new file mode 100644
@@ -0,0 +1,271 @@
+From c7b27944218130cca3bbb20314ba5b88b5de4aa4 Mon Sep 17 00:00:00 2001
+From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
+Date: Fri, 12 Jan 2024 02:16:04 +0800
+Subject: [PATCH] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE
+ 2022-36764
+
+This commit contains the patch files and tests for DxeTpm2MeasureBootLib
+CVE 2022-36764.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+CVE: CVE-2022-36764
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/c7b27944218130cca3bbb20314ba5b88b5de4aa4]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../DxeTpm2MeasureBootLib.c | 12 ++--
+ .../DxeTpm2MeasureBootLibSanitization.c | 46 +++++++++++++-
+ .../DxeTpm2MeasureBootLibSanitization.h | 28 ++++++++-
+ .../DxeTpm2MeasureBootLibSanitizationTest.c | 60 ++++++++++++++++---
+ 4 files changed, 131 insertions(+), 15 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+index 0475103d6e..714cc8e03e 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+@@ -378,7 +378,6 @@ Exit:
+ @retval EFI_OUT_OF_RESOURCES No enough resource to measure image.
+ @retval EFI_UNSUPPORTED ImageType is unsupported or PE image is mal-format.
+ @retval other error value
+-
+ **/
+ EFI_STATUS
+ EFIAPI
+@@ -405,6 +404,7 @@ Tcg2MeasurePeImage (
+ Status = EFI_UNSUPPORTED;
+ ImageLoad = NULL;
+ EventPtr = NULL;
++ Tcg2Event = NULL;
+
+ Tcg2Protocol = MeasureBootProtocols->Tcg2Protocol;
+ CcProtocol = MeasureBootProtocols->CcProtocol;
+@@ -420,18 +420,22 @@ Tcg2MeasurePeImage (
+ }
+
+ FilePathSize = (UINT32)GetDevicePathSize (FilePath);
++ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
++ if (EFI_ERROR (Status)) {
++ return EFI_UNSUPPORTED;
++ }
+
+ //
+ // Determine destination PCR by BootPolicy
+ //
+- EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
+- EventPtr = AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event));
++ // from a malicious GPT disk partition
++ EventPtr = AllocateZeroPool (EventSize);
+ if (EventPtr == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ Tcg2Event = (EFI_TCG2_EVENT *)EventPtr;
+- Tcg2Event->Size = EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event);
++ Tcg2Event->Size = EventSize;
+ Tcg2Event->Header.HeaderSize = sizeof (EFI_TCG2_EVENT_HEADER);
+ Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
+ ImageLoad = (EFI_IMAGE_LOAD_EVENT *)Tcg2Event->Event;
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+index e2309655d3..2a4d52c6d5 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+@@ -151,7 +151,7 @@ SanitizeEfiPartitionTableHeader (
+ }
+
+ /**
+- This function will validate that the allocation size from the primary header is sane
++ This function will validate that the allocation size from the primary header is sane
+ It will check the following:
+ - AllocationSize does not overflow
+
+@@ -273,3 +273,47 @@ SanitizePrimaryHeaderGptEventSize (
+
+ return EFI_SUCCESS;
+ }
++
++/**
++ This function will validate that the PeImage Event Size from the loaded image is sane
++ It will check the following:
++ - EventSize does not overflow
++
++ @param[in] FilePathSize - Size of the file path.
++ @param[out] EventSize - Pointer to the event size.
++
++ @retval EFI_SUCCESS
++ The event size is valid.
++
++ @retval EFI_OUT_OF_RESOURCES
++ Overflow would have occurred.
++
++ @retval EFI_INVALID_PARAMETER
++ One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePeImageEventSize (
++ IN UINT32 FilePathSize,
++ OUT UINT32 *EventSize
++ )
++{
++ EFI_STATUS Status;
++
++ // Replacing logic:
++ // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
++ Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize);
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
++ return EFI_BAD_BUFFER_SIZE;
++ }
++
++ // Replacing logic:
++ // EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)
++ Status = SafeUint32Add (*EventSize, OFFSET_OF (EFI_TCG2_EVENT, Event), EventSize);
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
++ return EFI_BAD_BUFFER_SIZE;
++ }
++
++ return EFI_SUCCESS;
++}
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+index 048b738987..8f72ba4240 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+@@ -9,6 +9,9 @@
+ Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse
+ partition data carefully.
+
++ Tcg2MeasurePeImage() function will accept untrusted PE/COFF image and validate its
++ data structure within this image buffer before use.
++
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+@@ -110,4 +113,27 @@ SanitizePrimaryHeaderGptEventSize (
+ OUT UINT32 *EventSize
+ );
+
+-#endif // DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_
++/**
++ This function will validate that the PeImage Event Size from the loaded image is sane
++ It will check the following:
++ - EventSize does not overflow
++
++ @param[in] FilePathSize - Size of the file path.
++ @param[out] EventSize - Pointer to the event size.
++
++ @retval EFI_SUCCESS
++ The event size is valid.
++
++ @retval EFI_OUT_OF_RESOURCES
++ Overflow would have occurred.
++
++ @retval EFI_INVALID_PARAMETER
++ One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePeImageEventSize (
++ IN UINT32 FilePathSize,
++ OUT UINT32 *EventSize
++ );
++
++#endif // DXE_TPM2_MEASURE_BOOT_LIB_VALIDATION_
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+index 3eb9763e3c..820e99aeb9 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+@@ -72,10 +72,10 @@ TestSanitizeEfiPartitionTableHeader (
+ PrimaryHeader.Header.Revision = DEFAULT_PRIMARY_TABLE_HEADER_REVISION;
+ PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
+ PrimaryHeader.MyLBA = 1;
+- PrimaryHeader.AlternateLBA = 2;
+- PrimaryHeader.FirstUsableLBA = 3;
+- PrimaryHeader.LastUsableLBA = 4;
+- PrimaryHeader.PartitionEntryLBA = 5;
++ PrimaryHeader.PartitionEntryLBA = 2;
++ PrimaryHeader.AlternateLBA = 3;
++ PrimaryHeader.FirstUsableLBA = 4;
++ PrimaryHeader.LastUsableLBA = 5;
+ PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES;
+ PrimaryHeader.SizeOfPartitionEntry = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+ PrimaryHeader.PartitionEntryArrayCRC32 = 0; // Purposely invalid
+@@ -187,11 +187,6 @@ TestSanitizePrimaryHeaderGptEventSize (
+ EFI_STATUS Status;
+ EFI_PARTITION_TABLE_HEADER PrimaryHeader;
+ UINTN NumberOfPartition;
+- EFI_GPT_DATA *GptData;
+- EFI_TCG2_EVENT *Tcg2Event;
+-
+- Tcg2Event = NULL;
+- GptData = NULL;
+
+ // Test that a normal PrimaryHeader passes validation
+ PrimaryHeader.NumberOfPartitionEntries = 5;
+@@ -225,6 +220,52 @@ TestSanitizePrimaryHeaderGptEventSize (
+ return UNIT_TEST_PASSED;
+ }
+
++/**
++ This function tests the SanitizePeImageEventSize function.
++ It's intent is to test that the untrusted input from a file path when generating a
++ EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating
++ the event size when allocating space
++
++ @param[in] Context The unit test context.
++
++ @retval UNIT_TEST_PASSED The test passed.
++ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
++**/
++UNIT_TEST_STATUS
++EFIAPI
++TestSanitizePeImageEventSize (
++ IN UNIT_TEST_CONTEXT Context
++ )
++{
++ UINT32 EventSize;
++ UINTN ExistingLogicEventSize;
++ UINT32 FilePathSize;
++ EFI_STATUS Status;
++
++ FilePathSize = 255;
++
++ // Test that a normal PE image passes validation
++ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
++ UT_ASSERT_EQUAL (Status, EFI_SUCCESS);
++
++ // Test that the event size is correct compared to the existing logic
++ ExistingLogicEventSize = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize;
++ ExistingLogicEventSize += OFFSET_OF (EFI_TCG2_EVENT, Event);
++
++ if (EventSize != ExistingLogicEventSize) {
++ UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. Expected %u, got %u\n", ExistingLogicEventSize, EventSize);
++ return UNIT_TEST_ERROR_TEST_FAILED;
++ }
++
++ // Test that the event size may not overflow
++ Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
++ UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
++
++ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
++
++ return UNIT_TEST_PASSED;
++}
++
+ // *--------------------------------------------------------------------*
+ // * Unit Test Code Main Function
+ // *--------------------------------------------------------------------*
+@@ -267,6 +308,7 @@ UefiTestMain (
+ AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.Tcg2MeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
+ AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
+ AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
++ AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL);
+
+ Status = RunAllTestSuites (Framework);
+
+--
+2.40.0
+
new file mode 100644
@@ -0,0 +1,281 @@
+From 0d341c01eeabe0ab5e76693b36e728b8f538a40e Mon Sep 17 00:00:00 2001
+From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
+Date: Fri, 12 Jan 2024 02:16:05 +0800
+Subject: [PATCH] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE
+ 2022-36764
+
+This commit contains the patch files and tests for DxeTpmMeasureBootLib
+CVE 2022-36764.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+CVE: CVE-2022-36764
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/0d341c01eeabe0ab5e76693b36e728b8f538a40e]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../DxeTpmMeasureBootLib.c | 13 ++-
+ .../DxeTpmMeasureBootLibSanitization.c | 44 +++++++++
+ .../DxeTpmMeasureBootLibSanitization.h | 23 +++++
+ .../DxeTpmMeasureBootLibSanitizationTest.c | 98 +++++++++++++++++--
+ 4 files changed, 168 insertions(+), 10 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+index 669ab19134..a9fc440a09 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+@@ -17,6 +17,7 @@
+
+ Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
++Copyright (c) Microsoft Corporation.<BR>
+
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+@@ -345,18 +346,22 @@ TcgMeasurePeImage (
+ ImageLoad = NULL;
+ SectionHeader = NULL;
+ Sha1Ctx = NULL;
++ TcgEvent = NULL;
+ FilePathSize = (UINT32)GetDevicePathSize (FilePath);
+
+- //
+ // Determine destination PCR by BootPolicy
+ //
+- EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
+- TcgEvent = AllocateZeroPool (EventSize + sizeof (TCG_PCR_EVENT));
++ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
++ if (EFI_ERROR (Status)) {
++ return EFI_UNSUPPORTED;
++ }
++
++ TcgEvent = AllocateZeroPool (EventSize);
+ if (TcgEvent == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+- TcgEvent->EventSize = EventSize;
++ TcgEvent->EventSize = EventSize - sizeof (TCG_PCR_EVENT_HDR);
+ ImageLoad = (EFI_IMAGE_LOAD_EVENT *)TcgEvent->Event;
+
+ switch (ImageType) {
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+index a3fa46f5e6..c989851cec 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+@@ -239,3 +239,47 @@ SanitizePrimaryHeaderGptEventSize (
+
+ return EFI_SUCCESS;
+ }
++
++/**
++ This function will validate that the PeImage Event Size from the loaded image is sane
++ It will check the following:
++ - EventSize does not overflow
++
++ @param[in] FilePathSize - Size of the file path.
++ @param[out] EventSize - Pointer to the event size.
++
++ @retval EFI_SUCCESS
++ The event size is valid.
++
++ @retval EFI_OUT_OF_RESOURCES
++ Overflow would have occurred.
++
++ @retval EFI_INVALID_PARAMETER
++ One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePeImageEventSize (
++ IN UINT32 FilePathSize,
++ OUT UINT32 *EventSize
++ )
++{
++ EFI_STATUS Status;
++
++ // Replacing logic:
++ // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
++ Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize);
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
++ return EFI_BAD_BUFFER_SIZE;
++ }
++
++ // Replacing logic:
++ // EventSize + sizeof (TCG_PCR_EVENT_HDR)
++ Status = SafeUint32Add (*EventSize, sizeof (TCG_PCR_EVENT_HDR), EventSize);
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
++ return EFI_BAD_BUFFER_SIZE;
++ }
++
++ return EFI_SUCCESS;
++}
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+index 0d9d00c281..2248495813 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+@@ -111,4 +111,27 @@ SanitizePrimaryHeaderGptEventSize (
+ OUT UINT32 *EventSize
+ );
+
++/**
++ This function will validate that the PeImage Event Size from the loaded image is sane
++ It will check the following:
++ - EventSize does not overflow
++
++ @param[in] FilePathSize - Size of the file path.
++ @param[out] EventSize - Pointer to the event size.
++
++ @retval EFI_SUCCESS
++ The event size is valid.
++
++ @retval EFI_OUT_OF_RESOURCES
++ Overflow would have occurred.
++
++ @retval EFI_INVALID_PARAMETER
++ One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePeImageEventSize (
++ IN UINT32 FilePathSize,
++ OUT UINT32 *EventSize
++ );
++
+ #endif // DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+index eeb928cdb0..c41498be45 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+@@ -1,8 +1,8 @@
+ /** @file
+-This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
++ This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
+
+-Copyright (c) Microsoft Corporation.<BR>
+-SPDX-License-Identifier: BSD-2-Clause-Patent
++ Copyright (c) Microsoft Corporation.<BR>
++ SPDX-License-Identifier: BSD-2-Clause-Patent
+ **/
+
+ #include <Uefi.h>
+@@ -186,9 +186,6 @@ TestSanitizePrimaryHeaderGptEventSize (
+ EFI_STATUS Status;
+ EFI_PARTITION_TABLE_HEADER PrimaryHeader;
+ UINTN NumberOfPartition;
+- EFI_GPT_DATA *GptData;
+-
+- GptData = NULL;
+
+ // Test that a normal PrimaryHeader passes validation
+ PrimaryHeader.NumberOfPartitionEntries = 5;
+@@ -222,6 +219,94 @@ TestSanitizePrimaryHeaderGptEventSize (
+ return UNIT_TEST_PASSED;
+ }
+
++/**
++ This function tests the SanitizePeImageEventSize function.
++ It's intent is to test that the untrusted input from a file path for an
++ EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating
++ the event size when allocating space.
++
++ @param[in] Context The unit test context.
++
++ @retval UNIT_TEST_PASSED The test passed.
++ @retval UNIT_TEST_ERROR_TEST_FAILED The test failed.
++**/
++UNIT_TEST_STATUS
++EFIAPI
++TestSanitizePeImageEventSize (
++ IN UNIT_TEST_CONTEXT Context
++ )
++{
++ UINT32 EventSize;
++ UINTN ExistingLogicEventSize;
++ UINT32 FilePathSize;
++ EFI_STATUS Status;
++ EFI_DEVICE_PATH_PROTOCOL DevicePath;
++ EFI_IMAGE_LOAD_EVENT *ImageLoadEvent;
++ UNIT_TEST_STATUS TestStatus;
++
++ TestStatus = UNIT_TEST_ERROR_TEST_FAILED;
++
++ // Generate EFI_DEVICE_PATH_PROTOCOL test data
++ DevicePath.Type = 0;
++ DevicePath.SubType = 0;
++ DevicePath.Length[0] = 0;
++ DevicePath.Length[1] = 0;
++
++ // Generate EFI_IMAGE_LOAD_EVENT test data
++ ImageLoadEvent = AllocateZeroPool (sizeof (EFI_IMAGE_LOAD_EVENT) + sizeof (EFI_DEVICE_PATH_PROTOCOL));
++ if (ImageLoadEvent == NULL) {
++ DEBUG ((DEBUG_ERROR, "%a: AllocateZeroPool failed\n", __func__));
++ goto Exit;
++ }
++
++ // Populate EFI_IMAGE_LOAD_EVENT54 test data
++ ImageLoadEvent->ImageLocationInMemory = (EFI_PHYSICAL_ADDRESS)0x12345678;
++ ImageLoadEvent->ImageLengthInMemory = 0x1000;
++ ImageLoadEvent->ImageLinkTimeAddress = (UINTN)ImageLoadEvent;
++ ImageLoadEvent->LengthOfDevicePath = sizeof (EFI_DEVICE_PATH_PROTOCOL);
++ CopyMem (ImageLoadEvent->DevicePath, &DevicePath, sizeof (EFI_DEVICE_PATH_PROTOCOL));
++
++ FilePathSize = 255;
++
++ // Test that a normal PE image passes validation
++ Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
++ if (EFI_ERROR (Status)) {
++ UT_LOG_ERROR ("SanitizePeImageEventSize failed with %r\n", Status);
++ goto Exit;
++ }
++
++ // Test that the event size is correct compared to the existing logic
++ ExistingLogicEventSize = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize;
++ ExistingLogicEventSize += sizeof (TCG_PCR_EVENT_HDR);
++
++ if (EventSize != ExistingLogicEventSize) {
++ UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. Expected %u, got %u\n", ExistingLogicEventSize, EventSize);
++ goto Exit;
++ }
++
++ // Test that the event size may not overflow
++ Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
++ if (Status != EFI_BAD_BUFFER_SIZE) {
++ UT_LOG_ERROR ("SanitizePeImageEventSize succeded when it was supposed to fail with %r\n", Status);
++ goto Exit;
++ }
++
++ TestStatus = UNIT_TEST_PASSED;
++Exit:
++
++ if (ImageLoadEvent != NULL) {
++ FreePool (ImageLoadEvent);
++ }
++
++ if (TestStatus == UNIT_TEST_ERROR_TEST_FAILED) {
++ DEBUG ((DEBUG_ERROR, "%a: Test failed\n", __func__));
++ } else {
++ DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
++ }
++
++ return TestStatus;
++}
++
+ // *--------------------------------------------------------------------*
+ // * Unit Test Code Main Function
+ // *--------------------------------------------------------------------*
+@@ -265,6 +350,7 @@ UefiTestMain (
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.TcgMeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
+ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
++ AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL);
+
+ Status = RunAllTestSuites (Framework);
+
+--
+2.40.0
+
new file mode 100644
@@ -0,0 +1,48 @@
+From 8f6d343ae639fba8e4b80e45257275e23083431f Mon Sep 17 00:00:00 2001
+From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
+Date: Fri, 12 Jan 2024 02:16:06 +0800
+Subject: [PATCH] SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml
+
+This creates / adds a security file that tracks the security fixes
+found in this package and can be used to find the fixes that were
+applied.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+CVE: CVE-2022-36764
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/8f6d343ae639fba8e4b80e45257275e23083431f]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ SecurityPkg/SecurityFixes.yaml | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
+index f9e3e7be74..833fb827a9 100644
+--- a/SecurityPkg/SecurityFixes.yaml
++++ b/SecurityPkg/SecurityFixes.yaml
+@@ -20,3 +20,17 @@ CVE_2022_36763:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4117
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=2168
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=1990
++CVE_2022_36764:
++ commit_titles:
++ - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764"
++ - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764"
++ - "SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml"
++ cve: CVE-2022-36764
++ date_reported: 2022-10-25 12:23 UTC
++ description: Heap Buffer Overflow in Tcg2MeasurePeImage()
++ note:
++ files_impacted:
++ - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
++ - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
++ links:
++ - https://bugzilla.tianocore.org/show_bug.cgi?id=4118
+--
+2.40.0
+
@@ -30,6 +30,9 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
file://CVE-2022-36763-0001.patch \
file://CVE-2022-36763-0002.patch \
file://CVE-2022-36763-0003.patch \
+ file://CVE-2022-36764-0001.patch \
+ file://CVE-2022-36764-0002.patch \
+ file://CVE-2022-36764-0003.patch \
"
PV = "edk2-stable202202"