import edk2-20220126gitbb1bba3d77-6.el8_9.3

9 months ago · 9578819e23
parent 72ca64a9b8
commit 9578819e23
5 changed files with 282 additions and 4 deletions
--- a/.edk2.metadata
+++ b/.edk2.metadata
@ -1,2 +1,2 @@
 ae830c7278f985cb25e90f4687b46c8b22316bef SOURCES/edk2-bb1bba3d77.tar.xz
-df2e14a45d968b590194d82736fcbfe2be10d1b0 SOURCES/openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz
+85388ae6525650667302c6b553894430197d9e0d SOURCES/openssl-rhel-cf317b2bb227899cb2e761b9163210f62cab1b1e.tar.xz
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
 SOURCES/edk2-bb1bba3d77.tar.xz
-SOURCES/openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz
+SOURCES/openssl-rhel-cf317b2bb227899cb2e761b9163210f62cab1b1e.tar.xz
--- a/SOURCES/old.patch
+++ b/SOURCES/old.patch
@ -0,0 +1,47 @@
+From 2dbfc91269fd944aeb82e0f9178e0ab278ccf0da Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 9 Jan 2024 12:29:01 +0100
+Subject: [PATCH 1/2] OvmfPkg/VirtNorFlashDxe: stop accepting gEfiVariableGuid
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <None>
+RH-MergeRequest: 41: OvmfPkg/VirtNorFlashDxe: sanity-check variables
+RH-Jira: RHEL-20351
+RH-Acked-by: Jon Maloy <jmaloy@redhat.com>
+RH-Commit: [1/2] c39aca9d2933518dff4216f585fdfcc492f08673
+
+Only accept gEfiAuthenticatedVariableGuid when checking the variable
+store header in ValidateFvHeader().
+
+The edk2 code base has been switched to use the authenticated varstore
+format unconditionally (even in case secure boot is not used or
+supported) a few years ago.
+
+Suggested-by: László Érsek <lersek@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Message-Id: <20240109112902.30002-3-kraxel@redhat.com>
+(cherry picked from commit ae22b2f136bcbd27135a5f4dd76d3a68a172d00e)
+---
+ ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashFvb.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashFvb.c b/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashFvb.c
+index db8eb595f4..904605cbbc 100644
+--- a/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashFvb.c
+++ b/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashFvb.c
+@@ -210,8 +210,7 @@ ValidateFvHeader (
+   VariableStoreHeader = (VARIABLE_STORE_HEADER*)((UINTN)FwVolHeader + FwVolHeader->HeaderLength);
+ 
+   // Check the Variable Store Guid
+-  if (!CompareGuid (&VariableStoreHeader->Signature, &gEfiVariableGuid) &&
+-      !CompareGuid (&VariableStoreHeader->Signature, &gEfiAuthenticatedVariableGuid)) {
+  if (!CompareGuid (&VariableStoreHeader->Signature, &gEfiAuthenticatedVariableGuid)) {
+     DEBUG ((EFI_D_INFO, "%a: Variable Store Guid non-compatible\n",
+       __FUNCTION__));
+     return EFI_NOT_FOUND;
+-- 
+2.41.0
+
--- a/SOURCES/old2.patch
+++ b/SOURCES/old2.patch
@ -0,0 +1,216 @@
+From bfdee279c563129ad1847a081e9b675e322e0788 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 9 Jan 2024 12:29:02 +0100
+Subject: [PATCH 2/2] OvmfPkg/VirtNorFlashDxe: sanity-check variables
+
+RH-Author: Gerd Hoffmann <None>
+RH-MergeRequest: 41: OvmfPkg/VirtNorFlashDxe: sanity-check variables
+RH-Jira: RHEL-20351
+RH-Acked-by: Jon Maloy <jmaloy@redhat.com>
+RH-Commit: [2/2] da1ecd33775421c2cd77e3b0c1bea94de3aca22d
+
+Extend the ValidateFvHeader function, additionally to the header checks
+walk over the list of variables and sanity check them.
+
+In case we find inconsistencies indicating variable store corruption
+return EFI_NOT_FOUND so the variable store will be re-initialized.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-Id: <20240109112902.30002-4-kraxel@redhat.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+[lersek@redhat.com: fix StartId initialization/assignment coding style]
+(cherry picked from commit 4a443f73fd67ca8caaf0a3e1a01f8231b330d2e0)
+---
+ .../Drivers/NorFlashDxe/NorFlashDxe.inf       |   1 +
+ .../Drivers/NorFlashDxe/NorFlashFvb.c         | 149 +++++++++++++++++-
+ 2 files changed, 145 insertions(+), 5 deletions(-)
+
+diff --git a/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf b/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf
+index f8d4c27031..10388880a1 100644
+--- a/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf
+++ b/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf
+@@ -35,6 +35,7 @@
+   DebugLib
+   HobLib
+   NorFlashPlatformLib
+  SafeIntLib
+   UefiLib
+   UefiDriverEntryPoint
+   UefiBootServicesTableLib
+diff --git a/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashFvb.c b/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashFvb.c
+index 904605cbbc..2a166c94a6 100644
+--- a/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashFvb.c
+++ b/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashFvb.c
+@@ -13,6 +13,7 @@
+ #include <Library/UefiLib.h>
+ #include <Library/BaseMemoryLib.h>
+ #include <Library/MemoryAllocationLib.h>
+#include <Library/SafeIntLib.h>
+ 
+ #include <Guid/VariableFormat.h>
+ #include <Guid/SystemNvDataGuid.h>
+@@ -166,11 +167,12 @@ ValidateFvHeader (
+   IN  NOR_FLASH_INSTANCE *Instance
+   )
+ {
+-  UINT16                      Checksum;
+-  EFI_FIRMWARE_VOLUME_HEADER  *FwVolHeader;
+-  VARIABLE_STORE_HEADER       *VariableStoreHeader;
+-  UINTN                       VariableStoreLength;
+-  UINTN                       FvLength;
+  UINT16                            Checksum;
+  CONST EFI_FIRMWARE_VOLUME_HEADER  *FwVolHeader;
+  CONST VARIABLE_STORE_HEADER       *VariableStoreHeader;
+  UINTN                             VarOffset;
+  UINTN                             VariableStoreLength;
+  UINTN                             FvLength;
+ 
+   FwVolHeader = (EFI_FIRMWARE_VOLUME_HEADER*)Instance->RegionBaseAddress;
+ 
+@@ -223,6 +225,143 @@ ValidateFvHeader (
+     return EFI_NOT_FOUND;
+   }
+ 
+  //
+  // check variables
+  //
+  DEBUG ((DEBUG_INFO, "%a: checking variables\n", __func__));
+  VarOffset = sizeof (*VariableStoreHeader);
+  for ( ; ;) {
+    UINTN                                VarHeaderEnd;
+    UINTN                                VarNameEnd;
+    UINTN                                VarEnd;
+    UINTN                                VarPadding;
+    CONST AUTHENTICATED_VARIABLE_HEADER  *VarHeader;
+    CONST CHAR16                         *VarName;
+    CONST CHAR8                          *VarState;
+    RETURN_STATUS                        Status;
+
+    Status = SafeUintnAdd (VarOffset, sizeof (*VarHeader), &VarHeaderEnd);
+    if (RETURN_ERROR (Status)) {
+      DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__));
+      return EFI_NOT_FOUND;
+    }
+
+    if (VarHeaderEnd >= VariableStoreHeader->Size) {
+      if (VarOffset <= VariableStoreHeader->Size - sizeof (UINT16)) {
+        CONST UINT16  *StartId;
+
+        StartId = (VOID *)((UINTN)VariableStoreHeader + VarOffset);
+        if (*StartId == 0x55aa) {
+          DEBUG ((DEBUG_ERROR, "%a: startid at invalid location\n", __func__));
+          return EFI_NOT_FOUND;
+        }
+      }
+
+      DEBUG ((DEBUG_INFO, "%a: end of var list (no space left)\n", __func__));
+      break;
+    }
+
+    VarHeader = (VOID *)((UINTN)VariableStoreHeader + VarOffset);
+    if (VarHeader->StartId != 0x55aa) {
+      DEBUG ((DEBUG_INFO, "%a: end of var list (no startid)\n", __func__));
+      break;
+    }
+
+    VarName = NULL;
+    switch (VarHeader->State) {
+      // usage: State = VAR_HEADER_VALID_ONLY
+      case VAR_HEADER_VALID_ONLY:
+        VarState = "header-ok";
+        VarName  = L"<unknown>";
+        break;
+
+      // usage: State = VAR_ADDED
+      case VAR_ADDED:
+        VarState = "ok";
+        break;
+
+      // usage: State &= VAR_IN_DELETED_TRANSITION
+      case VAR_ADDED &VAR_IN_DELETED_TRANSITION:
+        VarState = "del-in-transition";
+        break;
+
+      // usage: State &= VAR_DELETED
+      case VAR_ADDED &VAR_DELETED:
+      case VAR_ADDED &VAR_DELETED &VAR_IN_DELETED_TRANSITION:
+        VarState = "deleted";
+        break;
+
+      default:
+        DEBUG ((
+          DEBUG_ERROR,
+          "%a: invalid variable state: 0x%x\n",
+          __func__,
+          VarHeader->State
+          ));
+        return EFI_NOT_FOUND;
+    }
+
+    Status = SafeUintnAdd (VarHeaderEnd, VarHeader->NameSize, &VarNameEnd);
+    if (RETURN_ERROR (Status)) {
+      DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__));
+      return EFI_NOT_FOUND;
+    }
+
+    Status = SafeUintnAdd (VarNameEnd, VarHeader->DataSize, &VarEnd);
+    if (RETURN_ERROR (Status)) {
+      DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__));
+      return EFI_NOT_FOUND;
+    }
+
+    if (VarEnd > VariableStoreHeader->Size) {
+      DEBUG ((
+        DEBUG_ERROR,
+        "%a: invalid variable size: 0x%Lx + 0x%Lx + 0x%x + 0x%x > 0x%x\n",
+        __func__,
+        (UINT64)VarOffset,
+        (UINT64)(sizeof (*VarHeader)),
+        VarHeader->NameSize,
+        VarHeader->DataSize,
+        VariableStoreHeader->Size
+        ));
+      return EFI_NOT_FOUND;
+    }
+
+    if (((VarHeader->NameSize & 1) != 0) ||
+        (VarHeader->NameSize < 4))
+    {
+      DEBUG ((DEBUG_ERROR, "%a: invalid name size\n", __func__));
+      return EFI_NOT_FOUND;
+    }
+
+    if (VarName == NULL) {
+      VarName = (VOID *)((UINTN)VariableStoreHeader + VarHeaderEnd);
+      if (VarName[VarHeader->NameSize / 2 - 1] != L'\0') {
+        DEBUG ((DEBUG_ERROR, "%a: name is not null terminated\n", __func__));
+        return EFI_NOT_FOUND;
+      }
+    }
+
+    DEBUG ((
+      DEBUG_VERBOSE,
+      "%a: +0x%04Lx: name=0x%x data=0x%x guid=%g '%s' (%a)\n",
+      __func__,
+      (UINT64)VarOffset,
+      VarHeader->NameSize,
+      VarHeader->DataSize,
+      &VarHeader->VendorGuid,
+      VarName,
+      VarState
+      ));
+
+    VarPadding = (4 - (VarEnd & 3)) & 3;
+    Status     = SafeUintnAdd (VarEnd, VarPadding, &VarOffset);
+    if (RETURN_ERROR (Status)) {
+      DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__));
+      return EFI_NOT_FOUND;
+    }
+  }
+
+   return EFI_SUCCESS;
+ }
+ 
+-- 
+2.41.0
+
--- a/SPECS/edk2.spec
+++ b/SPECS/edk2.spec
@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64

 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    6%{?dist}.1
+Release:    6%{?dist}.3
 Summary:    UEFI firmware for 64-bit virtual machines
 Group:      Applications/Emulators
 License:    BSD-2-Clause-Patent and OpenSSL and MIT
@ -19,7 +19,7 @@ URL:        http://www.tianocore.org
 # | xz -9ev >/tmp/edk2-$COMMIT.tar.xz
 Source0: http://batcave.lab.eng.brq.redhat.com/www/edk2-%{GITCOMMIT}.tar.xz
 Source1: ovmf-whitepaper-c770f8c.txt
-Source2: openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz
+Source2: openssl-rhel-cf317b2bb227899cb2e761b9163210f62cab1b1e.tar.xz
 Source3: ovmf-vars-generator
 Source4: LICENSE.qosb
 Source5: RedHatSecureBootPkKek1.pem
@ -60,6 +60,10 @@ Patch28: edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch
 Patch29: edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch
 # For bz#2150267 - ovmf must consider max cpu count not boot cpu count for apic mode [rhel-8]
 Patch30: edk2-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch
+# For RHEL-20351 - [rhel8] guest fails to boot due to ASSERT error [rhel-8.9.0.z]
+Patch31: old.patch
+# For RHEL-20351 - [rhel8] guest fails to boot due to ASSERT error [rhel-8.9.0.z]
+Patch32: old2.patch


 # python3-devel and libuuid-devel are required for building tools.
@ -504,6 +508,17 @@ true
 %endif

 %changelog
+* Mon Jan 15 2024 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-6.el8_9.3
+- old.patch [RHEL-20351]
+- old2.patch [RHEL-20351]
+- Resolves: RHEL-20351
+  ([rhel8] guest fails to boot due to ASSERT error [rhel-8.9.0.z])
+
+* Fri Jan 05 2024 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-6.el8_9.2
+- edk2-Bumped-openssl-submodule-version-to-cf317b2bb227.patch [RHEL-18048]
+- Resolves: RHEL-18048
+  (CVE-2023-3446 edk2: openssl: Excessive time spent checking DH keys and parameters [rhel-8.9.0.z])
+
 * Wed Nov 22 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-6.el8_9.1
 - edk2-add-8.6-machine-type-to-edk2-ovmf-cc.json.patch [RHEL-15931]
 - Resolves: RHEL-15931