microsoft · jykanase · Apr 3, 2025 · Apr 4, 2025 · Apr 14, 2025 · Apr 14, 2025
@@ -11,7 +11,7 @@
 Summary:        Signed HvLoader.efi for %{buildarch} systems
 Name:           edk2-hvloader-signed-%{buildarch}
 Version:        %{GITDATE}git%{GITCOMMIT}
-Release:        6%{?dist}
+Release:        8%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -74,6 +74,12 @@ popd
 /boot/efi/HvLoader.efi
 
 %changelog
+* Thu Apr 24 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 20240524git3e722403cd16-8
+- Bump release for consistency with edk2 spec.
+
+* Wed Apr 23 2025 Archana Choudhary <archana1@microsoft.com> - 20240524git3e722403cd16-7
+- Bump release for consistency with edk2 spec.
+
 * Tue Apr 15 2025 Tobias Brick <tobiasb@microsoft.com> - 20240524git3e722403cd16-6
 - Bump release for consistency with edk2 spec.
 

@@ -0,0 +1,109 @@
+From 050d26383d4e264966fb83428e72d5d48f402d35 Mon Sep 17 00:00:00 2001
+From: Rohan McLure <rmclure@linux.ibm.com>
+Date: Thu, 4 Jan 2024 10:25:50 +0100
+Subject: [PATCH] poly1305-ppc.pl: Fix vector register clobbering
+
+Fixes CVE-2023-6129
+
+The POLY1305 MAC (message authentication code) implementation in OpenSSL for
+PowerPC CPUs saves the the contents of vector registers in different order
+than they are restored. Thus the contents of some of these vector registers
+is corrupted when returning to the caller. The vulnerable code is used only
+on newer PowerPC processors supporting the PowerISA 2.07 instructions.
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/23200)
+
+(cherry picked from commit 8d847a3ffd4f0b17ee33962cf69c36224925b34f)
+---
+ crypto/poly1305/asm/poly1305-ppc.pl | 42 ++++++++++++++---------------
+ 1 file changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/poly1305/asm/poly1305-ppc.pl b/CryptoPkg/Library/OpensslLib/openssl/crypto/poly1305/asm/poly1305-ppc.pl
+index 9f86134d923fb..2e601bb9c24be 100755
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/poly1305/asm/poly1305-ppc.pl
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/poly1305/asm/poly1305-ppc.pl
+@@ -744,7 +744,7 @@
+ my $LOCALS= 6*$SIZE_T;
+ my $VSXFRAME = $LOCALS + 6*$SIZE_T;
+    $VSXFRAME += 128;	# local variables
+-   $VSXFRAME += 13*16;	# v20-v31 offload
++   $VSXFRAME += 12*16;	# v20-v31 offload
+
+ my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0;
+
+@@ -919,12 +919,12 @@
+ 	addi	r11,r11,32
+ 	stvx	v22,r10,$sp
+ 	addi	r10,r10,32
+-	stvx	v23,r10,$sp
+-	addi	r10,r10,32
+-	stvx	v24,r11,$sp
++	stvx	v23,r11,$sp
+ 	addi	r11,r11,32
+-	stvx	v25,r10,$sp
++	stvx	v24,r10,$sp
+ 	addi	r10,r10,32
++	stvx	v25,r11,$sp
++	addi	r11,r11,32
+ 	stvx	v26,r10,$sp
+ 	addi	r10,r10,32
+ 	stvx	v27,r11,$sp
+@@ -1153,12 +1153,12 @@
+ 	addi	r11,r11,32
+ 	stvx	v22,r10,$sp
+ 	addi	r10,r10,32
+-	stvx	v23,r10,$sp
+-	addi	r10,r10,32
+-	stvx	v24,r11,$sp
++	stvx	v23,r11,$sp
+ 	addi	r11,r11,32
+-	stvx	v25,r10,$sp
++	stvx	v24,r10,$sp
+ 	addi	r10,r10,32
++	stvx	v25,r11,$sp
++	addi	r11,r11,32
+ 	stvx	v26,r10,$sp
+ 	addi	r10,r10,32
+ 	stvx	v27,r11,$sp
+@@ -1899,26 +1899,26 @@
+ 	mtspr	256,r12				# restore vrsave
+ 	lvx	v20,r10,$sp
+ 	addi	r10,r10,32
+-	lvx	v21,r10,$sp
+-	addi	r10,r10,32
+-	lvx	v22,r11,$sp
++	lvx	v21,r11,$sp
+ 	addi	r11,r11,32
+-	lvx	v23,r10,$sp
++	lvx	v22,r10,$sp
+ 	addi	r10,r10,32
+-	lvx	v24,r11,$sp
++	lvx	v23,r11,$sp
+ 	addi	r11,r11,32
+-	lvx	v25,r10,$sp
++	lvx	v24,r10,$sp
+ 	addi	r10,r10,32
+-	lvx	v26,r11,$sp
++	lvx	v25,r11,$sp
+ 	addi	r11,r11,32
+-	lvx	v27,r10,$sp
++	lvx	v26,r10,$sp
+ 	addi	r10,r10,32
+-	lvx	v28,r11,$sp
++	lvx	v27,r11,$sp
+ 	addi	r11,r11,32
+-	lvx	v29,r10,$sp
++	lvx	v28,r10,$sp
+ 	addi	r10,r10,32
+-	lvx	v30,r11,$sp
+-	lvx	v31,r10,$sp
++	lvx	v29,r11,$sp
++	addi	r11,r11,32
++	lvx	v30,r10,$sp
++	lvx	v31,r11,$sp
+ 	$POP	r27,`$VSXFRAME-$SIZE_T*5`($sp)
+ 	$POP	r28,`$VSXFRAME-$SIZE_T*4`($sp)
+ 	$POP	r29,`$VSXFRAME-$SIZE_T*3`($sp)
@@ -0,0 +1,95 @@
+From dfa811c4173d0b520de4cfb0e7794781ad41289a Mon Sep 17 00:00:00 2001
+From: Archana Choudhary <archana1@microsoft.com>
+Date: Tue, 29 Apr 2025 09:04:40 +0000
+Subject: [PATCH] Patch for CVE-2024-2511
+
+Ported from https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d
+---
+ .../Library/OpensslLib/openssl/ssl/ssl_lib.c  |  5 ++--
+ .../Library/OpensslLib/openssl/ssl/ssl_sess.c | 28 +++++++++++++++----
+ .../openssl/ssl/statem/statem_srvr.c          |  5 ++--
+ 3 files changed, 27 insertions(+), 11 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+index 99ce450..158b550 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+@@ -3717,9 +3717,10 @@ void ssl_update_cache(SSL *s, int mode)
+
+     /*
+      * If the session_id_length is 0, we are not supposed to cache it, and it
+-     * would be rather hard to do anyway :-)
++     * would be rather hard to do anyway :-). Also if the session has already
++     * been marked as not_resumable we should not cache it for later reuse.
+      */
+-    if (s->session->session_id_length == 0)
++    if (s->session->session_id_length == 0 || s->session->not_resumable)
+         return;
+
+     /*
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_sess.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_sess.c
+index 68b57a5..c1c7837 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_sess.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_sess.c
+@@ -152,16 +152,11 @@ SSL_SESSION *SSL_SESSION_new(void)
+     return ss;
+ }
+
+-SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
+-{
+-    return ssl_session_dup(src, 1);
+-}
+-
+ /*
+  * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
+  * ticket == 0 then no ticket information is duplicated, otherwise it is.
+  */
+-SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
+ {
+     SSL_SESSION *dest;
+
+@@ -281,6 +276,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
+     return NULL;
+ }
+
++SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
++{
++    return ssl_session_dup_intern(src, 1);
++}
++
++/*
++ * Used internally when duplicating a session which might be already shared.
++ * We will have resumed the original session. Subsequently we might have marked
++ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
++ * resume from.
++ */
++SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++{
++    SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
++
++    if (sess != NULL)
++        sess->not_resumable = 0;
++
++    return sess;
++}
++
+ const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
+ {
+     if (len)
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_srvr.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_srvr.c
+index a9e67f9..6c942e6 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_srvr.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_srvr.c
+@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
+      * so the following won't overwrite an ID that we're supposed
+      * to send back.
+      */
+-    if (s->session->not_resumable ||
+-        (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
+-         && !s->hit))
++    if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
++            && !s->hit)
+         s->session->session_id_length = 0;
+
+     if (usetls13) {
@@ -0,0 +1,26 @@
+From a6d8206a22d70dc5e6d7ac8aae8e69b80ace7e61 Mon Sep 17 00:00:00 2001
+From: jykanase <v-jykanase@microsoft.com>
+Date: Wed, 2 Apr 2025 05:23:55 +0000
+Subject: [PATCH] CVE-2024-38796
+
+Upstream patch reference: https://github.com/tianocore/edk2/commit/c95233b8525ca6828921affd1496146cff262e65
+---
+ MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+index 86ff2e7..128090d 100644
+--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
++++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+@@ -1054,7 +1054,7 @@ PeCoffLoaderRelocateImage (
+     RelocDir = &Hdr.Te->DataDirectory[0];
+   }
+
+-  if ((RelocDir != NULL) && (RelocDir->Size > 0)) {
++  if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {
+     RelocBase    = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
+     RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (
+                                                   ImageContext,
+-- 
+2.45.2
+
@@ -0,0 +1,125 @@
+From d2bbe37ccf8857197a4b6c36fc0381ab58bb8b09 Mon Sep 17 00:00:00 2001
+From: Archana Choudhary <archana1@microsoft.com>
+Date: Tue, 29 Apr 2025 09:12:17 +0000
+Subject: [PATCH] Fix for CVE-2024-4603
+
+Ported from https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397
+---
+ .../Library/OpensslLib/openssl/CHANGES.md     | 17 +++++++
+ .../OpensslLib/openssl/crypto/dsa/dsa_check.c | 45 +++++++++++++++++--
+ 2 files changed, 58 insertions(+), 4 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/CHANGES.md b/CryptoPkg/Library/OpensslLib/openssl/CHANGES.md
+index 84933a8..34a2e7f 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/CHANGES.md
++++ b/CryptoPkg/Library/OpensslLib/openssl/CHANGES.md
+@@ -30,6 +30,23 @@ breaking changes, and mappings for the large list of deprecated functions.
+
+ ### Changes between 3.0.6 and 3.0.7 [1 Nov 2022]
+
++ * Fixed an issue where checking excessively long DSA keys or parameters may
++   be very slow.
++
++   Applications that use the functions EVP_PKEY_param_check() or
++   EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
++   experience long delays. Where the key or parameters that are being checked
++   have been obtained from an untrusted source this may lead to a Denial of
++   Service.
++
++   To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
++   will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
++   reason.
++
++   ([CVE-2024-4603])
++
++   *Tomáš Mráz*
++
+  * Fixed two buffer overflows in punycode decoding functions.
+
+    A buffer overrun can be triggered in X.509 certificate verification,
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/dsa/dsa_check.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/dsa/dsa_check.c
+index 7ee914a..a66fe05 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/dsa/dsa_check.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/dsa/dsa_check.c
+@@ -19,8 +19,34 @@
+ #include "dsa_local.h"
+ #include "crypto/dsa.h"
+
++static int dsa_precheck_params(const DSA *dsa, int *ret)
++{
++    if (dsa->params.p == NULL || dsa->params.q == NULL) {
++        ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
++        *ret = FFC_CHECK_INVALID_PQ;
++        return 0;
++    }
++
++    if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
++        *ret = FFC_CHECK_INVALID_PQ;
++        return 0;
++    }
++
++    if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
++        ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
++        *ret = FFC_CHECK_INVALID_PQ;
++        return 0;
++    }
++
++    return 1;
++}
++
+ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
+ {
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++
+     if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
+         return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params,
+                                                FFC_PARAM_TYPE_DSA, ret);
+@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
+  */
+ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+ {
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++
+     return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret);
+ }
+
+@@ -49,6 +78,10 @@ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+  */
+ int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+ {
++    
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++    
+     return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret);
+ }
+
+@@ -56,8 +89,10 @@ int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret)
+ {
+     *ret = 0;
+
+-    return (dsa->params.q != NULL
+-            && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++
++    return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
+ }
+
+ /*
+@@ -70,8 +105,10 @@ int ossl_dsa_check_pairwise(const DSA *dsa)
+     BN_CTX *ctx = NULL;
+     BIGNUM *pub_key = NULL;
+
+-    if (dsa->params.p == NULL
+-        || dsa->params.g == NULL
++    if (!dsa_precheck_params(dsa, &ret))
++        return 0;
++
++    if (dsa->params.g == NULL
+         || dsa->priv_key == NULL
+         || dsa->pub_key == NULL)
+         return 0;