Debian Patches

Status for edk2/2022.11-6+deb12u1

Patch Description Author Forwarded Bugs Origin Last update
no-stack-protector-all-archs.diff pass -fno-stack-protector to all GCC toolchains The upstream build rules inexplicably pass -fno-stack-protector only
when building for i386 and amd64. Add this essential argument to the
generic rules for gcc 4.8 and later.
===================================================================
Steve Langasek <steve.langasek@ubuntu.com> no
brotlicompress-disable.diff Do not attempt to compile removed BrotliCompress source BrotliCompress is not currently used, and including an embedded
copy of its source could cause false-positives when scanning for
security issues. This code is stripped from our orig.tar (at the request
of the Ubuntu security team), so we also need to disable the build.
dann frazier <dannf@debian.org> not-needed 2019-06-25
x64-baseline-abi.patch Explicitly target generic x86-64 ABI The system compiler may be configured to target a higher x86-64 psABI by
default, so explicitly target the generic psABI to retain compatibility
with older machine types.
dann frazier <dannf@debian.org> yes 2022-06-10
Revert-ArmVirtPkg-make-EFI_LOADER_DATA-non-executabl.patch Revert "ArmVirtPkg: make EFI_LOADER_DATA non-executable" The versions of GRUB most distros are shipping still depend on executable
EFI_LOADER_DATA. Revert this upstream change until the necessary fixes are
more generally available.

diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index 462073517a..34575585ad 100644
dann frazier <dannf@debian.org> yes debian 2022-12-29
0001-ArmVirtPkg-ArmPlatformLibQemu-Ensure-that-VFP-is-on-.patch [PATCH 1/2] ArmVirtPkg/ArmPlatformLibQemu: Ensure that VFP is on before running C code

Now that we build the early code without strict alignment and without
suppressing the use of SIMD registers, ensure that the VFP unit is on
before entering C code.

While at it, simplify the mov_i macro, which is only used for 32-bit
quantities.



diff --git a/ArmVirtPkg/Library/ArmPlatformLibQemu/AArch64/ArmPlatformHelper.S b/ArmVirtPkg/Library/ArmPlatformLibQemu/AArch64/ArmPlatformHelper.S
index 05ccc7f9f0..1787d52fbf 100644
Ard Biesheuvel <ardb@kernel.org> no https://edk2.groups.io/g/devel/message/98022 2023-01-09
0002-ArmVirtPkg-ArmVirtQemu-Avoid-early-ID-map-on-Thunder.patch [PATCH 2/2] ArmVirtPkg/ArmVirtQemu: Avoid early ID map on ThunderX
The early ID map used by ArmVirtQemu uses ASID scoped non-global
mappings, as this allows us to switch to the permanent ID map seamlessly
without the need for explicit TLB maintenance.

However, this triggers a known erratum on ThunderX, which does not
tolerate non-global mappings that are executable at EL1, as this appears
to result in I-cache corruption. (Linux disables the KPTI based Meltdown
mitigation on ThunderX for the same reason)

So work around this, by detecting the CPU implementor and part number,
and proceeding without the early ID map if a ThunderX CPU is detected.

Note that this requires the C code to be built with strict alignment
again, as we may end up executing it with the MMU and caches off.



diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index f77443229e..5dd8b6104c 100644
Ard Biesheuvel <ardb@kernel.org> no https://edk2.groups.io/g/devel/message/98023 2023-01-09
0001-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch [PATCH 1/8] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117 - CVE 2022-36763

This commit contains the patch files and tests for DxeTpm2MeasureBootLib
CVE 2022-36763.


[ dannf: adjusted context in SecurityPkg/Test/SecurityPkgHostTest.dsc ]
"Douglas Flick [MSFT]" <doug.edk2@gmail.com> no 2024-01-12
0002-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch [PATCH 2/8] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117 - CVE 2022-36763

This commit contains the patch files and tests for DxeTpmMeasureBootLib
CVE 2022-36763.
"Douglas Flick [MSFT]" <doug.edk2@gmail.com> no 2024-01-12
0003-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch [PATCH 3/8] SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml

This creates / adds a security file that tracks the security fixes
found in this package and can be used to find the fixes that were
applied.
"Douglas Flick [MSFT]" <doug.edk2@gmail.com> no 2024-01-12
0001-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-2.patch [PATCH 4/8] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764

This commit contains the patch files and tests for DxeTpm2MeasureBootLib
CVE 2022-36764.
"Douglas Flick [MSFT]" <doug.edk2@gmail.com> no 2024-01-12
0002-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch [PATCH 5/8] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764

This commit contains the patch files and tests for DxeTpmMeasureBootLib
CVE 2022-36764.
"Douglas Flick [MSFT]" <doug.edk2@gmail.com> no 2024-01-12
0003-SecurityPkg-Adding-CVE-2022-36764-to-SecurityFixes.y.patch [PATCH 6/8] SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml

This creates / adds a security file that tracks the security fixes
found in this package and can be used to find the fixes that were
applied.
"Douglas Flick [MSFT]" <doug.edk2@gmail.com> no 2024-01-12
0001-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-3.patch [PATCH 1/3] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117/4118 symbol rename

Updates the sanitation function names to be lib unique names
Doug Flick <dougflick@microsoft.com> no 2024-01-17
0002-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117-2.patch [PATCH 2/3] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117/4118 symbol rename

Updates the sanitation function names to be lib unique names
Doug Flick <dougflick@microsoft.com> no 2024-01-17
0003-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch [PATCH 3/3] SecurityPkg: : Updating SecurityFixes.yaml after symbol rename

Adding the new commit titles for the symbol renames
Doug Flick <dougflick@microsoft.com> no 2024-01-17
0001-UefiPayloadPkg-Hob-Integer-Overflow-in-CreateHob.patch [PATCH 8/8] UefiPayloadPkg/Hob: Integer Overflow in CreateHob()

Fix integer overflow in various CreateHob instances.

The CreateHob() function aligns the requested size to 8 by
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```

No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.
Gua Guo <gua.guo@intel.com> no 2024-01-11
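The round-up quoted above operates on a 16-bit HobLength, so any request above 0xFFF8 rounds to 0x10000 and the cast hands back 0, leaving a header that claims a HOB far smaller than the memory the caller then writes. The following is an added example and not code from edk2 or from this patch: a throw-away HOB arena that keeps the unchecked alignment beside a checked one that rounds in 32 bits and refuses a request whose result no longer fits in the header field. The arena, the AlignHobLength* and CreateHobChecked names and the return convention (arena offset or -1) are this example's own; the header layout follows the PI generic HOB header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint16_t UINT16;
typedef uint32_t UINT32;

/* Generic HOB header as in PI: type, length (includes this header), reserved. */
typedef struct {
  UINT16 HobType;
  UINT16 HobLength;
  UINT32 Reserved;
} EFI_HOB_GENERIC_HEADER;

/* The rounding quoted in the commit message. HobLength is promoted to int,
 * rounded up, then cast back: 0xFFF9..0xFFFF become 0x10000 and truncate to 0. */
static UINT16 AlignHobLengthUnchecked(UINT16 HobLength) {
  return (UINT16)((HobLength + 0x7) & (~0x7));
}

/* Checked variant: round in 32 bits and refuse anything that no longer fits
 * in the 16-bit HobLength field. Returns the aligned length or -1. */
static int32_t AlignHobLengthChecked(UINT16 HobLength) {
  UINT32 Rounded = ((UINT32)HobLength + 0x7u) & ~0x7u;
  if (Rounded > 0xFFFFu) {
    return -1;
  }
  return (int32_t)Rounded;
}

/* Toy HOB list: a flat arena carved from the bottom like PEI free memory
 * (example-only; not the edk2 HOB list implementation). */
#define HOB_ARENA_SIZE 0x20000u
static _Alignas(8) uint8_t HobArena[HOB_ARENA_SIZE];
static UINT32 HobFreeOffset;

/* Creates a HOB of the requested size and returns its arena offset, or -1.
 * Mirrors what a fixed CreateHob() has to do: reject an overflowing round-up,
 * insist on room for the header, and only then check arena space. */
static int32_t CreateHobChecked(UINT16 HobType, UINT16 RequestedLength) {
  int32_t Aligned = AlignHobLengthChecked(RequestedLength);
  if (Aligned < 0 || (UINT32)Aligned < sizeof(EFI_HOB_GENERIC_HEADER)) {
    return -1;
  }
  if ((UINT32)Aligned > HOB_ARENA_SIZE - HobFreeOffset) {
    return -1;
  }
  EFI_HOB_GENERIC_HEADER *Hob = (EFI_HOB_GENERIC_HEADER *)(HobArena + HobFreeOffset);
  Hob->HobType   = HobType;
  Hob->HobLength = (UINT16)Aligned;
  Hob->Reserved  = 0;
  int32_t Offset = (int32_t)HobFreeOffset;
  HobFreeOffset += (UINT32)Aligned;
  return Offset;
}

/* Length recorded in the header of the HOB at the given arena offset. */
static UINT16 HobLengthAt(int32_t Offset) {
  return ((const EFI_HOB_GENERIC_HEADER *)(HobArena + Offset))->HobLength;
}
```

The unchecked function is kept only to show the wrap: AlignHobLengthUnchecked(0xFFFA) returns 0, which a caller would then treat as a valid HOB length.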
0001-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch [PATCH 01/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4535

Bug Details:
PixieFail Bug #2
CVE-2023-45230
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds
of a Memory Buffer

Changes Overview:
> -UINT8 *
> +EFI_STATUS
> Dhcp6AppendOption (
> - IN OUT UINT8 *Buf,
> - IN UINT16 OptType,
> - IN UINT16 OptLen,
> - IN UINT8 *Data
> + IN OUT EFI_DHCP6_PACKET *Packet,
> + IN OUT UINT8 **PacketCursor,
> + IN UINT16 OptType,
> + IN UINT16 OptLen,
> + IN UINT8 *Data
> );
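Review bot: the new prototype returns EFI_STATUS and hands the cursor back through PacketCursor, but nothing in the hunk says whether *PacketCursor is advanced when the call fails. Callers that keep appending after an error (the message says every call site was adapted) need that contract spelled out; document in the function header that *PacketCursor and Packet->Length are left untouched on any non-success return, and have each adapted caller stop building the packet on the first error rather than inspecting the cursor.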

Dhcp6AppendOption() and variants can return errors now. All callsites
are adapted accordingly.

It gets passed in EFI_DHCP6_PACKET as additional parameter ...

> + //
> + // Verify the PacketCursor is within the packet
> + //
> + if ( (*PacketCursor < Packet->Dhcp6.Option)
> + || (*PacketCursor >= Packet->Dhcp6.Option +
(Packet->Size - sizeof (EFI_DHCP6_HEADER))))
> + {
> + return EFI_INVALID_PARAMETER;
> + }
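Review bot: the upper bound `Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))` underflows if Packet->Size is ever smaller than the header, producing a bound far past the buffer so the check passes. Since Size is supplied by the caller, check or ASSERT `Packet->Size >= sizeof (EFI_DHCP6_HEADER)` before this comparison. This hunk also validates only where the cursor starts; make sure the follow-on check that OptLen plus the 4-byte option header fits between *PacketCursor and that end sits directly after it, so the two bounds are read together.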

... so it can look at Packet->Size when checking buffer space.
Also to allow Packet->Length updates.

Lots of checks added.
"Doug Flick via groups.io" <dougflick=microsoft.com@groups.io> no 2024-01-26
0002-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch [PATCH 02/15] NetworkPkg: : Add Unit tests to CI and create Host Test DSC

Adds Host Based testing to the NetworkPkg
"Doug Flick via groups.io" <dougflick=microsoft.com@groups.io> no 2024-01-26
0003-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch [PATCH 03/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests


Confirms that the reported issue...

"Buffer overflow in the DHCPv6 client via a long Server ID option"

..has been corrected by the provided patch.

Tests the following functions to ensure they appropriately handle
untrusted data (either too long or too small) to prevent a buffer
overflow:

Dhcp6AppendOption
Dhcp6AppendETOption
Dhcp6AppendIaOption
"Doug Flick via groups.io" <dougflick=microsoft.com@groups.io> no 2024-01-26
0004-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch [PATCH 04/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch


Bug Details:
PixieFail Bug #1
CVE-2023-45229
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read

Change Overview:

Introduce Dhcp6SeekInnerOptionSafe which performs checks before seeking
the Inner Option from a DHCP6 Option.

>
> EFI_STATUS
> Dhcp6SeekInnerOptionSafe (
> IN UINT16 IaType,
> IN UINT8 *Option,
> IN UINT32 OptionLen,
> OUT UINT8 **IaInnerOpt,
> OUT UINT16 *IaInnerLen
> );
>
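Review bot: OptionLen is a UINT32 while the output IaInnerLen is a UINT16, so the function can be handed a length no 16-bit DHCPv6 option length can express. State in the function header that an OptionLen above 0xFFFF, or one smaller than the fixed IA_NA (12-byte) or IA_TA (4-byte) body for the given IaType, is rejected with an error rather than truncated when the inner length is computed, and list which EFI_STATUS each failure returns; the unit-test patch that follows asserts on those statuses, so they belong in the documentation here.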

Lots of code cleanup to improve code readability.
"Doug Flick via groups.io" <dougflick=microsoft.com@groups.io> no 2024-01-26
0005-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch [PATCH 05/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests


These tests confirm that the reported bug...

"Out-of-bounds read when processing IA_NA/IA_TA options in a
DHCPv6 Advertise message"

..has been patched.

The following functions are tested to confirm an out of bounds read is
patched and that the correct statuses are returned:

Dhcp6SeekInnerOptionSafe
Dhcp6SeekStsOption

TCBZ4534
CVE-2023-45229
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read
"Doug Flick via groups.io" <dougflick=microsoft.com@groups.io> no 2024-01-26
0006-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch [PATCH 06/15] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536

Bug Overview:
PixieFail Bug #3
CVE-2023-45231
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read

Out-of-bounds read when handling a ND Redirect message with truncated
options

Change Overview:

Adds a check to prevent truncated options from being parsed
+ //
+ // Cannot process truncated options.
+ // Cannot process options with a length of 0 as there is no Type
field.
+ //
+ if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
+ return FALSE;
+ }
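Review bot: the comment is misleading: OptionLen here is the number of bytes left in the buffer, but "options with a length of 0 as there is no Type field" reads as if it describes the option's own Length field. Reword it to say that fewer than sizeof (IP6_OPTION_HEADER) remaining bytes means the Type and Length bytes cannot both be read. The check also only guarantees the header is present; the option body (Length in units of 8 octets for ND options) still has to be compared against the remaining bytes before it is dereferenced.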
Doug Flick <dougflick@microsoft.com> no 2024-01-26
0007-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Unit.patch [PATCH 07/15] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536

Validates that the patch for...

Out-of-bounds read when handling a ND Redirect message with truncated
options

.. has been fixed

Tests the following function to ensure that an out of bounds read does
not occur
Ip6OptionValidation
Doug Flick <dougflick@microsoft.com> no 2024-01-26
0008-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Patc.patch [PATCH 08/15] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Patch
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538

Bug Details:
PixieFail Bug #4
CVE-2023-45232
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

Infinite loop when parsing unknown options in the Destination Options
header

PixieFail Bug #5
CVE-2023-45233
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

Infinite loop when parsing a PadN option in the Destination Options
header

Change Overview:

Most importantly this change corrects the following incorrect math
and cleans up the code.

> // It is a PadN option
> //
> - Offset = (UINT8)(Offset + *(Option + Offset + 1) + 2);
> + OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length;
> + Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
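Review bot: the new PadN advance still trusts the OptDataLen read from the packet; IP6_NEXT_OPTION_OFFSET stops the 8-bit wrap, but a PadN whose Length exceeds the bytes left would still move Offset past the option area unless the loop condition catches it afterwards. Add an explicit check here that Offset plus the option's Type and Length bytes plus OptDataLen does not exceed OptionLen, returning FALSE before advancing, so the validator rejects the malformed PadN outright instead of relying on the while-condition after the fact.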

> case Ip6OptionSkip:
> - Offset = (UINT8)(Offset + *(Option + Offset + 1));
> OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length;
> Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
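Review bot: IP6_NEXT_OPTION_OFFSET only fixes the wrap-around if Offset itself is no longer a UINT8. The removed lines cast the sum back to UINT8, which is how Offset + 256 became a small value and the loop restarted; if the variable is still declared UINT8, the macro's result is truncated on assignment and the infinite loop remains. Confirm in the same change that Offset and the bound it is compared against are at least UINT16, and note in the Ip6OptionSkip case that the old line also omitted the 2 header bytes, which the macro now accounts for.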

Additionally, this change also corrects incorrect math where the calling
function was calculating the HDR EXT optionLen as a uint8 instead of a
uint16

> - OptionLen = (UINT8)((*Option + 1) * 8 - 2);
> + OptionLen = IP6_HDR_EXT_LEN (*Option) -
IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN;
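Review bot: the same truncation concern applies to the receiving variable: (Hdr Ext Len + 1) * 8 - 2 reaches 2046 for the maximum Hdr Ext Len of 255, so OptionLen must be declared UINT16 or wider for the macro change to help; the old (UINT8) cast wrapped for any Hdr Ext Len of 32 or more (33 * 8 - 2 = 262). A one-line comment that IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN is the 2-byte Next Header plus Hdr Ext Len prefix would make clear that the computed value is the option bytes only.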

Additionally, this change adds logic to sanitize the incoming
data
Doug Flick <dougflick@microsoft.com> no 2024-01-26
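Both the ND Redirect fix (CVE-2023-45231, above) and the Destination Options fix in this patch reduce to walking a TLV list without trusting the packet's own length bytes: every header must be present before it is read, every body must fit in the bytes that remain, and the running offset must be wide enough that no advance can wrap. The block below is an added example, not edk2 code: the pre-fix 8-bit offset math with an iteration cap so it returns instead of hanging, a fixed Destination Options walker, the corrected Hdr Ext Len arithmetic, and an ND option validator, exercised on constructed byte strings. The function names, the skip-versus-discard simplification for unknown options and the sample bytes are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef uint8_t  UINT8;
typedef uint16_t UINT16;
typedef uint32_t UINT32;

#define IP6_OPTION_PAD1 0
#define IP6_OPTION_PADN 1
#define IP6_OPTION_HDR  2   /* Type byte + Length byte of a TLV option */

/* Option-area length of an extension header from its Hdr Ext Len byte:
 * (HdrExtLen + 1) * 8 bytes minus the 2-byte Next Header / Hdr Ext Len prefix.
 * The UINT8 version is the pre-fix math: it wraps for Hdr Ext Len >= 32. */
static UINT8 HdrExtOptionLenTruncated(UINT8 HdrExtLen) {
  return (UINT8)((HdrExtLen + 1) * 8 - 2);
}
static UINT16 HdrExtOptionLen(UINT8 HdrExtLen) {
  return (UINT16)((HdrExtLen + 1) * 8 - 2);
}

/* Pre-fix walk over Destination Options: Offset is a UINT8 and the advance is
 * cast back to UINT8, so a PadN whose Length pushes the sum past 255 wraps
 * and the loop restarts. Cap bounds the iterations so the demo returns
 * (-1 means "would spin forever"); otherwise the option count is returned. */
static int WalkOptionsUnchecked(const UINT8 *Option, UINT8 OptionLen, int Cap) {
  UINT8 Offset = 0;
  int   Count  = 0;
  while (Offset < OptionLen) {
    if (Count++ >= Cap) {
      return -1;
    }
    if (Option[Offset] == IP6_OPTION_PAD1) {
      Offset++;
    } else {
      Offset = (UINT8)(Offset + Option[Offset + 1] + 2);   /* wraps at 256 */
    }
  }
  return Count;
}

/* Fixed walk: 32-bit offset, header and body checked against the bytes left,
 * unknown options accepted only when their high bits say "skip" (00). */
static bool Ip6DestOptionsValid(const UINT8 *Option, UINT16 OptionLen, int *CountOut) {
  UINT32 Offset = 0;
  int    Count  = 0;
  while (Offset < OptionLen) {
    UINT8 Type = Option[Offset];
    if (Type == IP6_OPTION_PAD1) {            /* Pad1 is a lone Type byte */
      Offset++; Count++; continue;
    }
    if (OptionLen - Offset < IP6_OPTION_HDR) {
      return false;                           /* truncated: no Length byte to read */
    }
    UINT32 DataLen = Option[Offset + 1];
    if (IP6_OPTION_HDR + DataLen > OptionLen - Offset) {
      return false;                           /* body runs past the option area */
    }
    if (Type != IP6_OPTION_PADN && (Type & 0xC0) != 0x00) {
      return false;                           /* discard classes; real code may also send ICMP */
    }
    Offset += IP6_OPTION_HDR + DataLen;       /* the IP6_NEXT_OPTION_OFFSET step, in 32 bits */
    Count++;
  }
  if (CountOut != NULL) {
    *CountOut = Count;
  }
  return true;
}

/* ND options (RFC 4861 4.6): Type, then Length in units of 8 octets; a
 * Length of 0 is invalid and a truncated header must not be dereferenced. */
static bool NdOptionsValid(const UINT8 *Option, UINT16 OptionLen) {
  UINT32 Offset = 0;
  while (Offset < OptionLen) {
    if (OptionLen - Offset < IP6_OPTION_HDR) {
      return false;
    }
    UINT32 Len = (UINT32)Option[Offset + 1] * 8;
    if (Len == 0 || Len > OptionLen - Offset) {
      return false;
    }
    Offset += Len;
  }
  return true;
}

/* Constructed inputs (not captured traffic); buffers are padded to 8 bytes. */
static const UINT8 gGoodDestOpts[8]  = { 0x00, 0x1E, 0x03, 0xAA, 0xBB, 0xCC };  /* Pad1, then type 0x1E len 3 */
static const UINT8 gPadNWrapOpts[8]  = { 0x01, 0xFE };                           /* PadN claiming 254 data bytes */
static const UINT8 gTruncatedOpt[8]  = { 0x1E };                                 /* option with no Length byte */
static const UINT8 gGoodNdOpts[8]    = { 0x01, 0x01, 0x52, 0x54, 0x00, 0x12, 0x34, 0x56 }; /* Source LL addr */
static const UINT8 gOverlongNdOpt[8] = { 0x01, 0x02 };                           /* claims 16 bytes, 8 present */
```

With gPadNWrapOpts and an option length of 6, the unchecked walker computes 0 + 254 + 2 = 256, truncates it to 0 and never leaves offset 0; the fixed walker rejects the same bytes on the first iteration because 2 + 254 exceeds the 6 bytes present.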
0009-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Unit.patch [PATCH 09/15] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538

Unit tests to confirm that..

Infinite loop when parsing unknown options in the Destination Options
header

and

Infinite loop when parsing a PadN option in the Destination Options
header

... have been patched

This patch tests the following functions:
Ip6IsOptionValid
Doug Flick <dougflick@microsoft.com> no 2024-01-26
0010-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch [PATCH 10/15] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Patch

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539

Bug Details:
PixieFail Bug #6
CVE-2023-45234
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of
a Memory Buffer

Buffer overflow when processing DNS Servers option in a DHCPv6
Advertise message

Change Overview:

Introduces a function to cache the Dns Server and perform sanitizing
on the incoming DnsServerLen to ensure that the length is valid

> + EFI_STATUS
> + PxeBcCacheDnsServerAddresses (
> + IN PXEBC_PRIVATE_DATA *Private,
> + IN PXEBC_DHCP6_PACKET_CACHE *Cache6
> + )
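Review bot: the prototype marks both parameters IN, yet the function's purpose is to write the cached DNS server list into the private data, so whichever structure it modifies should be IN OUT per the EDK II convention. The header should also spell out the validation the message only alludes to: DnsServerLen must be non-zero and a multiple of sizeof (EFI_IPv6_ADDRESS), and the number of addresses copied must not exceed what the cache buffer was allocated for, together with the status returned when either fails.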

Additional code cleanup
Doug Flick <dougflick@microsoft.com> no 2024-01-26
0011-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch [PATCH 11/15] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Unit Tests

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539

Unit tests to confirm that the bug..

Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise
message

..has been patched

This contains tests for the following functions:
PxeBcHandleDhcp6Offer
PxeBcCacheDnsServerAddresses
Doug Flick <dougflick@microsoft.com> no 2024-01-26
0013-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch [PATCH 13/15] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Patch

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540

Bug Details:
PixieFail Bug #7
CVE-2023-45235
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of
a Memory Buffer

Buffer overflow when handling Server ID option from a DHCPv6 proxy
Advertise message

Change Overview:

Performs two checks

1. Checks that the length of the DUID is accurate
> + //
> + // Check that the minimum and maximum requirements are met
> + //
> + if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) ||
(OpLen > PXEBC_MAX_SIZE_OF_DUID)) {
> + Status = EFI_INVALID_PARAMETER;
> + goto ON_ERROR;
> + }
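Review bot: rejecting an out-of-range OpLen here jumps to ON_ERROR with EFI_INVALID_PARAMETER, so ON_ERROR must release the Discover buffer allocated earlier in the function; the message mentions a leak fix for the Option == NULL path, and this new early exit needs the same cleanup. A DUID is a 2-byte type code followed by the identifier, so also note in the comment what PXEBC_MIN_SIZE_OF_DUID and PXEBC_MAX_SIZE_OF_DUID derive from (RFC 8415's rule that the identifier part not exceed 128 octets), so the next reader does not have to guess why those bounds were chosen.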

2. Ensures that the amount of data written to the buffer is tracked and
never exceeds that
> + //
> + // Check that the option length is valid.
> + //
> + if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN)
> DiscoverLenNeeded) {
> + Status = EFI_OUT_OF_RESOURCES;
> + goto ON_ERROR;
> + }
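Review bot: EFI_OUT_OF_RESOURCES is the wrong status for this failure: the packet is rejected because a network-supplied OpLen would not fit in the Discover buffer, not because an allocation failed, so callers and logs will report a malformed or hostile offer as memory pressure. EFI_INVALID_PARAMETER (matching the DUID check above) or EFI_BUFFER_TOO_SMALL describes it accurately. The comparison itself is sound as long as DiscoverLen and OpLen are promoted to int before the addition, which holds for UINT16 operands; keep the sum on the left as written so no subtraction can underflow.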

Additional code clean up and fix for memory leak in case Option was NULL
Doug Flick <dougflick@microsoft.com> no 2024-01-26
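Three of the PixieFail fixes above come down to the same discipline: never copy a network-supplied option into a fixed-size packet or cache without checking both the option's own length rules and the space actually left (Dhcp6AppendOption for CVE-2023-45230, the DNS Servers option length for CVE-2023-45234, the Server ID DUID and the Discover buffer for CVE-2023-45235). The block below is an added example, not edk2 or the patch author's code: a cut-down DHCPv6 packet, the pre-fix append that trusts the caller next to a post-fix append that validates the cursor against Packet->Size and returns a status, and two length predicates. The struct layout, the status enum values, the DUID bounds (2-byte type code plus 1..128 identifier octets per RFC 8415), the 16-byte multiple rule for DNS servers (RFC 3646) and the canary scenario are this example's simplifications.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint8_t  UINT8;
typedef uint16_t UINT16;
typedef uint32_t UINT32;

/* Illustrative status codes; real EFI_STATUS error values carry the high bit. */
typedef enum { EFI_SUCCESS = 0, EFI_INVALID_PARAMETER, EFI_BUFFER_TOO_SMALL } EFI_STATUS;

#define DHCP6_HEADER_SIZE 4   /* MessageType + 24-bit TransactionId */
#define DHCP6_OPT_HDR     4   /* OptType + OptLen, big-endian 16-bit each */

/* Simplified packet: Size is the allocation, Length the bytes in use,
 * Option the area of Size - DHCP6_HEADER_SIZE bytes after the header. */
typedef struct {
  UINT32 Size;
  UINT32 Length;
  UINT8  Header[DHCP6_HEADER_SIZE];
  UINT8  Option[];
} DHCP6_PACKET;

/* Pre-fix shape: trusts the caller, cannot fail, returns the advanced cursor. */
static UINT8 *Dhcp6AppendOptionUnchecked(UINT8 *Buf, UINT16 OptType, UINT16 OptLen, const UINT8 *Data) {
  Buf[0] = (UINT8)(OptType >> 8);  Buf[1] = (UINT8)OptType;
  Buf[2] = (UINT8)(OptLen  >> 8);  Buf[3] = (UINT8)OptLen;
  memcpy(Buf + DHCP6_OPT_HDR, Data, OptLen);
  return Buf + DHCP6_OPT_HDR + OptLen;
}

/* Post-fix shape: the cursor is validated against Packet->Size, the space left
 * is compared against the whole option, and Length is kept in sync. On any
 * error neither *PacketCursor nor the packet is modified. */
static EFI_STATUS Dhcp6AppendOptionSafe(DHCP6_PACKET *Packet, UINT8 **PacketCursor,
                                        UINT16 OptType, UINT16 OptLen, const UINT8 *Data) {
  if (Packet == NULL || PacketCursor == NULL || *PacketCursor == NULL ||
      Packet->Size < DHCP6_HEADER_SIZE) {
    return EFI_INVALID_PARAMETER;
  }
  const UINT8 *OptionEnd = Packet->Option + (Packet->Size - DHCP6_HEADER_SIZE);
  if (*PacketCursor < Packet->Option || *PacketCursor >= OptionEnd) {
    return EFI_INVALID_PARAMETER;       /* cursor outside the option area */
  }
  size_t Remaining = (size_t)(OptionEnd - *PacketCursor);
  if (Remaining < (size_t)DHCP6_OPT_HDR + OptLen) {
    return EFI_BUFFER_TOO_SMALL;        /* header plus data would run past Size */
  }
  *PacketCursor  = Dhcp6AppendOptionUnchecked(*PacketCursor, OptType, OptLen, Data);
  Packet->Length = DHCP6_HEADER_SIZE + (UINT32)(*PacketCursor - Packet->Option);
  return EFI_SUCCESS;
}

/* Length rules checked before an option is copied anywhere.
 * DUID: 2-byte type code plus 1..128 identifier octets (RFC 8415 limit).
 * DNS Servers: a non-empty list of whole 16-byte IPv6 addresses (RFC 3646). */
#define DUID_MIN_SIZE 3
#define DUID_MAX_SIZE 130
static bool ServerIdLenValid(UINT16 OpLen)   { return OpLen >= DUID_MIN_SIZE && OpLen <= DUID_MAX_SIZE; }
static bool DnsServersLenValid(UINT16 OpLen) { return OpLen != 0 && OpLen % 16 == 0; }

/* Constructed scenario: a packet with a 32-byte option area followed by a
 * canary, and a 20-byte payload appended twice (2 x 24 bytes wanted). */
#define OPT_AREA 32
#define CANARY   0xA5
static _Alignas(8) UINT8 gBacking[sizeof(DHCP6_PACKET) + OPT_AREA + 32];
static const UINT8 gPayload[20] = { 0x00, 0x03, 0x00, 0x01, 0x52, 0x54, 0x00, 0x12, 0x34, 0x56 };

static DHCP6_PACKET *FreshPacket(void) {
  memset(gBacking, CANARY, sizeof gBacking);
  DHCP6_PACKET *Packet = (DHCP6_PACKET *)gBacking;
  memset(Packet, 0, sizeof *Packet + OPT_AREA);
  Packet->Size   = DHCP6_HEADER_SIZE + OPT_AREA;
  Packet->Length = DHCP6_HEADER_SIZE;
  return Packet;
}

static bool CanaryIntact(void) {
  for (size_t i = sizeof(DHCP6_PACKET) + OPT_AREA; i < sizeof gBacking; i++) {
    if (gBacking[i] != CANARY) return false;
  }
  return true;
}

/* Unchecked path: the second append writes 16 bytes past the option area. */
static bool UncheckedAppendSmashesCanary(void) {
  DHCP6_PACKET *Packet = FreshPacket();
  UINT8 *Cursor = Packet->Option;
  Cursor = Dhcp6AppendOptionUnchecked(Cursor, 2, sizeof gPayload, gPayload);
  Cursor = Dhcp6AppendOptionUnchecked(Cursor, 2, sizeof gPayload, gPayload);
  return !CanaryIntact();
}

/* Safe path: the second append is refused and Length stays at 4 + 24. */
static UINT32 SafeAppendFinalLength(void) {
  DHCP6_PACKET *Packet = FreshPacket();
  UINT8 *Cursor = Packet->Option;
  Dhcp6AppendOptionSafe(Packet, &Cursor, 2, sizeof gPayload, gPayload);
  Dhcp6AppendOptionSafe(Packet, &Cursor, 2, sizeof gPayload, gPayload);
  return Packet->Length;
}

static bool SafeAppendKeepsCanary(void) {
  (void)SafeAppendFinalLength();
  return CanaryIntact();
}
```

The safe append deliberately rejects a cursor that already sits at the end of the option area with EFI_INVALID_PARAMETER, as the quoted hunk does, and reports a lack of room as EFI_BUFFER_TOO_SMALL rather than an allocation failure.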
0014-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch [PATCH 14/15] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Unit Tests

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540

Unit tests to confirm that the bug..

Buffer overflow when handling Server ID option from a DHCPv6 proxy
Advertise message

..has been patched.

This patch contains unit tests for the following functions:
PxeBcRequestBootService
PxeBcDhcp6Discover
Doug Flick <dougflick@microsoft.com> no 2024-01-26
0015-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch [PATCH 15/15] NetworkPkg: : Adds a SecurityFix.yaml file
This creates / adds a security file that tracks the security fixes
found in this package and can be used to find the fixes that were
applied.
"Doug Flick via groups.io" <dougflick=microsoft.com@groups.io> no 2024-01-26
Disable-the-Shell-when-SecureBoot-is-enabled.patch Shell: Disable the Shell when SecureBoot is enabled and not in SetupMode Mate Kukri <mate.kukri@canonical.com> no 2023-12-06