
Bug#1086762: marked as done (bullseye-pu: package edk2/2020.11-2+deb11u3)



Your message dated Tue, 05 Nov 2024 18:38:33 +0000
with message-id <d53d7dc251e73fdfc226d2c9e7edc779d0e18b5e.camel@adam-barratt.org.uk>
and subject line Re: Bug#1086762: bullseye-pu: package edk2/2020.11-2+deb11u3
has caused the Debian Bug report #1086762,
regarding bullseye-pu: package edk2/2020.11-2+deb11u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1086762: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086762
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: edk2@packages.debian.org
Control: affects -1 + src:edk2
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
The security team has asked me to prepare a stable update that resolves
2 non-critical security issues.

[ Impact ]
Users remain vulnerable to these security issues.

[ Tests ]
I don't have reproducers for these issues. I regression tested using the
autopkgtests. The regression tests should exercise the PE/COFF Loader.

[ Risks ]
This modifies code in the PE/COFF loader, so a regression could cause
certain binaries to fail to load/execute. It also modifies code in the
S3 Resume Path, so a regression could lead to issues with Suspend/Resume.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
These are backports of upstream fixes that only required context changes to
apply.
diff -Nru edk2-2020.11/debian/changelog edk2-2020.11/debian/changelog
--- edk2-2020.11/debian/changelog	2024-02-13 18:22:25.000000000 -0700
+++ edk2-2020.11/debian/changelog	2024-11-05 06:13:20.000000000 -0700
@@ -1,3 +1,14 @@
+edk2 (2020.11-2+deb11u3) bullseye; urgency=medium
+
+  * Fix overflow condition in PeCoffLoaderRelocateImage(), CVE-2024-38796:
+    - d/p/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
+    - d/p/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch
+    (Closes: #1084055)
+  * Fix potential UINT32 overflow in S3 ResumeCount. CVE-2024-1298:
+    - d/p/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch
+
+ -- dann frazier <dannf@debian.org>  Tue, 05 Nov 2024 06:13:20 -0700
+
 edk2 (2020.11-2+deb11u2) bullseye-security; urgency=medium
 
   * Disable the built-in Shell when SecureBoot is enabled, CVE-2023-48733.
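Review bot: the second changelog item carries no Closes: reference where the first one cites #1084055; if a Debian bug tracks CVE-2024-1298 it should be named here so the BTS closes it on upload, and the separator after "S3 ResumeCount" should be a comma to match the first item's "PeCoffLoaderRelocateImage(), CVE-2024-38796:".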
diff -Nru edk2-2020.11/debian/patches/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch edk2-2020.11/debian/patches/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
--- edk2-2020.11/debian/patches/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-2020.11/debian/patches/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch	2024-11-05 06:13:20.000000000 -0700
@@ -0,0 +1,29 @@
+From c95233b8525ca6828921affd1496146cff262e65 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Fri, 27 Sep 2024 12:08:55 -0700
+Subject: [PATCH] MdePkg: Fix overflow issue in BasePeCoffLib
+
+The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is
+also a UINT32 value. The current code does not check for overflow when
+adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a
+check to ensure that the addition does not overflow.
+
+Signed-off-by: Doug Flick <dougflick@microsoft.com>
+Authored-by: sriraamx gobichettipalayam <sri..@intel.com>
+
+Origin: upstream, https://github.com/tianocore/edk2/commit/c95233b8525ca6828921affd1496146cff262e65
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1993
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084055
+Last-Update: 2024-11-04
+
+--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
++++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+@@ -991,7 +991,7 @@
+     RelocDir = &Hdr.Te->DataDirectory[0];
+   }
+ 
+-  if ((RelocDir != NULL) && (RelocDir->Size > 0)) {
++  if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {
+     RelocBase = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
+     RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext,
+                                                                             RelocDir->VirtualAddress + RelocDir->Size - 1,
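Review bot: the new guard in the `if` at @@ -991 depends on the preceding `RelocDir->Size > 0` term so that `RelocDir->Size - 1` cannot wrap, and because the comparison is strict it also rejects the boundary case `VirtualAddress + Size - 1 == MAX_UINT32`, not only true overflows; that is acceptable but worth one line in the Debian patch header, since the upstream message only says the addition "does not overflow". An image whose relocation directory claims an out-of-range extent now simply fails this condition instead of being rejected with an error; the code that handles that case lies outside the hunk, so confirm the rest of PeCoffLoaderRelocateImage treats a skipped relocation directory as intended for this backport.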
diff -Nru edk2-2020.11/debian/patches/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch edk2-2020.11/debian/patches/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch
--- edk2-2020.11/debian/patches/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-2020.11/debian/patches/0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch	2024-11-05 06:13:20.000000000 -0700
@@ -0,0 +1,30 @@
+From e73ec569429ba72fbb6829518d6c192b4cd3346f Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Mon, 30 Sep 2024 12:54:30 -0700
+Subject: [PATCH] MdePkg: Improving readability of CVE patch for
+ PeCoffLoaderRelocateImage
+
+This change adds parantheses to the if condition detecting overflow in
+the PeCoffLoaderRelocateImage function to improve readability.
+
+Follow on change for:
+    REF!: https://github.com/tianocore/edk2/pull/6249
+
+Signed-off-by: Doug Flick <dougflick@microsoft.com>
+
+Origin: upstream, https://github.com/tianocore/edk2/commit/e73ec569429ba72fbb6829518d6c192b4cd3346f
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1993
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084055
+Last-Update: 2024-11-04
+
+--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
++++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+@@ -991,7 +991,7 @@
+     RelocDir = &Hdr.Te->DataDirectory[0];
+   }
+ 
+-  if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {
++  if ((RelocDir != NULL) && (RelocDir->Size > 0) && ((RelocDir->Size - 1) < (MAX_UINT32 - RelocDir->VirtualAddress))) {
+     RelocBase = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
+     RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext,
+                                                                             RelocDir->VirtualAddress + RelocDir->Size - 1,
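Review bot: no behavioural change in this hunk: binary `-` binds more tightly than `<` in C, so the added parentheses only make the intent of the overflow check explicit. Keeping it as its own patch preserves the 1:1 mapping to upstream commit e73ec569, which is fine, though it could equally be folded into 0001 since it rewrites the exact line that patch introduces.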
diff -Nru edk2-2020.11/debian/patches/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch edk2-2020.11/debian/patches/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch
--- edk2-2020.11/debian/patches/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-2020.11/debian/patches/MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch	2024-11-05 06:13:20.000000000 -0700
@@ -0,0 +1,43 @@
+From 284dbac43da752ee34825c8b3f6f9e8281cb5a19 Mon Sep 17 00:00:00 2001
+From: Shanmugavel Pakkirisamy <shanmugavelx.pakkirisamy@intel.com>
+Date: Mon, 6 May 2024 17:53:09 +0800
+Subject: [PATCH] MdeModulePkg: Potential UINT32 overflow in S3 ResumeCount
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4677
+
+Attacker able to modify physical memory and ResumeCount.
+System will crash/DoS when ResumeCount reaches its MAX_UINT32.
+
+Cc: Zhiguang Liu <zhiguang.liu@intel.com>
+Cc: Dandan Bi <dandan.bi@intel.com>
+Cc: Liming Gao <gaoliming@byosoft.com.cn>
+
+Signed-off-by: Pakkirisamy ShanmugavelX <shanmugavelx.pakkirisamy@intel.com>
+Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
+
+Origin: upstream, https://github.com/tianocore/edk2/commit/284dbac43da752ee34825c8b3f6f9e8281cb5a19
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=4677
+Last-Updated: 2024-11-04
+
+--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
+@@ -110,11 +110,15 @@
+   //
+   S3ResumeTotal = MultU64x32 (AcpiS3ResumeRecord->AverageResume, AcpiS3ResumeRecord->ResumeCount);
+   AcpiS3ResumeRecord->ResumeCount++;
+-  AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount);
++  if (AcpiS3ResumeRecord->ResumeCount > 0) {
++    AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount);
++    DEBUG ((DEBUG_INFO, "\nFPDT: S3 Resume Performance - AverageResume = 0x%x\n", AcpiS3ResumeRecord->AverageResume));
++  } else {
++    DEBUG ((DEBUG_ERROR, "\nFPDT: S3 ResumeCount reaches the MAX_UINT32 value. S3 ResumeCount record reset to Zero."));
++  }
+ 
+-  DEBUG ((EFI_D_INFO, "FPDT: S3 Resume Performance - ResumeCount   = %d\n", AcpiS3ResumeRecord->ResumeCount));
+-  DEBUG ((EFI_D_INFO, "FPDT: S3 Resume Performance - FullResume    = %ld\n", AcpiS3ResumeRecord->FullResume));
+-  DEBUG ((EFI_D_INFO, "FPDT: S3 Resume Performance - AverageResume = %ld\n", AcpiS3ResumeRecord->AverageResume));
++  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - ResumeCount   = 0x%x\n", AcpiS3ResumeRecord->ResumeCount));
++  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - FullResume    = 0x%x\n", AcpiS3ResumeRecord->FullResume));
+ 
+   //
+   // Update S3 Suspend Performance Record.
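Review bot: the `if (AcpiS3ResumeRecord->ResumeCount > 0)` test placed after `ResumeCount++` catches the wrap to zero and so keeps DivU64x32 from dividing by zero, which is the crash the message describes; two smaller issues sit in the same hunk. The replacement DEBUG lines print the 64-bit FullResume and AverageResume with `0x%x`, which in EDK2 PrintLib formats a 32-bit argument (only the `l` modifier selects UINT64), so they show just the low half where the removed `%ld` lines were correct, and the DEBUG_ERROR text says the record is "reset to Zero" although only ResumeCount has wrapped while AverageResume keeps its previous value. Both come verbatim from the upstream commit and touch debug output only, so they need not block the update. Separately, `Last-Updated:` is not the DEP-3 field name; use `Last-Update:` as in the other two patches, and consider adding the CVE-2024-1298 reference to the header so the patch is self-describing.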
diff -Nru edk2-2020.11/debian/patches/series edk2-2020.11/debian/patches/series
--- edk2-2020.11/debian/patches/series	2024-02-13 18:22:25.000000000 -0700
+++ edk2-2020.11/debian/patches/series	2024-11-05 06:13:20.000000000 -0700
@@ -8,3 +8,6 @@
 0003-OvmfPkg-add-SecureBootVariableLib-class-resolution.patch
 0004-SecurityPkg-SecureBootVariableLib-Added-newly-suppor.patch
 Disable-the-Shell-when-SecureBoot-is-enabled.patch
+0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
+0002-MdePkg-Improving-readability-of-CVE-patch-for-PeCoff.patch
+MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch
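Review bot: the new `0001-` and `0002-` prefixes restart the numbering below the existing `0003-`/`0004-` entries they follow in series, and the third new patch carries no number at all, so the file no longer reads as a sequence; either drop the numeric prefixes on the two MdePkg patches or continue the existing scheme. Appending the three after Disable-the-Shell-when-SecureBoot-is-enabled.patch is otherwise correct, as they touch different files from the earlier patches.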

--- End Message ---
--- Begin Message ---
Hi,

On Tue, 2024-11-05 at 06:31 -0700, dann frazier wrote:
> The security team has asked me to prepare a stable update that
> resolves 2 non-critical security issues.

bullseye has been handled by the LTS Team since the 11.11 point release
in August (although I see we didn't make that quite as obvious in the
announcement as we did for the buster equivalent). Please co-ordinate
any further updates to bullseye with them.

Regards,

Adam

--- End Message ---
