fix CVE-2024-38796

2024-10-09 16:21:32 +08:00 · 2024-10-09 16:21:32 +08:00 · 7040a837bb
commit 7040a837bb
parent 123b2a8e26
2 changed files with 39 additions and 1 deletions
--- a/0092-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
+++ b/0092-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
@ -0,0 +1,32 @@
+From c95233b8525ca6828921affd1496146cff262e65 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Fri, 27 Sep 2024 12:08:55 -0700
+Subject: [PATCH] MdePkg: Fix overflow issue in BasePeCoffLib
+
+The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is
+also a UINT32 value. The current code does not check for overflow when
+adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a
+check to ensure that the addition does not overflow.
+
+Signed-off-by: Doug Flick <dougflick@microsoft.com>
+Authored-by: sriraamx gobichettipalayam <sri..@intel.com>
+---
+ MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+index 1102833..7fa4714 100644
+--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+@@ -991,7 +991,7 @@ PeCoffLoaderRelocateImage (
+     RelocDir = &Hdr.Te->DataDirectory[0];
+   }
+ 
+-  if ((RelocDir != NULL) && (RelocDir->Size > 0)) {
+  if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {
+     RelocBase = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
+     RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *) PeCoffLoaderImageAddress (ImageContext,
+                                                                             RelocDir->VirtualAddress + RelocDir->Size - 1,
+-- 
+2.43.0
+
--- a/edk2.spec
+++ b/edk2.spec
@ -5,7 +5,7 @@

 Name: edk2
 Version: %{stable_date}
-Release: 21
+Release: 22
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent
 URL: https://github.com/tianocore/edk2
@ -131,6 +131,9 @@ Patch0089: 0089-VirtioDxe-add-support-of-MMIO-Bar-for-virtio-devices.patch
 Patch0090: 0090-Virtio-wait-virtio-device-reset-done.patch
 Patch0091: 0091-VirtioBlk-split-large-IO-according-to-segment_size_m.patch

+# Fix CVE-2024-38796
+patch0092: 0092-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
+
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command

 %description
@ -331,6 +334,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif

 %changelog
+* Wed Oct 09 2024 zhangxianting <zhangxianting@uniontech.com> - 202011-22
+- fix CVE-2024-38796
+
 * Wed Sep 18 2024 jiangdongxu<jiangdongxu1@huawei.com> - 202011-21
 - vdpa: support vdpa blk/scsi device boot