[scarthgap,3/3] ovmf: fix CVE-2024-38798

Message ID	20260427045650.2365793-3-hongxu.jia@windriver.com
State	Under Review
Delegated to:	Fabien Thomas
Headers	show Return-Path: <hongxu.jia@windriver.com> ip: 205.220.178.238, mailfrom: prvs=857747364e=hongxu.jia@windriver.com) From: Hongxu Jia <hongxu.jia@windriver.com> To: <openembedded-core@lists.openembedded.org>, <yoann.congal@smile.fr> Subject: [scarthgap][PATCH 3/3] ovmf: fix CVE-2024-38798 Date: Mon, 27 Apr 2026 12:56:50 +0800 Message-ID: <20260427045650.2365793-3-hongxu.jia@windriver.com> In-Reply-To: <20260427045650.2365793-1-hongxu.jia@windriver.com> References: <20260427045650.2365793-1-hongxu.jia@windriver.com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Series	[scarthgap,1/3] u-boot: fix CVE-2025-24857 \| expand [scarthgap,1/3] u-boot: fix CVE-2025-24857 [scarthgap,2/3] ovmf: fix CVE-2025-2296 [scarthgap,3/3] ovmf: fix CVE-2024-38798

Message ID

20260427045650.2365793-3-hongxu.jia@windriver.com

State

Under Review

Delegated to:

Fabien Thomas

Headers

From: Hongxu Jia <hongxu.jia@windriver.com>
To: <openembedded-core@lists.openembedded.org>, <yoann.congal@smile.fr>
Subject: [scarthgap][PATCH 3/3] ovmf: fix CVE-2024-38798
Date: Mon, 27 Apr 2026 12:56:50 +0800
Message-ID: <20260427045650.2365793-3-hongxu.jia@windriver.com>
In-Reply-To: <20260427045650.2365793-1-hongxu.jia@windriver.com>
References: <20260427045650.2365793-1-hongxu.jia@windriver.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Series

[scarthgap,1/3] u-boot: fix CVE-2025-24857 | expand

Commit Message

Hongxu Jia April 27, 2026, 4:56 a.m. UTC

According to [1],

  EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of
  Sensitive Information to an Unauthorized Actor” by local access. Successful
  exploitation of this vulnerability will lead to possible information disclosure
  or escalation of privilege and impact Confidentiality.

Backport a patch [2] from upstream to fix CVE-2024-38798

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-38798
[2] https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 .../ovmf/ovmf/CVE-2024-38798.patch            | 116 ++++++++++++++++++
 meta/recipes-core/ovmf/ovmf_git.bb            |   1 +
 2 files changed, 117 insertions(+)
 create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch

Comments

Fabien Thomas April 30, 2026, 9:25 a.m. UTC | #1

On Mon Apr 27, 2026 at 6:56 AM CEST, hongxu via lists.openembedded.org wrote:
> According to [1],
>
>   EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of
>   Sensitive Information to an Unauthorized Actor” by local access. Successful
>   exploitation of this vulnerability will lead to possible information disclosure
>   or escalation of privilege and impact Confidentiality.
>
> Backport a patch [2] from upstream to fix CVE-2024-38798
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2024-38798
> [2] https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> ---
>  .../ovmf/ovmf/CVE-2024-38798.patch            | 116 ++++++++++++++++++
>  meta/recipes-core/ovmf/ovmf_git.bb            |   1 +
>  2 files changed, 117 insertions(+)
>  create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
>
> diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
> new file mode 100644
> index 0000000000..2d0a73c7a6
> --- /dev/null
> +++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
> @@ -0,0 +1,116 @@
> +From 81263e46ad8cf2a6c7d86bc51c95342d07ec31ca Mon Sep 17 00:00:00 2001
> +From: Hongxu Jia <hongxu.jia@windriver.com>
> +Date: Mon, 5 Jan 2026 13:04:18 +0800
> +Subject: [PATCH] MdeModulePkg : Clear keyboard queue buffer after reading
> +
> +There is a possibility to retrieve user input keystroke data stored in the
> +queue buffer via the EFI_SIMPLE_TEXT_INPUT_PROTOCOL pointer. To prevent
> +exposure of the password string, clear the queue buffer by filling it
> +with zeros after reading.
> +
> +Signed-off-by: Nick Wang <nick.wang@insyde.com>
> +
> +CVE: CVE-2024-38798
> +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249]
> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> +---
> + MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c       | 2 ++
> + MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c        | 1 +
> + MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c                  | 2 +-
> + .../Universal/Console/ConSplitterDxe/ConSplitter.c        | 1 +
> + .../Universal/Console/TerminalDxe/TerminalConIn.c         | 8 ++++++--
> + 5 files changed, 11 insertions(+), 3 deletions(-)
> +
> +diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
> +index 981309f..32757a7 100644
> +--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
> ++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
> +@@ -650,6 +650,8 @@ PopScancodeBufHead (
> +     if (Buf != NULL) {
> +       Buf[Index] = Queue->Buffer[Queue->Head];
> +     }
> ++
> ++    Queue->Buffer[Queue->Head] = 0;
> +   }
> + 
> +   return EFI_SUCCESS;
> +diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
> +index 81d3c6e..e03c88f 100644
> +--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
> ++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
> +@@ -51,6 +51,7 @@ PopEfikeyBufHead (
> +     CopyMem (KeyData, &Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
> +   }
> + 
> ++  ZeroMem (&Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
> +   Queue->Head = (Queue->Head + 1) % KEYBOARD_EFI_KEY_MAX_COUNT;
> +   return EFI_SUCCESS;
> + }
> +diff --git a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
> +index b5a6459..7df1566 100644
> +--- a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
> ++++ b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
> +@@ -1840,7 +1840,7 @@ Dequeue (
> +   }
> + 
> +   CopyMem (Item, Queue->Buffer[Queue->Head], ItemSize);
> +-
> ++  ZeroMem (Queue->Buffer[Queue->Head], ItemSize);
> +   //
> +   // Adjust the head pointer of the FIFO keyboard buffer.
> +   //
> +diff --git a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
> +index 0a776f3..5c1a35e 100644
> +--- a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
> ++++ b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
> +@@ -3537,6 +3537,7 @@ ConSplitterTextInExDequeueKey (
> +     &Private->KeyQueue[1],
> +     Private->CurrentNumberOfKeys * sizeof (EFI_KEY_DATA)
> +     );
> ++  ZeroMem (&Private->KeyQueue[Private->CurrentNumberOfKeys], sizeof (EFI_KEY_DATA));
> +   return EFI_SUCCESS;
> + }
> + 
> +diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
> +index f1d0a34..8aafb4b 100644
> +--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
> ++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
> +@@ -760,7 +760,8 @@ RawFiFoRemoveOneKey (
> +     return FALSE;
> +   }
> + 
> +-  *Output = TerminalDevice->RawFiFo->Data[Head];
> ++  *Output                             = TerminalDevice->RawFiFo->Data[Head];
> ++  TerminalDevice->RawFiFo->Data[Head] = 0;
> + 
> +   TerminalDevice->RawFiFo->Head = (UINT8)((Head + 1) % (RAW_FIFO_MAX_NUMBER + 1));
> + 
> +@@ -881,6 +882,7 @@ EfiKeyFiFoForNotifyRemoveOneKey (
> +   }
> + 
> +   CopyMem (Output, &EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
> ++  ZeroMem (&EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
> + 
> +   EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
> + 
> +@@ -1032,6 +1034,7 @@ EfiKeyFiFoRemoveOneKey (
> +   }
> + 
> +   CopyMem (Output, &TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
> ++  ZeroMem (&TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
> + 
> +   TerminalDevice->EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
> + 
> +@@ -1142,7 +1145,8 @@ UnicodeFiFoRemoveOneKey (
> +   Head = TerminalDevice->UnicodeFiFo->Head;
> +   ASSERT (Head < FIFO_MAX_NUMBER + 1);
> + 
> +-  *Output = TerminalDevice->UnicodeFiFo->Data[Head];
> ++  *Output                                 = TerminalDevice->UnicodeFiFo->Data[Head];
> ++  TerminalDevice->UnicodeFiFo->Data[Head] = 0;
> + 
> +   TerminalDevice->UnicodeFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
> + }
> +-- 
> +2.34.1
> +
> diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
> index f0503db9fb..85b3d7c911 100644
> --- a/meta/recipes-core/ovmf/ovmf_git.bb
> +++ b/meta/recipes-core/ovmf/ovmf_git.bb
> @@ -36,6 +36,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
>             file://CVE-2025-2296-7.patch \
>             file://CVE-2025-2296-8.patch \
>             file://CVE-2025-2296-9.patch \
> +           file://CVE-2024-38798.patch \
>             "
>  
>  PV = "edk2-stable202402"

Helllo Hongxu,

I'm filling in for Yoann while he's on leave.

It appears that the patches from commits "[PATCH 2/3] ovmf: fix CVE-2025-2296"
and "[PATCH 3/3] ovmf: fix CVE-2024-38798" do not apply to neither
scarthgap-next nor scarthgap branch :
`Patch 0001-AmdSev-Halt-on-failed-blob-allocation.patch does not apply`
`Patch CVE-2024-38798.patch does not apply`

Could you take another look at this?

Hongxu Jia April 30, 2026, 12:05 p.m. UTC | #2

On 4/30/26 17:25, Fabien Thomas wrote:
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> On Mon Apr 27, 2026 at 6:56 AM CEST, hongxu via lists.openembedded.org wrote:
>> According to [1],
>>
>>    EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of
>>    Sensitive Information to an Unauthorized Actor” by local access. Successful
>>    exploitation of this vulnerability will lead to possible information disclosure
>>    or escalation of privilege and impact Confidentiality.
>>
>> Backport a patch [2] from upstream to fix CVE-2024-38798
>>
>> [1] https://nvd.nist.gov/vuln/detail/CVE-2024-38798
>> [2] https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249
>>
>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>> ---
>>   .../ovmf/ovmf/CVE-2024-38798.patch            | 116 ++++++++++++++++++
>>   meta/recipes-core/ovmf/ovmf_git.bb            |   1 +
>>   2 files changed, 117 insertions(+)
>>   create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
>>
>> diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
>> new file mode 100644
>> index 0000000000..2d0a73c7a6
>> --- /dev/null
>> +++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
>> @@ -0,0 +1,116 @@
>> +From 81263e46ad8cf2a6c7d86bc51c95342d07ec31ca Mon Sep 17 00:00:00 2001
>> +From: Hongxu Jia <hongxu.jia@windriver.com>
>> +Date: Mon, 5 Jan 2026 13:04:18 +0800
>> +Subject: [PATCH] MdeModulePkg : Clear keyboard queue buffer after reading
>> +
>> +There is a possibility to retrieve user input keystroke data stored in the
>> +queue buffer via the EFI_SIMPLE_TEXT_INPUT_PROTOCOL pointer. To prevent
>> +exposure of the password string, clear the queue buffer by filling it
>> +with zeros after reading.
>> +
>> +Signed-off-by: Nick Wang <nick.wang@insyde.com>
>> +
>> +CVE: CVE-2024-38798
>> +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249]
>> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>> +---
>> + MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c       | 2 ++
>> + MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c        | 1 +
>> + MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c                  | 2 +-
>> + .../Universal/Console/ConSplitterDxe/ConSplitter.c        | 1 +
>> + .../Universal/Console/TerminalDxe/TerminalConIn.c         | 8 ++++++--
>> + 5 files changed, 11 insertions(+), 3 deletions(-)
>> +
>> +diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
>> +index 981309f..32757a7 100644
>> +--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
>> ++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
>> +@@ -650,6 +650,8 @@ PopScancodeBufHead (
>> +     if (Buf != NULL) {
>> +       Buf[Index] = Queue->Buffer[Queue->Head];
>> +     }
>> ++
>> ++    Queue->Buffer[Queue->Head] = 0;
>> +   }
>> +
>> +   return EFI_SUCCESS;
>> +diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
>> +index 81d3c6e..e03c88f 100644
>> +--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
>> ++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
>> +@@ -51,6 +51,7 @@ PopEfikeyBufHead (
>> +     CopyMem (KeyData, &Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
>> +   }
>> +
>> ++  ZeroMem (&Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
>> +   Queue->Head = (Queue->Head + 1) % KEYBOARD_EFI_KEY_MAX_COUNT;
>> +   return EFI_SUCCESS;
>> + }
>> +diff --git a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
>> +index b5a6459..7df1566 100644
>> +--- a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
>> ++++ b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
>> +@@ -1840,7 +1840,7 @@ Dequeue (
>> +   }
>> +
>> +   CopyMem (Item, Queue->Buffer[Queue->Head], ItemSize);
>> +-
>> ++  ZeroMem (Queue->Buffer[Queue->Head], ItemSize);
>> +   //
>> +   // Adjust the head pointer of the FIFO keyboard buffer.
>> +   //
>> +diff --git a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
>> +index 0a776f3..5c1a35e 100644
>> +--- a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
>> ++++ b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
>> +@@ -3537,6 +3537,7 @@ ConSplitterTextInExDequeueKey (
>> +     &Private->KeyQueue[1],
>> +     Private->CurrentNumberOfKeys * sizeof (EFI_KEY_DATA)
>> +     );
>> ++  ZeroMem (&Private->KeyQueue[Private->CurrentNumberOfKeys], sizeof (EFI_KEY_DATA));
>> +   return EFI_SUCCESS;
>> + }
>> +
>> +diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
>> +index f1d0a34..8aafb4b 100644
>> +--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
>> ++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
>> +@@ -760,7 +760,8 @@ RawFiFoRemoveOneKey (
>> +     return FALSE;
>> +   }
>> +
>> +-  *Output = TerminalDevice->RawFiFo->Data[Head];
>> ++  *Output                             = TerminalDevice->RawFiFo->Data[Head];
>> ++  TerminalDevice->RawFiFo->Data[Head] = 0;
>> +
>> +   TerminalDevice->RawFiFo->Head = (UINT8)((Head + 1) % (RAW_FIFO_MAX_NUMBER + 1));
>> +
>> +@@ -881,6 +882,7 @@ EfiKeyFiFoForNotifyRemoveOneKey (
>> +   }
>> +
>> +   CopyMem (Output, &EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
>> ++  ZeroMem (&EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
>> +
>> +   EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
>> +
>> +@@ -1032,6 +1034,7 @@ EfiKeyFiFoRemoveOneKey (
>> +   }
>> +
>> +   CopyMem (Output, &TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
>> ++  ZeroMem (&TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
>> +
>> +   TerminalDevice->EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
>> +
>> +@@ -1142,7 +1145,8 @@ UnicodeFiFoRemoveOneKey (
>> +   Head = TerminalDevice->UnicodeFiFo->Head;
>> +   ASSERT (Head < FIFO_MAX_NUMBER + 1);
>> +
>> +-  *Output = TerminalDevice->UnicodeFiFo->Data[Head];
>> ++  *Output                                 = TerminalDevice->UnicodeFiFo->Data[Head];
>> ++  TerminalDevice->UnicodeFiFo->Data[Head] = 0;
>> +
>> +   TerminalDevice->UnicodeFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
>> + }
>> +--
>> +2.34.1
>> +
>> diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
>> index f0503db9fb..85b3d7c911 100644
>> --- a/meta/recipes-core/ovmf/ovmf_git.bb
>> +++ b/meta/recipes-core/ovmf/ovmf_git.bb
>> @@ -36,6 +36,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
>>              file://CVE-2025-2296-7.patch \
>>              file://CVE-2025-2296-8.patch \
>>              file://CVE-2025-2296-9.patch \
>> +           file://CVE-2024-38798.patch \
>>              "
>>
>>   PV = "edk2-stable202402"
> Helllo Hongxu,
>
> I'm filling in for Yoann while he's on leave.
>
> It appears that the patches from commits "[PATCH 2/3] ovmf: fix CVE-2025-2296"
> and "[PATCH 3/3] ovmf: fix CVE-2024-38798" do not apply to neither
> scarthgap-next nor scarthgap branch :
> `Patch 0001-AmdSev-Halt-on-failed-blob-allocation.patch does not apply`
> `Patch CVE-2024-38798.patch does not apply`
>
> Could you take another look at this?

Hi Thomas,

I could apply the patch on latest scarthgap, I am afraid it was caused 
by the `CR' at the end of lines

would you please apply the patch by `git am --keep-cr 00*.patch' or 
cherry-pick from my github by following steps:

$ git fetch https://github.com/hongxu-jia/openembedded-core.git scarthgap

$ git log HEAD..FETCH_HEAD  --oneline
405b06db9d (scarthgap) ovmf: fix CVE-2024-38798
5b951e8d74 ovmf: fix CVE-2025-2296
2b93d45cfa u-boot: fix CVE-2025-24857

$ git cherry-pick 2b93d45cfa 5b951e8d74 405b06db9d

//Hongxu


>
> --
> Fabien Thomas
> Smile ECS
>

Fabien Thomas April 30, 2026, 12:25 p.m. UTC | #3

On Thu Apr 30, 2026 at 2:05 PM CEST, Hongxu Jia wrote:
> On 4/30/26 17:25, Fabien Thomas wrote:
>> CAUTION: This email comes from a non Wind River email account!
>> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>>
>> On Mon Apr 27, 2026 at 6:56 AM CEST, hongxu via lists.openembedded.org wrote:
>>> According to [1],
>>>
>>>    EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of
>>>    Sensitive Information to an Unauthorized Actor” by local access. Successful
>>>    exploitation of this vulnerability will lead to possible information disclosure
>>>    or escalation of privilege and impact Confidentiality.
>>>
>>> Backport a patch [2] from upstream to fix CVE-2024-38798
>>>
>>> [1] https://nvd.nist.gov/vuln/detail/CVE-2024-38798
>>> [2] https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249
>>>
>>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>>> ---
>>>   .../ovmf/ovmf/CVE-2024-38798.patch            | 116 ++++++++++++++++++
>>>   meta/recipes-core/ovmf/ovmf_git.bb            |   1 +
>>>   2 files changed, 117 insertions(+)
>>>   create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
>>>
>>> diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
>>> new file mode 100644
>>> index 0000000000..2d0a73c7a6
>>> --- /dev/null
>>> +++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
>>> @@ -0,0 +1,116 @@
>>> +From 81263e46ad8cf2a6c7d86bc51c95342d07ec31ca Mon Sep 17 00:00:00 2001
>>> +From: Hongxu Jia <hongxu.jia@windriver.com>
>>> +Date: Mon, 5 Jan 2026 13:04:18 +0800
>>> +Subject: [PATCH] MdeModulePkg : Clear keyboard queue buffer after reading
>>> +
>>> +There is a possibility to retrieve user input keystroke data stored in the
>>> +queue buffer via the EFI_SIMPLE_TEXT_INPUT_PROTOCOL pointer. To prevent
>>> +exposure of the password string, clear the queue buffer by filling it
>>> +with zeros after reading.
>>> +
>>> +Signed-off-by: Nick Wang <nick.wang@insyde.com>
>>> +
>>> +CVE: CVE-2024-38798
>>> +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249]
>>> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>>> +---
>>> + MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c       | 2 ++
>>> + MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c        | 1 +
>>> + MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c                  | 2 +-
>>> + .../Universal/Console/ConSplitterDxe/ConSplitter.c        | 1 +
>>> + .../Universal/Console/TerminalDxe/TerminalConIn.c         | 8 ++++++--
>>> + 5 files changed, 11 insertions(+), 3 deletions(-)
>>> +
>>> +diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
>>> +index 981309f..32757a7 100644
>>> +--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
>>> ++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
>>> +@@ -650,6 +650,8 @@ PopScancodeBufHead (
>>> +     if (Buf != NULL) {
>>> +       Buf[Index] = Queue->Buffer[Queue->Head];
>>> +     }
>>> ++
>>> ++    Queue->Buffer[Queue->Head] = 0;
>>> +   }
>>> +
>>> +   return EFI_SUCCESS;
>>> +diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
>>> +index 81d3c6e..e03c88f 100644
>>> +--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
>>> ++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
>>> +@@ -51,6 +51,7 @@ PopEfikeyBufHead (
>>> +     CopyMem (KeyData, &Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
>>> +   }
>>> +
>>> ++  ZeroMem (&Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
>>> +   Queue->Head = (Queue->Head + 1) % KEYBOARD_EFI_KEY_MAX_COUNT;
>>> +   return EFI_SUCCESS;
>>> + }
>>> +diff --git a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
>>> +index b5a6459..7df1566 100644
>>> +--- a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
>>> ++++ b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
>>> +@@ -1840,7 +1840,7 @@ Dequeue (
>>> +   }
>>> +
>>> +   CopyMem (Item, Queue->Buffer[Queue->Head], ItemSize);
>>> +-
>>> ++  ZeroMem (Queue->Buffer[Queue->Head], ItemSize);
>>> +   //
>>> +   // Adjust the head pointer of the FIFO keyboard buffer.
>>> +   //
>>> +diff --git a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
>>> +index 0a776f3..5c1a35e 100644
>>> +--- a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
>>> ++++ b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
>>> +@@ -3537,6 +3537,7 @@ ConSplitterTextInExDequeueKey (
>>> +     &Private->KeyQueue[1],
>>> +     Private->CurrentNumberOfKeys * sizeof (EFI_KEY_DATA)
>>> +     );
>>> ++  ZeroMem (&Private->KeyQueue[Private->CurrentNumberOfKeys], sizeof (EFI_KEY_DATA));
>>> +   return EFI_SUCCESS;
>>> + }
>>> +
>>> +diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
>>> +index f1d0a34..8aafb4b 100644
>>> +--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
>>> ++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
>>> +@@ -760,7 +760,8 @@ RawFiFoRemoveOneKey (
>>> +     return FALSE;
>>> +   }
>>> +
>>> +-  *Output = TerminalDevice->RawFiFo->Data[Head];
>>> ++  *Output                             = TerminalDevice->RawFiFo->Data[Head];
>>> ++  TerminalDevice->RawFiFo->Data[Head] = 0;
>>> +
>>> +   TerminalDevice->RawFiFo->Head = (UINT8)((Head + 1) % (RAW_FIFO_MAX_NUMBER + 1));
>>> +
>>> +@@ -881,6 +882,7 @@ EfiKeyFiFoForNotifyRemoveOneKey (
>>> +   }
>>> +
>>> +   CopyMem (Output, &EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
>>> ++  ZeroMem (&EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
>>> +
>>> +   EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
>>> +
>>> +@@ -1032,6 +1034,7 @@ EfiKeyFiFoRemoveOneKey (
>>> +   }
>>> +
>>> +   CopyMem (Output, &TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
>>> ++  ZeroMem (&TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
>>> +
>>> +   TerminalDevice->EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
>>> +
>>> +@@ -1142,7 +1145,8 @@ UnicodeFiFoRemoveOneKey (
>>> +   Head = TerminalDevice->UnicodeFiFo->Head;
>>> +   ASSERT (Head < FIFO_MAX_NUMBER + 1);
>>> +
>>> +-  *Output = TerminalDevice->UnicodeFiFo->Data[Head];
>>> ++  *Output                                 = TerminalDevice->UnicodeFiFo->Data[Head];
>>> ++  TerminalDevice->UnicodeFiFo->Data[Head] = 0;
>>> +
>>> +   TerminalDevice->UnicodeFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
>>> + }
>>> +--
>>> +2.34.1
>>> +
>>> diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
>>> index f0503db9fb..85b3d7c911 100644
>>> --- a/meta/recipes-core/ovmf/ovmf_git.bb
>>> +++ b/meta/recipes-core/ovmf/ovmf_git.bb
>>> @@ -36,6 +36,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
>>>              file://CVE-2025-2296-7.patch \
>>>              file://CVE-2025-2296-8.patch \
>>>              file://CVE-2025-2296-9.patch \
>>> +           file://CVE-2024-38798.patch \
>>>              "
>>>
>>>   PV = "edk2-stable202402"
>> Helllo Hongxu,
>>
>> I'm filling in for Yoann while he's on leave.
>>
>> It appears that the patches from commits "[PATCH 2/3] ovmf: fix CVE-2025-2296"
>> and "[PATCH 3/3] ovmf: fix CVE-2024-38798" do not apply to neither
>> scarthgap-next nor scarthgap branch :
>> `Patch 0001-AmdSev-Halt-on-failed-blob-allocation.patch does not apply`
>> `Patch CVE-2024-38798.patch does not apply`
>>
>> Could you take another look at this?
>
> Hi Thomas,
>
> I could apply the patch on latest scarthgap, I am afraid it was caused 
> by the `CR' at the end of lines
>
> would you please apply the patch by `git am --keep-cr 00*.patch' or 
> cherry-pick from my github by following steps:
>
> $ git fetch https://github.com/hongxu-jia/openembedded-core.git scarthgap
>
> $ git log HEAD..FETCH_HEAD  --oneline
> 405b06db9d (scarthgap) ovmf: fix CVE-2024-38798
> 5b951e8d74 ovmf: fix CVE-2025-2296
> 2b93d45cfa u-boot: fix CVE-2025-24857
>
> $ git cherry-pick 2b93d45cfa 5b951e8d74 405b06db9d
>
> //Hongxu
>
>
>>
>> --
>> Fabien Thomas
>> Smile ECS
>>

Sorry Hongxu,

I didn't see your other reply, at first.
I've just done exactly what you suggest and they applied correctly now.

Thanks for these fixes.
Regards,

diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
new file mode 100644
index 0000000000..2d0a73c7a6
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
@@ -0,0 +1,116 @@ 
+From 81263e46ad8cf2a6c7d86bc51c95342d07ec31ca Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Mon, 5 Jan 2026 13:04:18 +0800
+Subject: [PATCH] MdeModulePkg : Clear keyboard queue buffer after reading
+
+There is a possibility to retrieve user input keystroke data stored in the
+queue buffer via the EFI_SIMPLE_TEXT_INPUT_PROTOCOL pointer. To prevent
+exposure of the password string, clear the queue buffer by filling it
+with zeros after reading.
+
+Signed-off-by: Nick Wang <nick.wang@insyde.com>
+
+CVE: CVE-2024-38798
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c       | 2 ++
+ MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c        | 1 +
+ MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c                  | 2 +-
+ .../Universal/Console/ConSplitterDxe/ConSplitter.c        | 1 +
+ .../Universal/Console/TerminalDxe/TerminalConIn.c         | 8 ++++++--
+ 5 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
+index 981309f..32757a7 100644
+--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
+@@ -650,6 +650,8 @@ PopScancodeBufHead (
+     if (Buf != NULL) {
+       Buf[Index] = Queue->Buffer[Queue->Head];
+     }
++
++    Queue->Buffer[Queue->Head] = 0;
+   }
+ 
+   return EFI_SUCCESS;
+diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
+index 81d3c6e..e03c88f 100644
+--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
+@@ -51,6 +51,7 @@ PopEfikeyBufHead (
+     CopyMem (KeyData, &Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
+   }
+ 
++  ZeroMem (&Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
+   Queue->Head = (Queue->Head + 1) % KEYBOARD_EFI_KEY_MAX_COUNT;
+   return EFI_SUCCESS;
+ }
+diff --git a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
+index b5a6459..7df1566 100644
+--- a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
++++ b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
+@@ -1840,7 +1840,7 @@ Dequeue (
+   }
+ 
+   CopyMem (Item, Queue->Buffer[Queue->Head], ItemSize);
+-
++  ZeroMem (Queue->Buffer[Queue->Head], ItemSize);
+   //
+   // Adjust the head pointer of the FIFO keyboard buffer.
+   //
+diff --git a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
+index 0a776f3..5c1a35e 100644
+--- a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
++++ b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
+@@ -3537,6 +3537,7 @@ ConSplitterTextInExDequeueKey (
+     &Private->KeyQueue[1],
+     Private->CurrentNumberOfKeys * sizeof (EFI_KEY_DATA)
+     );
++  ZeroMem (&Private->KeyQueue[Private->CurrentNumberOfKeys], sizeof (EFI_KEY_DATA));
+   return EFI_SUCCESS;
+ }
+ 
+diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
+index f1d0a34..8aafb4b 100644
+--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
+@@ -760,7 +760,8 @@ RawFiFoRemoveOneKey (
+     return FALSE;
+   }
+ 
+-  *Output = TerminalDevice->RawFiFo->Data[Head];
++  *Output                             = TerminalDevice->RawFiFo->Data[Head];
++  TerminalDevice->RawFiFo->Data[Head] = 0;
+ 
+   TerminalDevice->RawFiFo->Head = (UINT8)((Head + 1) % (RAW_FIFO_MAX_NUMBER + 1));
+ 
+@@ -881,6 +882,7 @@ EfiKeyFiFoForNotifyRemoveOneKey (
+   }
+ 
+   CopyMem (Output, &EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
++  ZeroMem (&EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
+ 
+   EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
+ 
+@@ -1032,6 +1034,7 @@ EfiKeyFiFoRemoveOneKey (
+   }
+ 
+   CopyMem (Output, &TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
++  ZeroMem (&TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
+ 
+   TerminalDevice->EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
+ 
+@@ -1142,7 +1145,8 @@ UnicodeFiFoRemoveOneKey (
+   Head = TerminalDevice->UnicodeFiFo->Head;
+   ASSERT (Head < FIFO_MAX_NUMBER + 1);
+ 
+-  *Output = TerminalDevice->UnicodeFiFo->Data[Head];
++  *Output                                 = TerminalDevice->UnicodeFiFo->Data[Head];
++  TerminalDevice->UnicodeFiFo->Data[Head] = 0;
+ 
+   TerminalDevice->UnicodeFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
+ }
+-- 
+2.34.1
+
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index f0503db9fb..85b3d7c911 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -36,6 +36,7 @@  SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
            file://CVE-2025-2296-7.patch \
            file://CVE-2025-2296-8.patch \
            file://CVE-2025-2296-9.patch \
+           file://CVE-2024-38798.patch \
            "
 
 PV = "edk2-stable202402"