!347 openEuler-22.03-LTS-SP3: Fix CVE-2024-38797

From: @dhjgty 
Reviewed-by: @caojinhuahw 
Signed-off-by: @caojinhuahw

0093-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236-Rela.patch

@@ -0,0 +1,87 @@
+From 780535ba9e0d2a81db5ae17374fdfa8cb5e80d91 Mon Sep 17 00:00:00 2001
+From: ShenYage <shenyage1@huawei.com>
+Date: Fri, 28 Feb 2025 16:04:22 +0800
+Subject: [PATCH 1/2] NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Relared
+ Patch
+
+BUG: Tianocore's EDK2 TCP implementation generates ISNs using fixed
+increments from a fixed base value and thus is uceptible to TCP session injection
+and session hijack attacks.
+
+This commit is a patch for CVE-2023-45236. Generates ISNs using RngLib to get a high-quality random number.
+
+Signed-off-by: ShenYage <shenyage1@huawei.com>
+---
+ NetworkPkg/TcpDxe/TcpDxe.inf | 1 +
+ NetworkPkg/TcpDxe/TcpMain.h  | 1 +
+ NetworkPkg/TcpDxe/TcpMisc.c  | 9 ++++++++-
+ NetworkPkg/TcpDxe/TcpTimer.c | 7 ++++++-
+ 4 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf
+index c0acbdc..9281f90 100644
+--- a/NetworkPkg/TcpDxe/TcpDxe.inf
++++ b/NetworkPkg/TcpDxe/TcpDxe.inf
+@@ -67,6 +67,7 @@
+   DpcLib
+   NetLib
+   IpIoLib
++  RngLib
+ 
+ 
+ [Protocols]
+diff --git a/NetworkPkg/TcpDxe/TcpMain.h b/NetworkPkg/TcpDxe/TcpMain.h
+index 35f12a1..ef35fa7 100644
+--- a/NetworkPkg/TcpDxe/TcpMain.h
++++ b/NetworkPkg/TcpDxe/TcpMain.h
+@@ -16,6 +16,7 @@
+ #include <Library/IpIoLib.h>
+ #include <Library/DevicePathLib.h>
+ #include <Library/PrintLib.h>
++#include <Library/RngLib.h>
+ 
+ #include "Socket.h"
+ #include "TcpProto.h"
+diff --git a/NetworkPkg/TcpDxe/TcpMisc.c b/NetworkPkg/TcpDxe/TcpMisc.c
+index 73ed33d..1249ae6 100644
+--- a/NetworkPkg/TcpDxe/TcpMisc.c
++++ b/NetworkPkg/TcpDxe/TcpMisc.c
+@@ -522,7 +522,14 @@ TcpGetIss (
+   VOID
+   )
+ {
+-  mTcpGlobalIss += TCP_ISS_INCREMENT_1;
++  UINT32  RandomVal;
++
++  if (GetRandomNumber32(&RandomVal)) {
++    mTcpGlobalIss += RandomVal;
++  } else {
++    mTcpGlobalIss += TCP_ISS_INCREMENT_1;
++  }
++
+   return mTcpGlobalIss;
+ }
+ 
+diff --git a/NetworkPkg/TcpDxe/TcpTimer.c b/NetworkPkg/TcpDxe/TcpTimer.c
+index 106d947..6a9dab3 100644
+--- a/NetworkPkg/TcpDxe/TcpTimer.c
++++ b/NetworkPkg/TcpDxe/TcpTimer.c
+@@ -495,9 +495,14 @@ TcpTickingDpc (
+   LIST_ENTRY      *Next;
+   TCP_CB          *Tcb;
+   INT16           Index;
++  UINT32          RandomVal;
+ 
+   mTcpTick++;
+-  mTcpGlobalIss += TCP_ISS_INCREMENT_2;
++  if (GetRandomNumber32(&RandomVal)) {
++    mTcpGlobalIss += RandomVal;
++  } else {
++    mTcpGlobalIss += TCP_ISS_INCREMENT_2;
++  }
+ 
+   //
+   // Don't use LIST_FOR_EACH, which isn't delete safe.
+-- 
+2.33.0
+

0094-NetworkPkg-DxeNetLib-SECURITY-PATCH-CVE-2023-45237-R.patch

@@ -0,0 +1,69 @@
+From cc8e518d327b7ee851e28060b95a06edfcfc4400 Mon Sep 17 00:00:00 2001
+From: ShenYage <shenyage1@huawei.com>
+Date: Fri, 28 Feb 2025 16:18:39 +0800
+Subject: [PATCH 2/2] NetworkPkg: DxeNetLib: SECURITY PATCH CVE-2023-45237
+ Relared Patch
+
+This commit is a patch for CVE-2023-45237. Using RngLib to generate a stronger pseudoRandom number for NetRandomInitSeed().
+
+Signed-off-by: ShenYage <shenyage1@huawei.com>
+---
+ NetworkPkg/Library/DxeNetLib/DxeNetLib.c   | 22 ++++++++++++++--------
+ NetworkPkg/Library/DxeNetLib/DxeNetLib.inf |  1 +
+ 2 files changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
+index 2a555a7..f0b5ed8 100644
+--- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
++++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
+@@ -31,6 +31,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ #include <Library/DevicePathLib.h>
+ #include <Library/PrintLib.h>
+ #include <Library/UefiLib.h>
++#include <Library/RngLib.h>
+ 
+ #define NIC_ITEM_CONFIG_SIZE   (sizeof (NIC_IP4_CONFIG_INFO) + sizeof (EFI_IP4_ROUTE_TABLE) * MAX_IP4_CONFIG_IN_VARIABLE)
+ #define DEFAULT_ZERO_START     ((UINTN) ~0)
+@@ -908,14 +909,19 @@ NetRandomInitSeed (
+   EFI_TIME                  Time;
+   UINT32                    Seed;
+   UINT64                    MonotonicCount;
+-
+-  gRT->GetTime (&Time, NULL);
+-  Seed = (Time.Hour << 24 | Time.Day << 16 | Time.Minute << 8 | Time.Second);
+-  Seed ^= Time.Nanosecond;
+-  Seed ^= Time.Year << 7;
+-
+-  gBS->GetNextMonotonicCount (&MonotonicCount);
+-  Seed += (UINT32) MonotonicCount;
++  UINT32                    RandomVal;
++
++  if (GetRandomNumber32(&RandomVal)) {
++    Seed = RandomVal;
++  } else {
++    gRT->GetTime (&Time, NULL);
++    Seed = (Time.Hour << 24 | Time.Day << 16 | Time.Minute << 8 | Time.Second);
++    Seed ^= Time.Nanosecond;
++    Seed ^= Time.Year << 7;
++  
++    gBS->GetNextMonotonicCount (&MonotonicCount);
++    Seed += (UINT32) MonotonicCount;
++  }
+ 
+   return Seed;
+ }
+diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf
+index 8145d25..ce90aa5 100644
+--- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf
++++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf
+@@ -43,6 +43,7 @@
+   MemoryAllocationLib
+   DevicePathLib
+   PrintLib
++  RngLib
+ 
+ 
+ [Guids]
+-- 
+2.33.0
+

0095-Fix-timing-side-channel-CVE-2024-13176.patch

@@ -0,0 +1,121 @@
+From 364614adb972bc64e4174031a026d14896b22463 Mon Sep 17 00:00:00 2001
+From: hy <12444214+dhjgty@user.noreply.gitee.com>
+Date: Wed, 26 Feb 2025 01:13:34 +0800
+Subject: [PATCH] Fix timing side-channel in ECDSA signature computation There
+ is a timing signal of around 300 nanoseconds when the top word of the
+ inverted ECDSA nonce value is zero. This can happen with significant
+ probability only for some of the supported elliptic curves. In particular the
+ NIST P-521 curve is affected. To be able to measure this leak, the attacker
+ process must either be located in the same physical computer or must have a
+ very fast network connection with low latency.
+
+Attacks on ECDSA nonce are also known as Minerva attack.
+
+Fixes CVE-2024-13176
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+---
+ .../OpensslLib/openssl/crypto/bn/bn_exp.c     | 21 +++++++++++++------
+ .../OpensslLib/openssl/crypto/ec/ec_lib.c     |  8 +++----
+ .../OpensslLib/openssl/include/crypto/bn.h    |  3 +++
+ 3 files changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c
+index 9531acf..58b8058 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c
+@@ -589,7 +589,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
+  * out by Colin Percival,
+  * http://www.daemonology.net/hyperthreading-considered-harmful/)
+  */
+-int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
++int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+                               const BIGNUM *m, BN_CTX *ctx,
+                               BN_MONT_CTX *in_mont)
+ {
+@@ -606,10 +606,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+     unsigned int t4 = 0;
+ #endif
+ 
+-    bn_check_top(a);
+-    bn_check_top(p);
+-    bn_check_top(m);
+-
+     if (!BN_is_odd(m)) {
+         BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME, BN_R_CALLED_WITH_EVEN_MODULUS);
+         return 0;
+@@ -1112,7 +1108,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+             goto err;
+     } else
+ #endif
+-    if (!BN_from_montgomery(rr, &tmp, mont, ctx))
++    if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
+         goto err;
+     ret = 1;
+  err:
+@@ -1126,6 +1122,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+     return ret;
+ }
+ 
++int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
++                              const BIGNUM *m, BN_CTX *ctx,
++                              BN_MONT_CTX *in_mont)
++{
++    bn_check_top(a);
++    bn_check_top(p);
++    bn_check_top(m);
++    if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
++        return 0;
++    bn_correct_top(rr);
++    return 1;
++}
++
+ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
+                          const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+ {
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c
+index 3554ada..0e0b643 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c
+@@ -12,7 +12,7 @@
+ 
+ #include <openssl/err.h>
+ #include <openssl/opensslv.h>
+-
++#include "crypto/bn.h"
+ #include "ec_local.h"
+ 
+ /* functions for EC_GROUP objects */
+@@ -1154,10 +1154,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
+     if (!BN_sub(e, group->order, e))
+         goto err;
+     /*-
+-     * Exponent e is public.
+-     * No need for scatter-gather or BN_FLG_CONSTTIME.
++     * Although the exponent is public we want the result to be
++     * fixed top.
+      */
+-    if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
++    if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
+         goto err;
+ 
+     ret = 1;
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
+index b5f36fb..12cb709 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
+@@ -72,6 +72,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
+  */
+ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                           BN_MONT_CTX *mont, BN_CTX *ctx);
++int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
++                              const BIGNUM *m, BN_CTX *ctx,
++                              BN_MONT_CTX *in_mont);
+ int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+                          BN_CTX *ctx);
+ int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+-- 
+2.33.0
+

0096-Free-the-read-buffers-CVE-2024-4741.patch

@@ -0,0 +1,70 @@
+From f40c84cc031796e0469c6294abbf945455084627 Mon Sep 17 00:00:00 2001
+From: hy <12444214+dhjgty@user.noreply.gitee.com>
+Date: Mon, 24 Feb 2025 22:50:29 +0800
+Subject: [PATCH] fix CVE-2024-4741
+Only free the read buffers if we're not using them
+If we're part way through processing a record, or the application has
+not released all the records then we should not free our buffer because
+they are still needed.
+
+CVE-2024-4741
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+
+---
+ .../Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c | 9 +++++++++
+ CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h | 1 +
+ CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c       | 3 +++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c
+index 3baf8207..99602b6b 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c
+@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
+     return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
+ }
+ 
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
++{
++    if (rl->rstate == SSL_ST_READ_BODY)
++        return 1;
++    if (RECORD_LAYER_processed_read_pending(rl))
++        return 1;
++    return 0;
++}
++
+ /* Checks if we have decrypted unread record data pending */
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
+ {
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h
+index 234656bf..b60f71c8 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h
+@@ -205,6 +205,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
+ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
+ int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+index 5d57f5d2..ac4ae41e 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+@@ -5489,6 +5489,9 @@ int SSL_free_buffers(SSL *ssl)
+     if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
+         return 0;
+ 
++    if (RECORD_LAYER_data_present(rl))
++        return 0;
++
+     RECORD_LAYER_release(rl);
+     return 1;
+ }
+-- 
+2.33.0
+

0097-Harden-BN_GF2m_poly2arr-against-misuse.patch

@@ -0,0 +1,187 @@
+From 2a0fa58af18f2ab5435ee2cefa6a02cacfb18818 Mon Sep 17 00:00:00 2001
+From: hy <941973499@qq.com>
+Date: Fri, 28 Mar 2025 22:48:57 +0800
+Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse. The
+ BN_GF2m_poly2arr() function converts characteristic-2 field (GF_{2^m}) Galois
+ polynomials from a representation as a BIGNUM bitmask, to a compact array
+ with just the exponents of the non-zero terms.
+
+These polynomials are then used in BN_GF2m_mod_arr() to perform modular
+reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
+polynomial must have a non-zero constant term (i.e. the array has `0` as
+its final element).
+
+Internally, callers of BN_GF2m_poly2arr() did not verify that
+precondition, and binary EC curve parameters with an invalid polynomial
+could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
+
+The precondition is always true for polynomials that arise from the
+standard form of EC parameters for characteristic-two fields (X9.62).
+See the "Finite Field Identification" section of:
+
+    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
+
+The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
+basis X9.62 forms.
+
+This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
+the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
+
+Additionally, the return value is made unambiguous when there is not
+enough space to also pad the array with a final `-1` sentinel value.
+The return value is now always the number of elements (including the
+final `-1`) that would be filled when the output array is sufficiently
+large.  Previously the same count was returned both when the array has
+just enough room for the final `-1` and when it had only enough space
+for non-sentinel values.
+
+Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
+degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
+CPU exhausition attacks via excessively large inputs.
+
+The above issues do not arise in processing X.509 certificates.  These
+generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
+disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
+constraint only after the certificate is decoded, but, even if explicit
+parameters are specified, they are in X9.62 form, which cannot represent
+problem values as noted above.
+
+Initially reported as oss-fuzz issue 71623.
+---
+ .../OpensslLib/openssl/crypto/bn/bn_gf2m.c    | 28 +++++++---
+ .../openssl/test/ec_internal_test.c           | 51 +++++++++++++++++++
+ 2 files changed, 71 insertions(+), 8 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_gf2m.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_gf2m.c
+index 304c2ea0..65e9958c 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_gf2m.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_gf2m.c
+@@ -15,6 +15,7 @@
+ #include "bn_local.h"
+ 
+ #ifndef OPENSSL_NO_EC2M
++# include <openssl/ec.h>
+ 
+ /*
+  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
+@@ -1134,16 +1135,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ /*
+  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
+  * x^i) into an array of integers corresponding to the bits with non-zero
+- * coefficient.  Array is terminated with -1. Up to max elements of the array
+- * will be filled.  Return value is total number of array elements that would
+- * be filled if array was large enough.
++ * coefficient.  The array is intended to be suitable for use with
++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
++ * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
++ *
++ * Given sufficient room, the array is terminated with -1.  Up to max elements
++ * of the array will be filled.
++ *
++ * The return value is total number of array elements that would be filled if
++ * array was large enough, including the terminating `-1`.  It is `0` when `a`
++ * is not odd or the constant term is zero contrary to requirement.
++ *
++ * The return value is also `0` when the leading exponent exceeds
++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
+  */
+ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ {
+     int i, j, k = 0;
+     BN_ULONG mask;
+ 
+-    if (BN_is_zero(a))
++    if (!BN_is_odd(a))
+         return 0;
+ 
+     for (i = a->top - 1; i >= 0; i--) {
+@@ -1161,12 +1172,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+         }
+     }
+ 
+-    if (k < max) {
++    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
++        return 0;
++
++    if (k < max)
+         p[k] = -1;
+-        k++;
+-    }
+ 
+-    return k;
++    return k + 1;
+ }
+ 
+ /*
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/ec_internal_test.c b/CryptoPkg/Library/OpensslLib/openssl/test/ec_internal_test.c
+index 8c2cd056..484cbb2a 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/test/ec_internal_test.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/test/ec_internal_test.c
+@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
+ }
+ 
+ #ifndef OPENSSL_NO_EC2M
++/* Test that decoding of invalid GF2m field parameters fails. */
++ static int ec2m_field_sanity(void)
++ {
++     int ret = 0;
++     BN_CTX *ctx = BN_CTX_new();
++     BIGNUM *p, *a, *b;
++     EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
++
++     TEST_info("Testing GF2m hardening\n");
++
++     BN_CTX_start(ctx);
++     p = BN_CTX_get(ctx);
++     a = BN_CTX_get(ctx);
++     if (!TEST_ptr(b = BN_CTX_get(ctx))
++         || !TEST_true(BN_one(a))
++         || !TEST_true(BN_one(b)))
++         goto out;
++
++     /* Even pentanomial value should be rejected */
++     if (!TEST_true(BN_set_word(p, 0xf2)))
++         goto out;
++     if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++         TEST_error("Zero constant term accepted in GF2m polynomial");
++
++     /* Odd hexanomial should also be rejected */
++     if (!TEST_true(BN_set_word(p, 0xf3)))
++         goto out;
++     if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++         TEST_error("Hexanomial accepted as GF2m polynomial");
++
++     /* Excessive polynomial degree should also be rejected */
++     if (!TEST_true(BN_set_word(p, 0x71))
++         || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
++         goto out;
++     if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++         TEST_error("GF2m polynomial degree > %d accepted",
++                    OPENSSL_ECC_MAX_FIELD_BITS);
++
++     ret = group1 == NULL && group2 == NULL && group3 == NULL;
++
++  out:
++     EC_GROUP_free(group1);
++     EC_GROUP_free(group2);
++     EC_GROUP_free(group3);
++     BN_CTX_end(ctx);
++     BN_CTX_free(ctx);
++
++     return ret;
++ }
++
+ /* test EC_GF2m_simple_method directly */
+ static int field_tests_ec2_simple(void)
+ {
+@@ -443,6 +493,7 @@ int setup_tests(void)
+     ADD_TEST(field_tests_ecp_simple);
+     ADD_TEST(field_tests_ecp_mont);
+ #ifndef OPENSSL_NO_EC2M
++    ADD_TEST(ec2m_field_sanity);
+     ADD_TEST(field_tests_ec2_simple);
+ #endif
+     ADD_ALL_TESTS(field_tests_default, crv_len);
+-- 
+2.33.0
+

0098-SecurityPkg-Out-of-bound-read-in-HashPeImageByType.patch

@@ -0,0 +1,185 @@
+From ce37675db65a37c5a746d6ba6e3755f0feefc64c Mon Sep 17 00:00:00 2001
+From: hy <941973499@qq.com>
+Date: Sun, 27 Apr 2025 20:54:06 +0800
+Subject: [PATCH] SecurityPkg: Out of bound read in HashPeImageByType() In
+ HashPeImageByType(), the hash of PE/COFF image is calculated. This function
+ may get untrusted input.
+
+Inside this function, the following code verifies the loaded image has
+the correct format, by reading the second byte of the buffer.
+
+```c
+  if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
+  	...
+  }
+```
+
+The input image is not trusted and that may not have the second byte to
+read. So this poses an out of bound read error.
+
+With below fix we are assuring that we don't do out of bound read. i.e,
+we make sure that AuthDataSize is greater than 1.
+
+```c
+  if (AuthDataSize > 1
+      && (*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE){
+    ...
+  }
+```
+
+AuthDataSize size is verified before reading the second byte.
+So if AuthDataSize is less than 2, the second byte will not be read, and
+the out of bound read situation won't occur.
+
+Tested the patch on real platform with and without TPM connected and
+verified image is booting fine.
+
+Authored-by: Raj AlwinX Selvaraj <Alw...@intel.com>
+Signed-off-by: Doug Flick <DougFlick@microsoft.com>
+---
+ .../DxeImageVerificationLib.c                 | 37 ++++++++++---------
+ SecurityPkg/SecurityFixes.yaml                | 15 ++++++++
+ .../SecureBootConfigImpl.c                    | 37 +++++++++++--------
+ 3 files changed, 55 insertions(+), 34 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index d8b7b15..6060f93 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -607,6 +607,7 @@ Done:
+   @param[in]  AuthDataSize        Size of the Authenticode Signature in bytes.
+ 
+   @retval EFI_UNSUPPORTED             Hash algorithm is not supported.
++  @retval EFI_BAD_BUFFER_SIZE         AuthData provided is invalid size.
+   @retval EFI_SUCCESS                 Hash successfully.
+ 
+ **/
+@@ -618,28 +619,28 @@ HashPeImageByType (
+ {
+   UINT8                     Index;
+ 
+-  for (Index = 0; Index < HASHALG_MAX; Index++) {
++  //
++  // Check the Hash algorithm in PE/COFF Authenticode.
++  //    According to PKCS#7 Definition:
++  //        SignedData ::= SEQUENCE {
++  //            version Version,
++  //            digestAlgorithms DigestAlgorithmIdentifiers,
++  //            contentInfo ContentInfo,
++  //            .... }
++  //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
++  //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.
++  //    Fixed offset (+32) is calculated based on two bytes of length encoding.
++  //
++  if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {
+     //
+-    // Check the Hash algorithm in PE/COFF Authenticode.
+-    //    According to PKCS#7 Definition:
+-    //        SignedData ::= SEQUENCE {
+-    //            version Version,
+-    //            digestAlgorithms DigestAlgorithmIdentifiers,
+-    //            contentInfo ContentInfo,
+-    //            .... }
+-    //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
+-    //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.
+-    //    Fixed offset (+32) is calculated based on two bytes of length encoding.
++    // Only support two bytes of Long Form of Length Encoding.
+     //
+-    if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
+-      //
+-      // Only support two bytes of Long Form of Length Encoding.
+-      //
+-      continue;
+-    }
++    return EFI_BAD_BUFFER_SIZE;
++  }
+ 
++  for (Index = 0; Index < HASHALG_MAX; Index++) { 
+     if (AuthDataSize < 32 + mHash[Index].OidLength) {
+-      return EFI_UNSUPPORTED;
++      continue;
+     }
+ 
+     if (CompareMem (AuthData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {
+diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
+index ceaaa25..0b24844 100644
+--- a/SecurityPkg/SecurityFixes.yaml
++++ b/SecurityPkg/SecurityFixes.yaml
+@@ -34,3 +34,18 @@ CVE_2022_36764:
+   - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
+   links:
+   - https://bugzilla.tianocore.org/show_bug.cgi?id=4118
++CVE_2024_38797:
++  commit-titles:
++    - "SecurityPkg: Out of bound read in HashPeImageByType()"
++    - "SecurityPkg: Improving HashPeImageByType () logic"
++    - "SecurityPkg: Improving SecureBootConfigImpl:HashPeImageByType () logic"
++  cve: CVE-2024-38797
++  date_reported: 2024-06-04 12:00 UTC
++  description: Out of bound read in HashPeImageByType()
++  note:
++  files_impacted:
++    - SecurityPkg\Library\DxeImageVerificationLib\DxeImageVerificationLib.c
++    - SecurityPkg\VariableAuthenticated\SecureBootConfigDxe\SecureBootConfigImpl.c
++  links:
++    - https://bugzilla.tianocore.org/show_bug.cgi?id=2214
++    - https://github.com/tianocore/edk2/security/advisories/GHSA-4wjw-6xmf-44xf
+diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+index 4f01a2e..a363ab2 100644
+--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
++++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+@@ -2063,30 +2063,35 @@ HashPeImageByType (
+ {
+   UINT8                     Index;
+   WIN_CERTIFICATE_EFI_PKCS  *PkcsCertData;
++  UINT32                    PkcsCertSize;
+ 
+   PkcsCertData = (WIN_CERTIFICATE_EFI_PKCS *) (mImageBase + mSecDataDir->Offset);
++  PkcsCertSize = mSecDataDir->SizeOfCert;
+ 
+-  for (Index = 0; Index < HASHALG_MAX; Index++) {
++  //
++  // Check the Hash algorithm in PE/COFF Authenticode.
++  //    According to PKCS#7 Definition:
++  //        SignedData ::= SEQUENCE {
++  //            version Version,
++  //            digestAlgorithms DigestAlgorithmIdentifiers,
++  //            contentInfo ContentInfo,
++  //            .... }
++  //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
++  //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.
++  //    Fixed offset (+32) is calculated based on two bytes of length encoding.
++  //
++  if ((PkcsCertSize > 1) && ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {
+     //
+-    // Check the Hash algorithm in PE/COFF Authenticode.
+-    //    According to PKCS#7 Definition:
+-    //        SignedData ::= SEQUENCE {
+-    //            version Version,
+-    //            digestAlgorithms DigestAlgorithmIdentifiers,
+-    //            contentInfo ContentInfo,
+-    //            .... }
+-    //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
+-    //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.
+-    //    Fixed offset (+32) is calculated based on two bytes of length encoding.
++    // Only support two bytes of Long Form of Length Encoding. 
+      //
+-    if ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
+-      //
+-      // Only support two bytes of Long Form of Length Encoding.
+-      //
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  for (Index = 0; Index < HASHALG_MAX; Index++) {
++    if (PkcsCertSize < 32 + mHash[Index].OidLength) {
+       continue;
+     }
+ 
+-    //
+     if (CompareMem (PkcsCertData->CertData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {
+       break;
+     }
+-- 
+2.33.0
+

edk2.spec

@@ -5,7 +5,7 @@
 
 Name: edk2
 Version: %{stable_date}
-Release: 22
+Release: 27
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent
 URL: https://github.com/tianocore/edk2
@@ -134,6 +134,20 @@ Patch0091: 0091-VirtioBlk-split-large-IO-according-to-segment_size_m.patch
 # Fix CVE-2024-38796
 patch0092: 0092-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
 
+# Fix CVE-2023-45236、CVE-2023-45237
+patch0093: 0093-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236-Rela.patch
+patch0094: 0094-NetworkPkg-DxeNetLib-SECURITY-PATCH-CVE-2023-45237-R.patch
+
+# Fix CVE-2024-13176、CVE-2024-4741
+patch95: 0095-Fix-timing-side-channel-CVE-2024-13176.patch
+patch96: 0096-Free-the-read-buffers-CVE-2024-4741.patch
+
+# Fix CVE-2024-9143
+patch97: 0097-Harden-BN_GF2m_poly2arr-against-misuse.patch
+
+# Fix CVE-2024-38797
+patch98: 0098-SecurityPkg-Out-of-bound-read-in-HashPeImageByType.patch
+
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command
 
 %description
@@ -334,6 +348,21 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 
 %changelog
+* Sun Apr 27 2025 huyu<huyu70@h-partners.com> - 202011-27
+- fix CVE-2024-38797
+
+* Fri Mar 28 2025 huyu<huyu70@h-partners.com> - 202011-26
+- fix CVE-2024-9143
+
+* Sun Mar 9 2025 shenyage<shenyage1@huawei.com> - 202011-25
+- fix bugs for CVE-2023-45236、CVE-2023-45237
+
+* Wed Feb 26 2025 huyu<huyu70@h-partners.com> - 202011-24
+- fix CVE-2024-13176、CVE-2024-4741
+
+* Mon Oct 14 2024 shenyage<shenyage1@huawei.com> - 202011-23
+- fix CVE-2023-45236、CVE-2023-45237
+
 * Wed Oct 09 2024 zhangxianting <zhangxianting@uniontech.com> - 202011-22
 - fix CVE-2024-38796