diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch new file mode 100644 index 0000000000..2d0a73c7a6 --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch @@ -0,0 +1,116 @@ +From 81263e46ad8cf2a6c7d86bc51c95342d07ec31ca Mon Sep 17 00:00:00 2001 +From: Hongxu Jia +Date: Mon, 5 Jan 2026 13:04:18 +0800 +Subject: [PATCH] MdeModulePkg : Clear keyboard queue buffer after reading + +There is a possibility to retrieve user input keystroke data stored in the +queue buffer via the EFI_SIMPLE_TEXT_INPUT_PROTOCOL pointer. To prevent +exposure of the password string, clear the queue buffer by filling it +with zeros after reading. + +Signed-off-by: Nick Wang + +CVE: CVE-2024-38798 +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249] +Signed-off-by: Hongxu Jia +--- + MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c | 2 ++ + MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c | 1 + + MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c | 2 +- + .../Universal/Console/ConSplitterDxe/ConSplitter.c | 1 + + .../Universal/Console/TerminalDxe/TerminalConIn.c | 8 ++++++-- + 5 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c +index 981309f..32757a7 100644 +--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c ++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c +@@ -650,6 +650,8 @@ PopScancodeBufHead ( + if (Buf != NULL) { + Buf[Index] = Queue->Buffer[Queue->Head]; + } ++ ++ Queue->Buffer[Queue->Head] = 0; + } + + return EFI_SUCCESS; +diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c +index 81d3c6e..e03c88f 100644 +--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c ++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c +@@ -51,6 +51,7 @@ PopEfikeyBufHead ( + CopyMem (KeyData, &Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA)); + } + ++ ZeroMem (&Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA)); + Queue->Head = (Queue->Head + 1) % KEYBOARD_EFI_KEY_MAX_COUNT; + return EFI_SUCCESS; + } +diff --git a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c +index b5a6459..7df1566 100644 +--- a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c ++++ b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c +@@ -1840,7 +1840,7 @@ Dequeue ( + } + + CopyMem (Item, Queue->Buffer[Queue->Head], ItemSize); +- ++ ZeroMem (Queue->Buffer[Queue->Head], ItemSize); + // + // Adjust the head pointer of the FIFO keyboard buffer. + // +diff --git a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c +index 0a776f3..5c1a35e 100644 +--- a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c ++++ b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c +@@ -3537,6 +3537,7 @@ ConSplitterTextInExDequeueKey ( + &Private->KeyQueue[1], + Private->CurrentNumberOfKeys * sizeof (EFI_KEY_DATA) + ); ++ ZeroMem (&Private->KeyQueue[Private->CurrentNumberOfKeys], sizeof (EFI_KEY_DATA)); + return EFI_SUCCESS; + } + +diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c +index f1d0a34..8aafb4b 100644 +--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c ++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c +@@ -760,7 +760,8 @@ RawFiFoRemoveOneKey ( + return FALSE; + } + +- *Output = TerminalDevice->RawFiFo->Data[Head]; ++ *Output = TerminalDevice->RawFiFo->Data[Head]; ++ TerminalDevice->RawFiFo->Data[Head] = 0; + + TerminalDevice->RawFiFo->Head = (UINT8)((Head + 1) % (RAW_FIFO_MAX_NUMBER + 1)); + +@@ -881,6 +882,7 @@ EfiKeyFiFoForNotifyRemoveOneKey ( + } + + CopyMem (Output, &EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY)); ++ ZeroMem (&EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY)); + + EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1)); + +@@ -1032,6 +1034,7 @@ EfiKeyFiFoRemoveOneKey ( + } + + CopyMem (Output, &TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY)); ++ ZeroMem (&TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY)); + + TerminalDevice->EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1)); + +@@ -1142,7 +1145,8 @@ UnicodeFiFoRemoveOneKey ( + Head = TerminalDevice->UnicodeFiFo->Head; + ASSERT (Head < FIFO_MAX_NUMBER + 1); + +- *Output = TerminalDevice->UnicodeFiFo->Data[Head]; ++ *Output = TerminalDevice->UnicodeFiFo->Data[Head]; ++ TerminalDevice->UnicodeFiFo->Data[Head] = 0; + + TerminalDevice->UnicodeFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1)); + } +-- +2.34.1 + diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index f0503db9fb..85b3d7c911 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb @@ -36,6 +36,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \ file://CVE-2025-2296-7.patch \ file://CVE-2025-2296-8.patch \ file://CVE-2025-2296-9.patch \ + file://CVE-2024-38798.patch \ " PV = "edk2-stable202402"