From 73a888e47886178bd2050e830f319d80be65f179 Mon Sep 17 00:00:00 2001
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Tue, 26 Nov 2024 20:48:47 -0800
Subject: [PATCH] [AUTO-CHERRYPICK] Fix CVE-2024-5535 in hvloader - branch main (#11232)

Co-authored-by: joejoew <111843948+joejoew@users.noreply.github.com>

---
 .../hvloader-signed/hvloader-signed.spec | 5 +-
 SPECS/hvloader/CVE-2024-5535.patch | 94 +++++++++++++++++++
 SPECS/hvloader/hvloader.spec | 6 +-
 3 files changed, 103 insertions(+), 2 deletions(-)
 create mode 100644 SPECS/hvloader/CVE-2024-5535.patch

diff --git a/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec b/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec
index cf8371cce40..2218c90aad6 100644
--- a/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec
+++ b/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec
@@ -6,7 +6,7 @@
 Summary: Signed HvLoader.efi for %{buildarch} systems
 Name: hvloader-signed-%{buildarch}
 Version: 1.0.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -69,6 +69,9 @@ popd
 /boot/efi/HvLoader.efi

 %changelog
+* Mon Nov 25 2024 Zhichun Wan - 1.0.1-6
+- Update version for consistency with hvloader spec
+
 * Wed Jun 19 2024 Archana Choudhary - 1.0.1-5
 - Update version for consistency with hvloader spec

diff --git a/SPECS/hvloader/CVE-2024-5535.patch b/SPECS/hvloader/CVE-2024-5535.patch
new file mode 100644
index 00000000000..f5d90a79430
--- /dev/null
+++ b/SPECS/hvloader/CVE-2024-5535.patch
@@ -0,0 +1,94 @@
+From 7a96ccee7892abe6ee1d8b8b42d293bd5261c2ef Mon Sep 17 00:00:00 2001
+From: Zhichun Wan
+Date: Tue, 26 Nov 2024 01:49:38 +0000
+Subject: [PATCH] patches
+
+---
+ .../Library/OpensslLib/openssl/ssl/ssl_lib.c | 63 ++++++++++++-------
+ 1 file changed, 40 insertions(+), 23 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+index 47adc321..0dca8e69 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+@@ -2761,37 +2761,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
+ unsigned int server_len,
+ const unsigned char *client, unsigned int client_len)
+ {
+- unsigned int i, j;
+- const unsigned char *result;
+- int status = OPENSSL_NPN_UNSUPPORTED;
++ PACKET cpkt, csubpkt, spkt, ssubpkt;
++
++ if (!PACKET_buf_init(&cpkt, client, client_len)
++ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
++ || PACKET_remaining(&csubpkt) == 0) {
++ *out = NULL;
++ *outlen = 0;
++ return OPENSSL_NPN_NO_OVERLAP;
++ }
++
++ /*
++ * Set the default opportunistic protocol. Will be overwritten if we find
++ * a match.
++ */
++ *out = (unsigned char *)PACKET_data(&csubpkt);
++ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
+
+ /*
+ * For each protocol in server preference order, see if we support it.
+ */
+- for (i = 0; i < server_len;) {
+- for (j = 0; j < client_len;) {
+- if (server[i] == client[j] &&
+- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
+- /* We found a match */
+- result = &server[i];
+- status = OPENSSL_NPN_NEGOTIATED;
+- goto found;
++ if (PACKET_buf_init(&spkt, server, server_len)) {
++ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
++ if (PACKET_remaining(&ssubpkt) == 0)
++ continue; /* Invalid - ignore it */
++ if (PACKET_buf_init(&cpkt, client, client_len)) {
++ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
++ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
++ PACKET_remaining(&ssubpkt))) {
++ /* We found a match */
++ *out = (unsigned char *)PACKET_data(&ssubpkt);
++ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
++ return OPENSSL_NPN_NEGOTIATED;
++ }
++ }
++ /* Ignore spurious trailing bytes in the client list */
++ } else {
++ /* This should never happen */
++ return OPENSSL_NPN_NO_OVERLAP;
+ }
+- j += client[j];
+- j++;
+ }
+- i += server[i];
+- i++;
++ /* Ignore spurious trailing bytes in the server list */
+ }
+
+- /* There's no overlap between our protocols and the server's list. */
+- result = client;
+- status = OPENSSL_NPN_NO_OVERLAP;
+-
+- found:
+- *out = (unsigned char *)result + 1;
+- *outlen = result[0];
+- return status;
++ /*
++ * There's no overlap between our protocols and the server's list. We use
++ * the default opportunistic protocol selected earlier
++ */
++ return OPENSSL_NPN_NO_OVERLAP;
+ }
+
+ #ifndef OPENSSL_NO_NEXTPROTONEG
+--
+2.45.2
+
diff --git a/SPECS/hvloader/hvloader.spec b/SPECS/hvloader/hvloader.spec
index 6d154ce2daf..67cf716a91c 100644
--- a/SPECS/hvloader/hvloader.spec
+++ b/SPECS/hvloader/hvloader.spec
@@ -4,7 +4,7 @@
 Summary: HvLoader.efi is an EFI application for loading an external hypervisor loader.
 Name: hvloader
 Version: 1.0.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
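Review bot: The backported patch carries no provenance: its own header reads `Subject: [PATCH] patches`, and neither the patch body nor the spec changelog names the upstream OpenSSL commit that this SSL_select_next_proto rewrite was taken from, so a later maintainer cannot confirm the edk2 copy matches upstream or pick up follow-up fixes to it. The subject should name the fix, e.g. `Subject: [PATCH] CVE-2024-5535: bounds-check the client and server lists in SSL_select_next_proto`, and the body should cite the upstream commit (`<upstream-openssl-commit-id>`) and the OpenSSL branch it was adapted from. The rewritten body depends on the PACKET helpers (PACKET_buf_init, PACKET_get_length_prefixed_1, PACKET_equal, PACKET_remaining, PACKET_data); ssl_lib.c's includes are outside the hunk, so it is worth confirming they are already in scope in edk2's OpenSSL snapshot — upstream I believe they arrive through the ssl-local header — or the package will fail to build rather than fail the CVE fix. The no-overlap path also changes from returning `client + 1`/`client[0]` unchecked to returning the first parsed client protocol, or NULL/0 when the client list is empty or malformed; any caller in CryptoPkg or hvloader that assumed `*out` is never NULL should be checked, which lies outside this hunk.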
@@ -16,6 +16,7 @@ Source1: https://github.com/tianocore/edk2/archive/refs/tags/%{edk2_tag}.
 Source2: target-x86.txt
 Patch0: CVE-2024-1298.patch
 Patch1: CVE-2023-0464.patch
+Patch2: CVE-2024-5535.patch
 BuildRequires: bc
 BuildRequires: gcc
 BuildRequires: build-essential
@@ -60,6 +61,9 @@ cp ./Build/MdeModule/RELEASE_GCC5/X64/MdeModulePkg/Application/%{name_github}-%{
 /boot/efi/HvLoader.efi

 %changelog
+* Mon Nov 25 2024 Zhichun Wan - 1.0.1-6
+- Add patch to resolve CVE-2024-5535
+
 * Wed Jun 19 2024 Archana Choudhary - 1.0.1-5
 - Add patch to resolve CVE-2023-0464
