Bug#1086761: patch
diff -Nru edk2-2022.11/debian/changelog edk2-2022.11/debian/changelog
--- edk2-2022.11/debian/changelog 2024-02-12 13:43:50.000000000 -0700
+++ edk2-2022.11/debian/changelog 2024-11-05 06:10:49.000000000 -0700
@@ -1,3 +1,14 @@
+edk2 (2022.11-6+deb12u2) bookworm; urgency=medium
+
+ * Fix overflow condition in PeCoffLoaderRelocateImage(), CVE-2024-38796:
+ - d/p/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
+ - d/p/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch
+ (Closes: #1084055)
+ * Fix potential UINT32 overflow in S3 ResumeCount. CVE-2024-1298:
+ - d/p/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch
+
+ -- dann frazier <dannf@debian.org> Tue, 05 Nov 2024 06:10:49 -0700
+
edk2 (2022.11-6+deb12u1) bookworm-security; urgency=medium
* Cherry-pick security fixes from upstream:
diff -Nru edk2-2022.11/debian/patches/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch edk2-2022.11/debian/patches/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
--- edk2-2022.11/debian/patches/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch 1969-12-31 17:00:00.000000000 -0700
+++ edk2-2022.11/debian/patches/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch 2024-11-05 06:10:49.000000000 -0700
@@ -0,0 +1,28 @@
+From c95233b8525ca6828921affd1496146cff262e65 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Fri, 27 Sep 2024 12:08:55 -0700
+Subject: [PATCH] MdePkg: Fix overflow issue in BasePeCoffLib
+
+The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is
+also a UINT32 value. The current code does not check for overflow when
+adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a
+check to ensure that the addition does not overflow.
+
+Signed-off-by: Doug Flick <dougflick@microsoft.com>
+Authored-by: sriraamx gobichettipalayam <sri..@intel.com>
+
+Origin: upstream, https://github.com/tianocore/edk2/commit/c95233b8525ca6828921affd1496146cff262e65
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1993
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084055
+
+--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
++++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+@@ -1015,7 +1015,7 @@
+ RelocDir = &Hdr.Te->DataDirectory[0];
+ }
+
+- if ((RelocDir != NULL) && (RelocDir->Size > 0)) {
++ if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {
+ RelocBase = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
+ RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (
+ ImageContext,
diff -Nru edk2-2022.11/debian/patches/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch edk2-2022.11/debian/patches/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch
--- edk2-2022.11/debian/patches/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch 1969-12-31 17:00:00.000000000 -0700
+++ edk2-2022.11/debian/patches/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch 2024-11-05 06:10:49.000000000 -0700
@@ -0,0 +1,29 @@
+From e73ec569429ba72fbb6829518d6c192b4cd3346f Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Mon, 30 Sep 2024 12:54:30 -0700
+Subject: [PATCH] MdePkg: Improving readability of CVE patch for
+ PeCoffLoaderRelocateImage
+
+This change adds parantheses to the if condition detecting overflow in
+the PeCoffLoaderRelocateImage function to improve readability.
+
+Follow on change for:
+ REF!: https://github.com/tianocore/edk2/pull/6249
+
+Signed-off-by: Doug Flick <dougflick@microsoft.com>
+
+Origin: upstream, https://github.com/tianocore/edk2/commit/e73ec569429ba72fbb6829518d6c192b4cd3346f
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1993
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084055
+
+--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
++++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+@@ -1015,7 +1015,7 @@
+ RelocDir = &Hdr.Te->DataDirectory[0];
+ }
+
+- if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {
++ if ((RelocDir != NULL) && (RelocDir->Size > 0) && ((RelocDir->Size - 1) < (MAX_UINT32 - RelocDir->VirtualAddress))) {
+ RelocBase = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
+ RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (
+ ImageContext,
diff -Nru edk2-2022.11/debian/patches/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch edk2-2022.11/debian/patches/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch
--- edk2-2022.11/debian/patches/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch 1969-12-31 17:00:00.000000000 -0700
+++ edk2-2022.11/debian/patches/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch 2024-11-05 06:10:49.000000000 -0700
@@ -0,0 +1,48 @@
+From 284dbac43da752ee34825c8b3f6f9e8281cb5a19 Mon Sep 17 00:00:00 2001
+From: Shanmugavel Pakkirisamy <shanmugavelx.pakkirisamy@intel.com>
+Date: Mon, 6 May 2024 17:53:09 +0800
+Subject: [PATCH] MdeModulePkg: Potential UINT32 overflow in S3 ResumeCount
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4677
+
+Attacker able to modify physical memory and ResumeCount.
+System will crash/DoS when ResumeCount reaches its MAX_UINT32.
+
+Cc: Zhiguang Liu <zhiguang.liu@intel.com>
+Cc: Dandan Bi <dandan.bi@intel.com>
+Cc: Liming Gao <gaoliming@byosoft.com.cn>
+
+Signed-off-by: Pakkirisamy ShanmugavelX <shanmugavelx.pakkirisamy@intel.com>
+Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
+
+Origin: upstream, https://github.com/tianocore/edk2/commit/284dbac43da752ee34825c8b3f6f9e8281cb5a19
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=4677
+Last-Updated: 2024-11-02
+
+diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
+index 2f2b2a80b2..2ba9215226 100644
+--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
+@@ -112,11 +112,15 @@ FpdtStatusCodeListenerPei (
+ //
+ S3ResumeTotal = MultU64x32 (AcpiS3ResumeRecord->AverageResume, AcpiS3ResumeRecord->ResumeCount);
+ AcpiS3ResumeRecord->ResumeCount++;
+- AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount);
++ if (AcpiS3ResumeRecord->ResumeCount > 0) {
++ AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount);
++ DEBUG ((DEBUG_INFO, "\nFPDT: S3 Resume Performance - AverageResume = 0x%x\n", AcpiS3ResumeRecord->AverageResume));
++ } else {
++ DEBUG ((DEBUG_ERROR, "\nFPDT: S3 ResumeCount reaches the MAX_UINT32 value. S3 ResumeCount record reset to Zero."));
++ }
+
+- DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - ResumeCount = %d\n", AcpiS3ResumeRecord->ResumeCount));
+- DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - FullResume = %ld\n", AcpiS3ResumeRecord->FullResume));
+- DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - AverageResume = %ld\n", AcpiS3ResumeRecord->AverageResume));
++ DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - ResumeCount = 0x%x\n", AcpiS3ResumeRecord->ResumeCount));
++ DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - FullResume = 0x%x\n", AcpiS3ResumeRecord->FullResume));
+
+ //
+ // Update S3 Suspend Performance Record.
+--
+2.45.2
+
diff -Nru edk2-2022.11/debian/patches/series edk2-2022.11/debian/patches/series
--- edk2-2022.11/debian/patches/series 2024-02-12 13:43:50.000000000 -0700
+++ edk2-2022.11/debian/patches/series 2024-11-05 06:10:49.000000000 -0700
@@ -29,3 +29,6 @@
0014-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
0015-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch
Disable-the-Shell-when-SecureBoot-is-enabled.patch
+0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
+0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch
+MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch
Reply to: