From c7d6eb8c0ae56f6bc515c74a79268b273d7aaf10 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Mon, 2 Feb 2026 09:51:26 +0000
Subject: [PATCH 1/2] Patch hvloader for CVE-2026-22796, CVE-2025-68160, CVE-2025-69418
---
 SPECS/hvloader/CVE-2025-68160.patch | 81 +++++++++++++++++++++++++++++
 SPECS/hvloader/CVE-2025-69418.patch | 78 +++++++++++++++++++++++++++
 SPECS/hvloader/CVE-2026-22796.patch | 77 +++++++++++++++++++++++++++
 SPECS/hvloader/hvloader.spec | 8 ++-
 4 files changed, 243 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/hvloader/CVE-2025-68160.patch
 create mode 100644 SPECS/hvloader/CVE-2025-69418.patch
 create mode 100644 SPECS/hvloader/CVE-2026-22796.patch
diff --git a/SPECS/hvloader/CVE-2025-68160.patch b/SPECS/hvloader/CVE-2025-68160.patch
new file mode 100644
index 00000000000..fc3e92512c4
--- /dev/null
+++ b/SPECS/hvloader/CVE-2025-68160.patch
@@ -0,0 +1,81 @@
+From ee8b48af7a053a62baba11a21e08c0cfba4b695b Mon Sep 17 00:00:00 2001
+From: Neil Horman
+Date: Wed, 7 Jan 2026 11:52:09 -0500
+Subject: [PATCH] Fix heap buffer overflow in BIO_f_linebuffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When a FIO_f_linebuffer is part of a bio chain, and the next BIO
+preforms short writes, the remainder of the unwritten buffer is copied
+unconditionally to the internal buffer ctx->obuf, which may not be
+sufficiently sized to handle the remaining data, resulting in a buffer
+overflow.
+
+Fix it by only copying data when ctx->obuf has space, flushing to the
+next BIO to increase available storage if needed.
+
+Fixes openssl/srt#48
+
+Fixes CVE-2025-68160
+
+Reviewed-by: Nikola Pajkovsky
+Reviewed-by: Eugene Syromiatnikov
+Reviewed-by: Saša Nedvědický
+Reviewed-by: Tomas Mraz
+MergeDate: Mon Jan 26 19:41:40 2026
+(cherry picked from commit b21663c35a6f0ed4c8de06855bdc7a6a21f00c2f)
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/openssl/openssl/commit/475c466ef2fbd8fc1df6fae1c3eed9c813fc8ff6.patch
+---
+ .../OpensslLib/openssl/crypto/bio/bf_lbuf.c | 32 +++++++++++++++----
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bf_lbuf.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bf_lbuf.c
+index 72f99018..34dd0357 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bf_lbuf.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bf_lbuf.c
+@@ -191,14 +191,34 @@ static int linebuffer_write(BIO *b, const char *in, int inl)
+ while (foundnl && inl > 0);
+ /*
+ * We've written as much as we can. The rest of the input buffer, if
+- * any, is text that doesn't and with a NL and therefore needs to be
+- * saved for the next trip.
++ * any, is text that doesn't end with a NL and therefore we need to try
++ free up some space in our obuf so we can make forward progress.
+ */
+- if (inl > 0) {
+- memcpy(&(ctx->obuf[ctx->obuf_len]), in, inl);
+- ctx->obuf_len += inl;
+- num += inl;
++ while (inl > 0) {
++ size_t avail = (size_t)ctx->obuf_size - (size_t)ctx->obuf_len;
++ size_t to_copy;
++
++ if (avail == 0) {
++ /* Flush buffered data to make room */
++ i = BIO_write(b->next_bio, ctx->obuf, ctx->obuf_len);
++ if (i <= 0) {
++ BIO_copy_next_retry(b);
++ return num > 0 ? num : i;
++ }
++ if (i < ctx->obuf_len)
++ memmove(ctx->obuf, ctx->obuf + i, ctx->obuf_len - i);
++ ctx->obuf_len -= i;
++ continue;
++ }
++
++ to_copy = inl > (int)avail ? avail : (size_t)inl;
++ memcpy(&(ctx->obuf[ctx->obuf_len]), in, to_copy);
++ ctx->obuf_len += (int)to_copy;
++ in += to_copy;
++ inl -= (int)to_copy;
++ num += (int)to_copy;
+ }
++
+ return num;
+ }
+
+--
+2.45.4
+
diff --git a/SPECS/hvloader/CVE-2025-69418.patch b/SPECS/hvloader/CVE-2025-69418.patch
new file mode 100644
index 00000000000..ea8ce5c086c
--- /dev/null
+++ b/SPECS/hvloader/CVE-2025-69418.patch
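Review bot: The new `while (inl > 0)` loop in linebuffer_write converts between `size_t` and `int` four times (`(size_t)ctx->obuf_size`, `(int)avail`, and `(int)to_copy` twice) although every operand involved — `obuf_size`, `obuf_len`, `inl`, `num`, and the `i` returned by `BIO_write` — is compared and added as an `int`; `int avail = ctx->obuf_size - ctx->obuf_len;` followed by `int to_copy = inl < avail ? inl : avail;` expresses the same bound in one type and drops the casts. This is a readability point only: each `memcpy` is bounded by the remaining obuf capacity and the `avail == 0` branch flushes or returns before any copy, which is the fix. linebuffer_write begins before the hunk, so the declaration of `i` and `num` is not visible here.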
@@ -0,0 +1,78 @@
+From 7b4ea5f9ec9330d4b26e74e83feb9e03949e3c43 Mon Sep 17 00:00:00 2001
+From: Norbert Pocs
+Date: Thu, 8 Jan 2026 15:04:54 +0100
+Subject: [PATCH] Fix OCB AES-NI/HW stream path unauthenticated/unencrypted
+ trailing bytes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When ctx->stream (e.g., AES‑NI or ARMv8 CE) is available, the fast path
+encrypts/decrypts full blocks but does not advance in/out pointers. The
+tail-handling code then operates on the base pointers, effectively reprocessing
+the beginning of the buffer while leaving the actual trailing bytes
+unencrypted (encryption) or using the wrong plaintext (decryption). The
+authentication checksum excludes the true tail.
+
+CVE-2025-69418
+
+Fixes: https://github.com/openssl/srt/issues/58
+
+Signed-off-by: Norbert Pocs
+
+Reviewed-by: Saša Nedvědický
+Reviewed-by: Eugene Syromiatnikov
+Reviewed-by: Tomas Mraz
+MergeDate: Mon Jan 26 19:48:35 2026
+(cherry picked from commit be9375d5d45dfaf897b56ef148a0b58402491fcb)
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/openssl/openssl/commit/52d23c86a54adab5ee9f80e48b242b52c4cc2347.patch
+---
+ .../Library/OpensslLib/openssl/crypto/modes/ocb128.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/modes/ocb128.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/modes/ocb128.c
+index b39a55a1..2ef39826 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/modes/ocb128.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/modes/ocb128.c
+@@ -342,7 +342,7 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
+
+ if (num_blocks && all_num_blocks == (size_t)all_num_blocks
+ && ctx->stream != NULL) {
+- size_t max_idx = 0, top = (size_t)all_num_blocks;
++ size_t max_idx = 0, top = (size_t)all_num_blocks, processed_bytes = 0;
+
+ /*
+ * See how many L_{i} entries we need to process data at hand
+@@ -356,6 +356,9 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
+ ctx->stream(in, out, num_blocks, ctx->keyenc,
+ (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
+ (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
++ processed_bytes = num_blocks * 16;
++ in += processed_bytes;
++ out += processed_bytes;
+ } else {
+ /* Loop through all full blocks to be encrypted */
+ for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) {
+@@ -434,7 +437,7 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
+
+ if (num_blocks && all_num_blocks == (size_t)all_num_blocks
+ && ctx->stream != NULL) {
+- size_t max_idx = 0, top = (size_t)all_num_blocks;
++ size_t max_idx = 0, top = (size_t)all_num_blocks, processed_bytes = 0;
+
+ /*
+ * See how many L_{i} entries we need to process data at hand
+@@ -448,6 +451,9 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
+ ctx->stream(in, out, num_blocks, ctx->keydec,
+ (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
+ (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
++ processed_bytes = num_blocks * 16;
++ in += processed_bytes;
++ out += processed_bytes;
+ } else {
+ OCB_BLOCK tmp;
+
+--
+2.45.4
+
diff --git a/SPECS/hvloader/CVE-2026-22796.patch b/SPECS/hvloader/CVE-2026-22796.patch
new file mode 100644
index 00000000000..33747ccc3de
--- /dev/null
+++ b/SPECS/hvloader/CVE-2026-22796.patch
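Review bot: `processed_bytes = num_blocks * 16;` in the stream branch of CRYPTO_ocb128_encrypt hard-codes the block size, and the identical three lines are repeated in the CRYPTO_ocb128_decrypt hunk below; the file already has an `OCB_BLOCK` type (the decrypt branch declares `OCB_BLOCK tmp`), so if that is the 16-byte block, `in += num_blocks * sizeof(OCB_BLOCK); out += num_blocks * sizeof(OCB_BLOCK);` names the quantity and removes the `processed_bytes` local that is assigned once and read twice. The fix itself relies on the tail-handling code after the `if/else` reading `in`/`out` rather than recomputing them from the original arguments, which is not visible in the hunk; a short comment at the increment, e.g. `/* advance past the full blocks so the tail code below sees the real tail */`, would record why the pointers move here. Both enclosing functions start and end outside the hunks.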
@@ -0,0 +1,77 @@
+From 73b2e98599a813f617b20d5860e2587b385b4aff Mon Sep 17 00:00:00 2001
+From: Bob Beck
+Date: Wed, 7 Jan 2026 11:29:48 -0700
+Subject: [PATCH] Ensure ASN1 types are checked before use.
+
+Some of these were fixed by LibreSSL in commit https://github.com/openbsd/src/commit/aa1f637d454961d22117b4353f98253e984b3ba8
+this fix includes the other fixes in that commit, as well as fixes for others found by a scan
+for a similar unvalidated access paradigm in the tree.
+
+Reviewed-by: Kurt Roeckx
+Reviewed-by: Shane Lontis
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/29582)
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49.patch
+---
+ CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c | 3 ++-
+ .../OpensslLib/openssl/crypto/pkcs12/p12_kiss.c | 10 ++++++++--
+ .../Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c | 2 ++
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c b/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
+index 00effc80..6e8cc6e9 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
+@@ -2698,8 +2698,9 @@ int s_client_main(int argc, char **argv)
+ goto end;
+ }
+ atyp = ASN1_generate_nconf(genstr, cnf);
+- if (atyp == NULL) {
++ if (atyp == NULL || atyp->type != V_ASN1_SEQUENCE) {
+ NCONF_free(cnf);
++ ASN1_TYPE_free(atyp);
+ BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
+ goto end;
+ }
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
+index 7ab98385..d90404dd 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
+@@ -183,11 +183,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
+ ASN1_BMPSTRING *fname = NULL;
+ ASN1_OCTET_STRING *lkid = NULL;
+
+- if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
++ if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) {
++ if (attrib->type != V_ASN1_BMPSTRING)
++ return 0;
+ fname = attrib->value.bmpstring;
++ }
+
+- if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
++ if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID))) {
++ if (attrib->type != V_ASN1_OCTET_STRING)
++ return 0;
+ lkid = attrib->value.octet_string;
++ }
+
+ switch (PKCS12_SAFEBAG_get_nid(bag)) {
+ case NID_keyBag:
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+index f63fbc50..4e0eb1e8 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+@@ -1092,6 +1092,8 @@ ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
+ ASN1_TYPE *astype;
+ if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
+ return NULL;
++ if (astype->type != V_ASN1_OCTET_STRING)
++ return NULL;
+ return astype->value.octet_string;
+ }
+
+--
+2.45.4
+
diff --git a/SPECS/hvloader/hvloader.spec b/SPECS/hvloader/hvloader.spec
index 7bffc311d60..fbe7989514c 100644
--- a/SPECS/hvloader/hvloader.spec
+++ b/SPECS/hvloader/hvloader.spec
@@ -4,7 +4,7 @@
 Summary: HvLoader.efi is an EFI application for loading an external hypervisor loader.
 Name: hvloader
 Version: 1.0.1
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -37,6 +37,9 @@
 Patch19: CVE-2024-38796.patch
 Patch20: CVE-2025-3770.patch
 Patch21: CVE-2025-2296.patch
 Patch22: CVE-2025-2295.patch
+Patch23: CVE-2025-68160.patch
+Patch24: CVE-2025-69418.patch
+Patch25: CVE-2026-22796.patch
 BuildRequires: bc
 BuildRequires: gcc
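Review bot: The backport's diffstat covers three files, while the embedded upstream message says the commit also carries "fixes for others found by a scan"; whether the remaining upstream hunks were dropped because those call sites do not exist in this vendored OpenSSL, or were simply not carried over, is not recorded anywhere in the patch header. A line such as `Backport-note: upstream hunks for <FILES-NOT-IN-THIS-TREE> dropped — code not present in CryptoPkg's OpenSSL` (filled in from the upstream commit) would let the next servicing pass verify the coverage instead of re-deriving it. In p12_kiss.c the new `return 0` on a type mismatch fails the bag without raising an error, which matches upstream; it appears callers then see a failure with no queue entry, so this is only worth noting if the surrounding PKCS12 code expects every failure to carry a reason. parse_bag, s_client_main and PKCS7_digest_from_attributes all extend beyond their hunks.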
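Review bot: `Patch23`–`Patch25` are declared, but the `%prep` section is outside this hunk, so it is not visible whether the spec applies patches with `%autosetup -p1`/`%autopatch` (which picks them up automatically) or with explicit per-patch lines, in which case each new patch needs its own line, e.g. `%patch -P 23 -p1` in whatever form the existing `Patch22` line uses. This is worth confirming before merge, because a declared-but-unapplied patch still builds cleanly and the three CVEs would remain open in the shipped HvLoader.efi. The embedded patches use `CryptoPkg/...` paths, so their strip level must also match the one the existing patches are applied with.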
@@ -82,6 +85,9 @@ cp ./Build/MdeModule/RELEASE_GCC5/X64/MdeModulePkg/Application/%{name_github}-%{
 /boot/efi/HvLoader.efi
 %changelog
+* Mon Feb 02 2026 Azure Linux Security Servicing Account - 1.0.1-17
+- Patch for CVE-2026-22796, CVE-2025-68160, CVE-2025-69418
+
 * Tue Jan 06 2026 Azure Linux Security Servicing Account - 1.0.1-16
 - Patch for CVE-2025-2295
From 42648732c9809b81cbac6dd0018555e339631f30 Mon Sep 17 00:00:00 2001
From: Kanishk Bansal
Date: Mon, 2 Feb 2026 10:55:34 +0000
Subject: [PATCH 2/2] Bump release for consistency with hvloader spec.
---
 SPECS-SIGNED/hvloader-signed/hvloader-signed.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec b/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec
index 8e5ccefa1e0..38f26295609 100644
--- a/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec
+++ b/SPECS-SIGNED/hvloader-signed/hvloader-signed.spec
@@ -6,7 +6,7 @@
 Summary: Signed HvLoader.efi for %{buildarch} systems
 Name: hvloader-signed-%{buildarch}
 Version: 1.0.1
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -69,6 +69,9 @@ popd
 /boot/efi/HvLoader.efi
 %changelog
+* Mon Feb 02 2026 Azure Linux Security Servicing Account - 1.0.1-17
+- Bump release for consistency with hvloader spec.
+
 * Tue Jan 06 2026 Azure Linux Security Servicing Account - 1.0.1-16
 - Bump release for consistency with hvloader spec.