ovmf: fix CVE-2025-2295

According to [1], EDK2 contains a vulnerability in BIOS where a user may cause an Integer Overflow or Wraparound by network means. A successful exploitation of this vulnerability may lead to denial of service. Refer debian [2], backport a patch from edk2 [3] to fix CVE-2025-2295 [1] https://nvd.nist.gov/vuln/detail/CVE-2025-2295 [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100594 [3] 17cdc512f0 (From OE-Core rev: 0f59dec939cf0d313b1b01b1e7bf10e059d9d0ac) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-07-19 12:59:02 +02:00 · 2025-04-07 19:37:13 +08:00 · 2025-04-07 19:37:13 +08:00 · db026b5972
commit db026b5972
parent b9139b242e
2 changed files with 57 additions and 0 deletions
--- a/meta/recipes-core/ovmf/ovmf/CVE-2025-2295.patch
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2295.patch
@ -0,0 +1,56 @@
+From 4b028816b5619ede6c3720664478055e09151516 Mon Sep 17 00:00:00 2001
+From: Madhavan <madavtechy@gmail.com>
+Date: Fri, 14 Mar 2025 14:15:13 -0400
+Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for Remote Memory Exposure in ISCSI
+ bz4206
+
+Used SafeUint32Add to calculate and validate OutTransferLength with
+boundary check in IScsiOnR2TRcvd to avoid integer overflow
+
+Signed-off-by: Madhavan <madavtechy@gmail.com>
+
+CVE: CVE-2025-2295
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/17cdc512f02a2dfd1b9e24133da56fdda099abda]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ NetworkPkg/IScsiDxe/IScsiProto.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
+index ef587649a0..fb48e6304d 100644
+--- a/NetworkPkg/IScsiDxe/IScsiProto.c
+++ b/NetworkPkg/IScsiDxe/IScsiProto.c
+@@ -1,7 +1,7 @@
+ /** @file
+   The implementation of iSCSI protocol based on RFC3720.
+ 
+-Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2004 - 2025, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ **/
+@@ -2682,6 +2682,7 @@ IScsiOnR2TRcvd (
+   EFI_STATUS               Status;
+   ISCSI_XFER_CONTEXT       *XferContext;
+   UINT8                    *Data;
+  UINT32                   TransferLength;
+ 
+   R2THdr = (ISCSI_READY_TO_TRANSFER *)NetbufGetByte (Pdu, 0, NULL);
+   if (R2THdr == NULL) {
+@@ -2712,7 +2713,12 @@ IScsiOnR2TRcvd (
+   XferContext->Offset            = R2THdr->BufferOffset;
+   XferContext->DesiredLength     = R2THdr->DesiredDataTransferLength;
+ 
+-  if (((XferContext->Offset + XferContext->DesiredLength) > Packet->OutTransferLength) ||
+  Status = SafeUint32Add (XferContext->Offset, XferContext->DesiredLength, &TransferLength);
+  if (EFI_ERROR (Status)) {
+    return EFI_PROTOCOL_ERROR;
+  }
+
+  if ((TransferLength > Packet->OutTransferLength) ||
+       (XferContext->DesiredLength > Tcb->Conn->Session->MaxBurstLength)
+       )
+   {
+-- 
+2.48.1
+
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@ -26,6 +26,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
           file://0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
           file://0003-debug-prefix-map.patch \
           file://0004-reproducible.patch \
+           file://CVE-2025-2295.patch \
           "

 PV = "edk2-stable202411"