From patchwork Thu Jul 11 04:55:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: ssambu X-Patchwork-Id: 46198 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EB0EBC3271E for ; Thu, 11 Jul 2024 04:56:28 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.4948.1720673781624517688 for ; Wed, 10 Jul 2024 21:56:21 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=79227d51f5=soumya.sambu@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 46B4j20J016647 for ; Wed, 10 Jul 2024 21:56:21 -0700 Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 407170mcjv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 10 Jul 2024 21:56:21 -0700 (PDT) Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.39; Wed, 10 Jul 2024 21:56:19 -0700 From: ssambu To: Subject: [OE-core][kirkstone][PATCH 11/11] ovmf: Fix CVE-2022-36765 Date: Thu, 11 Jul 2024 04:55:41 +0000 Message-ID: <20240711045541.2155076-11-soumya.sambu@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20240711045541.2155076-1-soumya.sambu@windriver.com> References: <20240711045541.2155076-1-soumya.sambu@windriver.com> MIME-Version: 1.0 X-Originating-IP: [147.11.136.210] X-ClientProxiedBy: ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) To ala-exchng01.corp.ad.wrs.com (147.11.82.252) X-Proofpoint-GUID: A0tqwPJKsAKPkdBqa613LhpjihCqpA0E X-Proofpoint-ORIG-GUID: A0tqwPJKsAKPkdBqa613LhpjihCqpA0E X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-07-11_01,2024-07-10_01,2024-05-17_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 priorityscore=1501 impostorscore=0 malwarescore=0 phishscore=0 adultscore=0 lowpriorityscore=0 spamscore=0 suspectscore=0 bulkscore=0 mlxscore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.21.0-2406140001 definitions=main-2407110031 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 11 Jul 2024 04:56:28 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/201761 From: Soumya Sambu EDK2 is susceptible to a vulnerability in the CreateHob() function, allowing a user to trigger a integer overflow to buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability. References: https://nvd.nist.gov/vuln/detail/CVE-2022-36765 Upstream-patches: https://github.com/tianocore/edk2/commit/59f024c76ee57c2bec84794536302fc770cd6ec2 https://github.com/tianocore/edk2/commit/aeaee8944f0eaacbf4cdf39279785b9ba4836bb6 https://github.com/tianocore/edk2/commit/9a75b030cf27d2530444e9a2f9f11867f79bf679 Signed-off-by: Soumya Sambu --- .../ovmf/ovmf/CVE-2022-36765-0001.patch | 179 ++++++++++++++++++ .../ovmf/ovmf/CVE-2022-36765-0002.patch | 157 +++++++++++++++ .../ovmf/ovmf/CVE-2022-36765-0003.patch | 135 +++++++++++++ meta/recipes-core/ovmf/ovmf_git.bb | 3 + 4 files changed, 474 insertions(+) create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0001.patch create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0002.patch create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0003.patch diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0001.patch b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0001.patch new file mode 100644 index 0000000000..120cf66f6a --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0001.patch @@ -0,0 +1,179 @@ +From 59f024c76ee57c2bec84794536302fc770cd6ec2 Mon Sep 17 00:00:00 2001 +From: Gua Guo +Date: Thu, 11 Jan 2024 13:01:19 +0800 +Subject: [PATCH] UefiPayloadPkg/Hob: Integer Overflow in CreateHob() + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166 + +Fix integer overflow in various CreateHob instances. +Fixes: CVE-2022-36765 + +The CreateHob() function aligns the requested size to 8 +performing the following operation: +``` +HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); +``` + +No checks are performed to ensure this value doesn't +overflow, and could lead to CreateHob() returning a smaller +HOB than requested, which could lead to OOB HOB accesses. + +Reported-by: Marc Beatove +Cc: Guo Dong +Cc: Sean Rhodes +Cc: James Lu +Reviewed-by: Gua Guo +Cc: John Mathew +Authored-by: Gerd Hoffmann +Signed-off-by: Gua Guo + +CVE: CVE-2022-36765 + +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/59f024c76ee57c2bec84794536302fc770cd6ec2] + +Signed-off-by: Soumya Sambu +--- + .../Library/PayloadEntryHobLib/Hob.c | 43 +++++++++++++++++++ + .../UefiPayloadEntry/UniversalPayloadEntry.c | 8 ++-- + 2 files changed, 48 insertions(+), 3 deletions(-) + +diff --git a/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c b/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c +index 2c3acbbc19..51c2e28d7d 100644 +--- a/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c ++++ b/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c +@@ -110,6 +110,13 @@ CreateHob ( + + HandOffHob = GetHobList (); + ++ // ++ // Check Length to avoid data overflow. ++ // ++ if (HobLength > MAX_UINT16 - 0x7) { ++ return NULL; ++ } ++ + HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); + + FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom; +@@ -160,6 +167,9 @@ BuildResourceDescriptorHob ( + + Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR)); + ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->ResourceType = ResourceType; + Hob->ResourceAttribute = ResourceAttribute; +@@ -330,6 +340,10 @@ BuildModuleHob ( + ); + + Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid); + Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule; +@@ -378,6 +392,11 @@ BuildGuidHob ( + ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE))); + + Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return NULL; ++ } ++ + CopyGuid (&Hob->Name, Guid); + return Hob + 1; + } +@@ -441,6 +460,10 @@ BuildFvHob ( + EFI_HOB_FIRMWARE_VOLUME *Hob; + + Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->BaseAddress = BaseAddress; + Hob->Length = Length; +@@ -472,6 +495,10 @@ BuildFv2Hob ( + EFI_HOB_FIRMWARE_VOLUME2 *Hob; + + Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->BaseAddress = BaseAddress; + Hob->Length = Length; +@@ -513,6 +540,10 @@ BuildFv3Hob ( + EFI_HOB_FIRMWARE_VOLUME3 *Hob; + + Hob = CreateHob (EFI_HOB_TYPE_FV3, sizeof (EFI_HOB_FIRMWARE_VOLUME3)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->BaseAddress = BaseAddress; + Hob->Length = Length; +@@ -546,6 +577,10 @@ BuildCpuHob ( + EFI_HOB_CPU *Hob; + + Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->SizeOfMemorySpace = SizeOfMemorySpace; + Hob->SizeOfIoSpace = SizeOfIoSpace; +@@ -583,6 +618,10 @@ BuildStackHob ( + ); + + Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_STACK)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + CopyGuid (&(Hob->AllocDescriptor.Name), &gEfiHobMemoryAllocStackGuid); + Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress; +@@ -664,6 +703,10 @@ BuildMemoryAllocationHob ( + ); + + Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID)); + Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress; +diff --git a/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c b/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c +index edb3c20471..abfe75bd7b 100644 +--- a/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c ++++ b/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c +@@ -111,10 +111,12 @@ AddNewHob ( + } + + NewHob.Header = CreateHob (Hob->Header->HobType, Hob->Header->HobLength); +- +- if (NewHob.Header != NULL) { +- CopyMem (NewHob.Header + 1, Hob->Header + 1, Hob->Header->HobLength - sizeof (EFI_HOB_GENERIC_HEADER)); ++ ASSERT (NewHob.Header != NULL); ++ if (NewHob.Header == NULL) { ++ return; + } ++ ++ CopyMem (NewHob.Header + 1, Hob->Header + 1, Hob->Header->HobLength - sizeof (EFI_HOB_GENERIC_HEADER)); + } + + /** +-- +2.40.0 + diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0002.patch b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0002.patch new file mode 100644 index 0000000000..1209be27b5 --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0002.patch @@ -0,0 +1,157 @@ +From aeaee8944f0eaacbf4cdf39279785b9ba4836bb6 Mon Sep 17 00:00:00 2001 +From: Gua Guo +Date: Thu, 11 Jan 2024 13:07:50 +0800 +Subject: [PATCH] EmbeddedPkg/Hob: Integer Overflow in CreateHob() + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166 + +Fix integer overflow in various CreateHob instances. +Fixes: CVE-2022-36765 + +The CreateHob() function aligns the requested size to 8 +performing the following operation: +``` +HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); +``` + +No checks are performed to ensure this value doesn't +overflow, and could lead to CreateHob() returning a smaller +HOB than requested, which could lead to OOB HOB accesses. + +Reported-by: Marc Beatove +Cc: Leif Lindholm +Reviewed-by: Ard Biesheuvel +Cc: Abner Chang +Cc: John Mathew +Authored-by: Gerd Hoffmann +Signed-off-by: Gua Guo + +CVE: CVE-2022-36765 + +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/aeaee8944f0eaacbf4cdf39279785b9ba4836bb6] + +Signed-off-by: Soumya Sambu +--- + EmbeddedPkg/Library/PrePiHobLib/Hob.c | 43 +++++++++++++++++++++++++++ + 1 file changed, 43 insertions(+) + +diff --git a/EmbeddedPkg/Library/PrePiHobLib/Hob.c b/EmbeddedPkg/Library/PrePiHobLib/Hob.c +index 8eb175aa96..cbc35152cc 100644 +--- a/EmbeddedPkg/Library/PrePiHobLib/Hob.c ++++ b/EmbeddedPkg/Library/PrePiHobLib/Hob.c +@@ -110,6 +110,13 @@ CreateHob ( + + HandOffHob = GetHobList (); + ++ // ++ // Check Length to avoid data overflow. ++ // ++ if (HobLength > MAX_UINT16 - 0x7) { ++ return NULL; ++ } ++ + HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); + + FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom; +@@ -160,6 +167,9 @@ BuildResourceDescriptorHob ( + + Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR)); + ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->ResourceType = ResourceType; + Hob->ResourceAttribute = ResourceAttribute; +@@ -401,6 +411,10 @@ BuildModuleHob ( + ); + + Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid); + Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule; +@@ -449,6 +463,11 @@ BuildGuidHob ( + ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE))); + + Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return NULL; ++ } ++ + CopyGuid (&Hob->Name, Guid); + return Hob + 1; + } +@@ -512,6 +531,10 @@ BuildFvHob ( + EFI_HOB_FIRMWARE_VOLUME *Hob; + + Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->BaseAddress = BaseAddress; + Hob->Length = Length; +@@ -543,6 +566,10 @@ BuildFv2Hob ( + EFI_HOB_FIRMWARE_VOLUME2 *Hob; + + Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->BaseAddress = BaseAddress; + Hob->Length = Length; +@@ -584,6 +611,10 @@ BuildFv3Hob ( + EFI_HOB_FIRMWARE_VOLUME3 *Hob; + + Hob = CreateHob (EFI_HOB_TYPE_FV3, sizeof (EFI_HOB_FIRMWARE_VOLUME3)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->BaseAddress = BaseAddress; + Hob->Length = Length; +@@ -639,6 +670,10 @@ BuildCpuHob ( + EFI_HOB_CPU *Hob; + + Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->SizeOfMemorySpace = SizeOfMemorySpace; + Hob->SizeOfIoSpace = SizeOfIoSpace; +@@ -676,6 +711,10 @@ BuildStackHob ( + ); + + Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_STACK)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + CopyGuid (&(Hob->AllocDescriptor.Name), &gEfiHobMemoryAllocStackGuid); + Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress; +@@ -756,6 +795,10 @@ BuildMemoryAllocationHob ( + ); + + Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID)); + Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress; +-- +2.40.0 + diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0003.patch b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0003.patch new file mode 100644 index 0000000000..9579205e09 --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0003.patch @@ -0,0 +1,135 @@ +From 9a75b030cf27d2530444e9a2f9f11867f79bf679 Mon Sep 17 00:00:00 2001 +From: Gua Guo +Date: Thu, 11 Jan 2024 13:03:26 +0800 +Subject: [PATCH] StandaloneMmPkg/Hob: Integer Overflow in CreateHob() + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166 + +Fix integer overflow in various CreateHob instances. +Fixes: CVE-2022-36765 + +The CreateHob() function aligns the requested size to 8 +performing the following operation: +``` +HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); +``` + +No checks are performed to ensure this value doesn't +overflow, and could lead to CreateHob() returning a smaller +HOB than requested, which could lead to OOB HOB accesses. + +Reported-by: Marc Beatove +Reviewed-by: Ard Biesheuvel +Cc: Sami Mujawar +Reviewed-by: Ray Ni +Cc: John Mathew +Authored-by: Gerd Hoffmann +Signed-off-by: Gua Guo + +CVE: CVE-2022-36765 + +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/9a75b030cf27d2530444e9a2f9f11867f79bf679] + +Signed-off-by: Soumya Sambu +--- + .../Arm/StandaloneMmCoreHobLib.c | 35 +++++++++++++++++++ + 1 file changed, 35 insertions(+) + +diff --git a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c +index 1550e1babc..59473e28fe 100644 +--- a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c ++++ b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c +@@ -34,6 +34,13 @@ CreateHob ( + + HandOffHob = GetHobList (); + ++ // ++ // Check Length to avoid data overflow. ++ // ++ if (HobLength > MAX_UINT16 - 0x7) { ++ return NULL; ++ } ++ + HobLength = (UINT16)((HobLength + 0x7) & (~0x7)); + + FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom; +@@ -89,6 +96,10 @@ BuildModuleHob ( + ); + + Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid); + Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule; +@@ -129,6 +140,9 @@ BuildResourceDescriptorHob ( + + Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR)); + ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->ResourceType = ResourceType; + Hob->ResourceAttribute = ResourceAttribute; +@@ -167,6 +181,11 @@ BuildGuidHob ( + ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE))); + + Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return NULL; ++ } ++ + CopyGuid (&Hob->Name, Guid); + return Hob + 1; + } +@@ -226,6 +245,10 @@ BuildFvHob ( + EFI_HOB_FIRMWARE_VOLUME *Hob; + + Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->BaseAddress = BaseAddress; + Hob->Length = Length; +@@ -255,6 +278,10 @@ BuildFv2Hob ( + EFI_HOB_FIRMWARE_VOLUME2 *Hob; + + Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->BaseAddress = BaseAddress; + Hob->Length = Length; +@@ -282,6 +309,10 @@ BuildCpuHob ( + EFI_HOB_CPU *Hob; + + Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + Hob->SizeOfMemorySpace = SizeOfMemorySpace; + Hob->SizeOfIoSpace = SizeOfIoSpace; +@@ -319,6 +350,10 @@ BuildMemoryAllocationHob ( + ); + + Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION)); ++ ASSERT (Hob != NULL); ++ if (Hob == NULL) { ++ return; ++ } + + ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID)); + Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress; +-- +2.40.0 + diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index dbfed086e4..1dba709824 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb @@ -50,6 +50,9 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \ file://CVE-2023-45237-0001.patch \ file://CVE-2023-45237-0002.patch \ file://CVE-2023-45236.patch \ + file://CVE-2022-36765-0001.patch \ + file://CVE-2022-36765-0002.patch \ + file://CVE-2022-36765-0003.patch \ " PV = "edk2-stable202202"