Fix CVE-2024-13176、CVE-2024-4741

2025-02-26 00:19:23 +08:00 · 2025-02-26 00:19:23 +08:00 · 3f98777660
commit 3f98777660
parent 14c137cd27
3 changed files with 199 additions and 1 deletions
--- a/0095-Fix-timing-side-channel-CVE-2024-13176.patch
+++ b/0095-Fix-timing-side-channel-CVE-2024-13176.patch
@ -0,0 +1,121 @@
 From 364614adb972bc64e4174031a026d14896b22463 Mon Sep 17 00:00:00 2001
 From: hy <12444214+dhjgty@user.noreply.gitee.com>
 Date: Wed, 26 Feb 2025 01:13:34 +0800
 Subject: [PATCH] Fix timing side-channel in ECDSA signature computation There
 is a timing signal of around 300 nanoseconds when the top word of the
 inverted ECDSA nonce value is zero. This can happen with significant
 probability only for some of the supported elliptic curves. In particular the
 NIST P-521 curve is affected. To be able to measure this leak, the attacker
 process must either be located in the same physical computer or must have a
 very fast network connection with low latency.
 Attacks on ECDSA nonce are also known as Minerva attack.
 Fixes CVE-2024-13176
 Reviewed-by: Tim Hudson <tjh@openssl.org>
 Reviewed-by: Neil Horman <nhorman@openssl.org>
 Reviewed-by: Paul Dale <ppzgs1@gmail.com>
 ---
 .../OpensslLib/openssl/crypto/bn/bn_exp.c     | 21 +++++++++++++------
 .../OpensslLib/openssl/crypto/ec/ec_lib.c     |  8 +++----
 .../OpensslLib/openssl/include/crypto/bn.h    |  3 +++
 3 files changed, 22 insertions(+), 10 deletions(-)
 diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c
 index 9531acf..58b8058 100644
 --- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c
 +++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c
@@ -589,7 +589,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
  * out by Colin Percival,
  * http://www.daemonology.net/hyperthreading-considered-harmful/)
  */
 -int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 +int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
                               const BIGNUM *m, BN_CTX *ctx,
                               BN_MONT_CTX *in_mont)
 {
@@ -606,10 +606,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
     unsigned int t4 = 0;
 #endif
 -    bn_check_top(a);
 -    bn_check_top(p);
 -    bn_check_top(m);
 -
     if (!BN_is_odd(m)) {
         BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME, BN_R_CALLED_WITH_EVEN_MODULUS);
         return 0;
@@ -1112,7 +1108,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
             goto err;
     } else
 #endif
 -    if (!BN_from_montgomery(rr, &tmp, mont, ctx))
 +    if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
         goto err;
     ret = 1;
  err:
@@ -1126,6 +1122,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
     return ret;
 }
 +int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 +                              const BIGNUM *m, BN_CTX *ctx,
 +                              BN_MONT_CTX *in_mont)
 +{
 +    bn_check_top(a);
 +    bn_check_top(p);
 +    bn_check_top(m);
 +    if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
 +        return 0;
 +    bn_correct_top(rr);
 +    return 1;
 +}
 +
 int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
                          const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
 {
 diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c
 index 3554ada..0e0b643 100644
 --- a/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c
 +++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c
@@ -12,7 +12,7 @@
 #include <openssl/err.h>
 #include <openssl/opensslv.h>
 -
 +#include "crypto/bn.h"
 #include "ec_local.h"
 /* functions for EC_GROUP objects */
@@ -1154,10 +1154,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
     if (!BN_sub(e, group->order, e))
         goto err;
     /*-
 -     * Exponent e is public.
 -     * No need for scatter-gather or BN_FLG_CONSTTIME.
 +     * Although the exponent is public we want the result to be
 +     * fixed top.
      */
 -    if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
 +    if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
         goto err;
     ret = 1;
 diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
 index b5f36fb..12cb709 100644
 --- a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
 +++ b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
@@ -72,6 +72,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
  */
 int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
                           BN_MONT_CTX *mont, BN_CTX *ctx);
 +int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 +                              const BIGNUM *m, BN_CTX *ctx,
 +                              BN_MONT_CTX *in_mont);
 int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
                          BN_CTX *ctx);
 int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
 -- 
 2.33.0
--- a/0096-Free-the-read-buffers-CVE-2024-4741.patch
+++ b/0096-Free-the-read-buffers-CVE-2024-4741.patch
@ -0,0 +1,70 @@
 From f40c84cc031796e0469c6294abbf945455084627 Mon Sep 17 00:00:00 2001
 From: hy <12444214+dhjgty@user.noreply.gitee.com>
 Date: Mon, 24 Feb 2025 22:50:29 +0800
 Subject: [PATCH] fix CVE-2024-4741
 Only free the read buffers if we're not using them
 If we're part way through processing a record, or the application has
 not released all the records then we should not free our buffer because
 they are still needed.
 CVE-2024-4741
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 Reviewed-by: Neil Horman <nhorman@openssl.org>
 Reviewed-by: Matt Caswell <matt@openssl.org>
 ---
 .../Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c | 9 +++++++++
 CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h | 1 +
 CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c       | 3 +++
 3 files changed, 13 insertions(+)
 diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c
 index 3baf8207..99602b6b 100644
 --- a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c
 +++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c
@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
     return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
 }
 +int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
 +{
 +    if (rl->rstate == SSL_ST_READ_BODY)
 +        return 1;
 +    if (RECORD_LAYER_processed_read_pending(rl))
 +        return 1;
 +    return 0;
 +}
 +
 /* Checks if we have decrypted unread record data pending */
 int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
 {
 diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h
 index 234656bf..b60f71c8 100644
 --- a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h
 +++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h
@@ -205,6 +205,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
 int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
 int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
 int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
 +int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
 int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
 diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
 index 5d57f5d2..ac4ae41e 100644
 --- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
 +++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
@@ -5489,6 +5489,9 @@ int SSL_free_buffers(SSL *ssl)
     if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
         return 0;
 +    if (RECORD_LAYER_data_present(rl))
 +        return 0;
 +
     RECORD_LAYER_release(rl);
     return 1;
 }
 -- 
 2.33.0
--- a/edk2.spec
+++ b/edk2.spec
@ -5,7 +5,7 @@
 Name: edk2
 Version: %{stable_date}
-Release: 23
+Release: 24
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent
 URL: https://github.com/tianocore/edk2
@ -139,6 +139,10 @@ patch0093: 0093-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch
 patch0094: 0094-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command
 # Fix CVE-2024-13176、CVE-2024-4741
 patch95: 0095-Fix-timing-side-channel-CVE-2024-13176.patch
 patch96: 0096-Free-the-read-buffers-CVE-2024-4741.patch
 %description
 EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications. 
@ -337,6 +341,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 %changelog
 * Wed Feb 26 2025 huyu<huyu70@h-partners.com> - 202011-24
 - fix CVE-2024-13176、CVE-2024-4741
 * Mon Oct 14 2024 shenyage<shenyage1@huawei.com> - 202011-23
 - fix CVE-2023-45236、CVE-2023-45237