency=medium
+
+  * Fix overflow condition in PeCoffLoaderRelocateImage(), CVE-2024-38796:
+    - d/p/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
+    - d/p/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch
+    (Closes: #1084055)
+  * Fix potential UINT32 overflow in S3 ResumeCount. CVE-2024-1298:
+    - d/p/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch
+
+ -- dann frazier <dannf@debian.org>  Tue, 05 Nov 2024 06:13:20 -0700
+
 edk2 (2020.11-2+deb11u2) bullseye-security; urgency=medium
 
   * Disable the built-in Shell when SecureBoot is enabled, CVE-2023-48733.
diff -Nru edk2-2020.11/debian/patches/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch edk2-2020.11/debian/patches/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
--- edk2-2020.11/debian/patches/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-2020.11/debian/patches/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch	2024-11-05 06:13:20.000000000 -0700
@@ -0,0 +1,29 @@
+From c95233b8525ca6828921affd1496146cff262e65 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Fri, 27 Sep 2024 12:08:55 -0700
+Subject: [PATCH] MdePkg: Fix overflow issue in BasePeCoffLib
+
+The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is
+also a UINT32 value. The current code does not check for overflow when
+adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a
+check to ensure that the addition does not overflow.
+
+Signed-off-by: Doug Flick <dougflick@microsoft.com>
+Authored-by: sriraamx gobichettipalayam <sri..@intel.com>
+
+Origin: upstream, https://github.com/tianocore/edk2/commit/c95233b8525ca6828921affd1496146cff262e65
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1993
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084055
+Last-Update: 2024-11-04
+
+--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
++++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+@@ -991,7 +991,7 @@
+     RelocDir = &Hdr.Te->DataDirectory[0];
+   }
+ 
+-  if ((RelocDir != NULL) && (RelocDir->Size > 0)) {
++  if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {

+     RelocBase = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
+     RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext,
+                                                                             RelocDir->VirtualAddress + RelocDir->Size - 1,
diff -Nru edk2-2020.11/debian/patches/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch edk2-2020.11/debian/patches/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch
--- edk2-2020.11/debian/patches/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-2020.11/debian/patches/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch	2024-11-05 06:13:20.000000000 -0700
@@ -0,0 +1,30 @@
+From e73ec569429ba72fbb6829518d6c192b4cd3346f Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Mon, 30 Sep 2024 12:54:30 -0700
+Subject: [PATCH] MdePkg: Improving readability of CVE patch for
+ PeCoffLoaderRelocateImage
+
+This change adds parantheses to the if condition detecting overflow in
+the PeCoffLoaderRelocateImage function to improve readability.
+
+Follow on change for:
+    REF!: https://github.com/tianocore/edk2/pull/6249
+
+Signed-off-by: Doug Flick <dougflick@microsoft.com>
+
+Origin: upstream, https://github.com/tianocore/edk2/commit/e73ec569429ba72fbb6829518d6c192b4cd3346f
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1993
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084055
+Last-Update: 2024-11-04
+
+--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
++++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+@@ -991,7 +991,7 @@
+     RelocDir = &Hdr.Te->DataDirectory[0];
+   }
+ 
+-  if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {

++  if ((RelocDir != NULL) && (RelocDir->Size > 0) && ((RelocDir->Size - 1) < (MAX_UINT32 - RelocDir->VirtualAddress))) {

+     RelocBase = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
+     RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext,
+                                                                             RelocDir->VirtualAddress + RelocDir->Size - 1,
diff -Nru edk2-2020.11/debian/patches/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch edk2-2020.11/debian/patches/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch
--- edk2-2020.11/debian/patches/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-2020.11/debian/patches/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch	2024-11-05 06:13:20.000000000 -0700
@@ -0,0 +1,43 @@
+From 284dbac43da752ee34825c8b3f6f9e8281cb5a19 Mon Sep 17 00:00:00 2001
+From: Shanmugavel Pakkirisamy <shanmugavelx.pakkirisamy@intel.com>
+Date: Mon, 6 May 2024 17:53:09 +0800
+Subject: [PATCH] MdeModulePkg: Potential UINT32 overflow in S3 ResumeCount
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4677
+
+Attacker able to modify physical memory and ResumeCount.
+System will crash/DoS when ResumeCount reaches its MAX_UINT32.
+
+Cc: Zhiguang Liu <zhiguang.liu@intel.com>
+Cc: Dandan Bi <dandan.bi@intel.com>
+Cc: Liming Gao <gaoliming@byosoft.com.cn>
+
+Signed-off-by: Pakkirisamy ShanmugavelX <shanmugavelx.pakkirisamy@intel.com>
+Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
+
+Origin: upstream, https://github.com/tianocore/edk2/commit/284dbac43da752ee34825c8b3f6f9e8281cb5a19
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=4677
+Last-Updated: 2024-11-04
+
+--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
+@@ -110,11 +110,15 @@
+   //
+   S3ResumeTotal = MultU64x32 (AcpiS3ResumeRecord->AverageResume, AcpiS3ResumeRecord->ResumeCount);
+   AcpiS3ResumeRecord->ResumeCount++;
+-  AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount);
++  if (AcpiS3ResumeRecord->ResumeCount > 0) {

++    AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount);

++    DEBUG ((DEBUG_INFO, "\nFPDT: S3 Resume Performance - AverageResume = 0x%x\n", AcpiS3ResumeRecord->AverageResume));

++  } else {

++    DEBUG ((DEBUG_ERROR, "\nFPDT: S3 ResumeCount reaches the MAX_UINT32 value. S3 ResumeCount record reset to Zero."));

++  }

+ 
+-  DEBUG ((EFI_D_INFO, "FPDT: S3 Resume Performance - ResumeCount   = %d\n", AcpiS3ResumeRecord->ResumeCount));
+-  DEBUG ((EFI_D_INFO, "FPDT: S3 Resume Performance - FullResume    = %ld\n", AcpiS3ResumeRecord->FullResume));
+-  DEBUG ((EFI_D_INFO, "FPDT: S3 Resume Performance - AverageResume = %ld\n", AcpiS3ResumeRecord->AverageResume));
++  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - ResumeCount   = 0x%x\n", AcpiS3ResumeRecord->ResumeCount));

++  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - FullResume    = 0x%x\n", AcpiS3ResumeRecord->FullResume));

+ 
+   //
+   // Update S3 Suspend Performance Record.
diff -Nru edk2-2020.11/debian/patches/series edk2-2020.11/debian/patches/series
--- edk2-2020.11/debian/patches/series	2024-02-13 18:22:25.000000000 -0700
+++ edk2-2020.11/debian/patches/series	2024-11-05 06:13:20.000000000 -0700
@@ -8,3 +8,6 @@
 0003-OvmfPkg-add-SecureBootVariableLib-class-resolution.patch
 0004-SecurityPkg-SecureBootVariableLib-Added-newly-suppor.patch
 Disable-the-Shell-when-SecureBoot-is-enabled.patch
+0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
+0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch
+MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch
Reply to: