Fix CVE-2024-4603
This commit is contained in:
hy
parent
ca2a749250
commit
2ff9fe43ad
198
0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch
Normal file
198
0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch
Normal file
@ -0,0 +1,198 @@
|
||||
From 9b551e31226d345984bc4dd64b0f8c8f768b9d0b Mon Sep 17 00:00:00 2001
|
||||
From: hy <12444214+dhjgty@user.noreply.gitee.com>
|
||||
Date: Sun, 16 Mar 2025 16:30:29 +0800
|
||||
Subject: [PATCH] Check DSA parameters for excessive sizes before validating
|
||||
This avoids overly long computation of various validation checks.
|
||||
|
||||
Fixes CVE-2024-4603
|
||||
|
||||
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
|
||||
---
|
||||
.../Library/OpensslLib/openssl/CHANGES.md | 17 ++++++
|
||||
.../OpensslLib/openssl/crypto/dsa/dsa_check.c | 44 ++++++++++++--
|
||||
.../invalid/p10240_q256_too_big.pem | 57 +++++++++++++++++++
|
||||
3 files changed, 114 insertions(+), 4 deletions(-)
|
||||
create mode 100644 CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
|
||||
|
||||
diff --git a/CryptoPkg/Library/OpensslLib/openssl/CHANGES.md b/CryptoPkg/Library/OpensslLib/openssl/CHANGES.md
|
||||
index 0fb1eb1f..2209e0ce 100644
|
||||
--- a/CryptoPkg/Library/OpensslLib/openssl/CHANGES.md
|
||||
+++ b/CryptoPkg/Library/OpensslLib/openssl/CHANGES.md
|
||||
@@ -30,6 +30,23 @@ breaking changes, and mappings for the large list of deprecated functions.
|
||||
|
||||
### Changes between 3.0.8 and 3.0.9 [30 May 2023]
|
||||
|
||||
+ * Fixed an issue where checking excessively long DSA keys or parameters may
|
||||
+ be very slow.
|
||||
+
|
||||
+ Applications that use the functions EVP_PKEY_param_check() or
|
||||
+ EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
|
||||
+ experience long delays. Where the key or parameters that are being checked
|
||||
+ have been obtained from an untrusted source this may lead to a Denial of
|
||||
+ Service.
|
||||
+
|
||||
+ To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
|
||||
+ will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
|
||||
+ reason.
|
||||
+
|
||||
+ ([CVE-2024-4603])
|
||||
+
|
||||
+ *Tomáš Mráz*
|
||||
+
|
||||
* Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
|
||||
OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
|
||||
|
||||
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/dsa/dsa_check.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/dsa/dsa_check.c
|
||||
index 7ee914a4..ed01ea8f 100644
|
||||
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/dsa/dsa_check.c
|
||||
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/dsa/dsa_check.c
|
||||
@@ -19,8 +19,34 @@
|
||||
#include "dsa_local.h"
|
||||
#include "crypto/dsa.h"
|
||||
|
||||
+static int dsa_precheck_params(const DSA *dsa, int *ret)
|
||||
+ {
|
||||
+ if (dsa->params.p == NULL || dsa->params.q == NULL) {
|
||||
+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
|
||||
+ *ret = FFC_CHECK_INVALID_PQ;
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
|
||||
+ ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
|
||||
+ *ret = FFC_CHECK_INVALID_PQ;
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
|
||||
+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
|
||||
+ *ret = FFC_CHECK_INVALID_PQ;
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
|
||||
{
|
||||
+ if (!dsa_precheck_params(dsa, ret))
|
||||
+ return 0;
|
||||
+
|
||||
if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
|
||||
return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params,
|
||||
FFC_PARAM_TYPE_DSA, ret);
|
||||
@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
|
||||
*/
|
||||
int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
|
||||
{
|
||||
+ if (!dsa_precheck_params(dsa, ret))
|
||||
+ return 0;
|
||||
+
|
||||
return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret);
|
||||
}
|
||||
|
||||
@@ -49,6 +78,9 @@ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
|
||||
*/
|
||||
int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret)
|
||||
{
|
||||
+ if (!dsa_precheck_params(dsa, ret))
|
||||
+ return 0;
|
||||
+
|
||||
return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret);
|
||||
}
|
||||
|
||||
@@ -56,8 +88,10 @@ int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret)
|
||||
{
|
||||
*ret = 0;
|
||||
|
||||
- return (dsa->params.q != NULL
|
||||
- && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
|
||||
+ if (!dsa_precheck_params(dsa, ret))
|
||||
+ return 0;
|
||||
+
|
||||
+ return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -70,8 +104,10 @@ int ossl_dsa_check_pairwise(const DSA *dsa)
|
||||
BN_CTX *ctx = NULL;
|
||||
BIGNUM *pub_key = NULL;
|
||||
|
||||
- if (dsa->params.p == NULL
|
||||
- || dsa->params.g == NULL
|
||||
+ if (!dsa_precheck_params(dsa, &ret))
|
||||
+ return 0;
|
||||
+
|
||||
+ if (dsa->params.g == NULL
|
||||
|| dsa->priv_key == NULL
|
||||
|| dsa->pub_key == NULL)
|
||||
return 0;
|
||||
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
|
||||
new file mode 100644
|
||||
index 00000000..162be8a8
|
||||
--- /dev/null
|
||||
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
|
||||
@@ -0,0 +1,57 @@
|
||||
+-----BEGIN DSA PARAMETERS-----
|
||||
+ MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja
|
||||
+ p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil
|
||||
+ XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF
|
||||
+ x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk
|
||||
+ oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW
|
||||
+ dAntpffy4LwOxfbuEhISvKjjQoBwIvYE4TBPqL0Q6bC6HgQ4+tqd9b44pQjdIQjb
|
||||
+ Xcjc6azheITSnPEex3OdKtKoQeRq01qCeLBpMXu1c+CTf4ApKArZvT3vZSg0hM1O
|
||||
+ pR71bRZrEEegDj0LH2HCgI5W6H3blOS9A0kUTddCoQXr2lsVdiPtRbPKH1gcd9FQ
|
||||
+ P8cGrvbakpTiC0dCczOMDaCteM1QNILlkM7ZoV6VghsKvDnFPxFsiIr5GgjasXP5
|
||||
+ hhbn3g7sDoq1LiTEo+IKQY28pBWx7etSOSRuXW/spnvCkivZla7lSEGljoy9QlQ2
|
||||
+ UZmsEQI9G3YyzgpxHvKZBK1CiZVTywdYKTZ4TYCxvqzhYhjv2bqbpjI12HRFLojB
|
||||
+ koyEmMSp53lldCzp158PrIanqSp2rksMR8SmmCL3FwfAp2OjqFMEglG9DT8x0WaN
|
||||
+ TLSkjGC6t2csMte7WyU1ekNoFDKfMjDSAz0+xIx21DEmZtYqFOg1DNPK1xYLS0pl
|
||||
+ RSMRRkJVN2mk/G7/1oxlB8Wb9wgi3GKUqqCYT11SnBjzq0NdoJ3E4GMedp5Lx3AZ
|
||||
+ 4mFuRPUd4iV86tE0XDSHSFE7Y3ZkrOjD7Q/26/L53L/UH5z4HW6CHP5os7QERJjg
|
||||
+ c1S3x87wXWo9QXbB9b2xmf+c+aWwAAr1cviw38tru58jF3/IGyduj9H8claKQqBG
|
||||
+ cIOUF4aNe1hK2K3ArAOApUxr4KE+tCvrltRfiTmVFip0g9Jt1CPY3Zu7Bd4Z2ZkE
|
||||
+ DtSztpwa49HrWF5E9xpquvBL2U8jQ68E7Xd8Wp4orI/TIChriamBmdkgRz3H2LvN
|
||||
+ Ozb6+hsnEGrz3sp2RVAToSqA9ysa6nHZdfufPNtMEbQdO/k1ehmGRb0ljBRsO6b2
|
||||
+ rsG2eYuC8tg8eCrIkua0TGRI7g6a4K32AJdzaX6NsISaaIW+OYJuoDSscvD3oOg8
|
||||
+ PPEhU+zM7xJskTA+jxvPlikKx8V7MNHOCQECldJlUBwzJvqp40JvwfnDsF+8VYwd
|
||||
+ UaiieR3pzMzyTjpReXRmZbnRPusRcsVzxb2OhB79wmuy4UPjjQBX+7eD0rs8xxvW
|
||||
+ 5a5q1Cjq4AvbwmmcA/wDrHDOjcbD/zodad2O1QtBWa/R4xyWea4zKsflgACE1zY9
|
||||
+ wW2br7+YQFekcrXkkkEzgxd6zxv8KVEDpXRZjmAM1cI5LvkoN64To4GedN8Qe/G7
|
||||
+ R9SZh9gnS17PTP64hK+aYqhFafMdu87q/+qLfxaSux727qE5hiW01u4nnWhACf9s
|
||||
+ xuOozowKqxZxkolMIyZv6Lddwy1Zv5qjCyd0DvM/1skpXWkb9kfabYC+OhjsjVhs
|
||||
+ 0Ktfs6a5B3eixiw5x94hhIcTEcS4hmvhGUL72FiTca6ZeSERTKmNBy8CIQC9/ZUN
|
||||
+ uU/V5JTcnYyUGHzm7+XcZBjyGBagBj9rCmW3SQKCBQAJ/k9rb39f1cO+/3XDEMjy
|
||||
+ 9bIEXSuS48g5RAc1UGd5nrrBQwuDxGWFyz0yvAY7LgyidZuJS21+MAp9EY7AOMmx
|
||||
+ TDttifNaBJYt4GZ8of166PcqTKkHQwq5uBpxeSDv/ZE8YbYfaCtLTcUC8KlO+l36
|
||||
+ gjJHSkdkflSsGy1yObSNDQDfVAAwQs//TjDMnuEtvlNXZllsTvFFBceXVETn10K2
|
||||
+ ZMmdSIJNfLnjReUKEN6PfeGqv7F4xoyGwUybEfRE4u5RmXrqCODaIjY3SNMrOq8B
|
||||
+ R3Ata/cCozsM1jIdIW2z+OybDJH+BYsYm2nkSZQjZS6javTYClLrntEKG/hAQwL8
|
||||
+ F16YLOQXpHhgiAaWnTZzANtLppB2+5qCVy5ElzKongOwT8JTjTFXOaRnqe/ngm9W
|
||||
+ SSbrxfDaoWUOyK9XD8Cydzpv3n4Y8nWNGayi7/yAFCU36Ri040ufgv/TZLuKacnl
|
||||
+ +3ga3ZUpRlSigzx0kb1+KjTSWeQ8vE/psdWjvBukVEbzdUauMLyRLo/6znSVvvPX
|
||||
+ UGhviThE5uhrsUg+wEPFINriSHfF7JDKVhDcJnLBdaXvfN52pkF/naLBF5Rt3Gvq
|
||||
+ fjCxjx0Sy9Lag1hDN4dor7dzuO7wmwOS01DJW1PtNLuuH0Bbqh1kYSaQkmyXBZWX
|
||||
+ qo8K3nkoDM0niOtJJubOhTNrGmSaZpNXkK3Mcy9rBbdvEs5O0Jmqaax/eOdU0Yot
|
||||
+ B3lX+3ddOseT2ZEFjzObqTtkWuFBeBxuYNcRTsu3qMdIBsEb8URQdsTtjoIja2fK
|
||||
+ hreVgjK36GW70KXEl8V/vq5qjQulmqkBEjmilcDuiREKqQuyeagUOnhQaBplqVco
|
||||
+ 4xznh5DMBMRbpGb5lHxKv4cPNi+uNAJ5i98zWUM1JRt6aXnRCuWcll1z8fRZ+5kD
|
||||
+ vK9FaZU3VRMK/eknEG49cGr8OuJ6ZRSaC+tKwV1y+amkSZpKPWnk2bUnQI3ApJv3
|
||||
+ k1e1EToeECpMUkLMDgNbpKBoz4nqMEvAAlYgw9xKNbLlQlahqTVEAmaJHh4yDMDy
|
||||
+ i7IZ9Wrn47IGoR7s3cvhDHUpRPeW4nsmgzj+tf5EAxemI61STZJTTWo0iaPGJxct
|
||||
+ 9nhOOhw1I38Mvm4vkAbFH7YJ0B6QrjjYL2MbOTp5JiIh4vdOeWwNo9/y4ffyaN5+
|
||||
+ ADpxuuIAmcbdr6GPOhkOFFixRJa0B2eP1i032HESlLs8RB9oYtdTXdXQotnIgJGd
|
||||
+ Y8tSKOa1zjzeLHn3AVpRZTUW++/BxmApV3GKIeG8fsUjg/df0QRrBcdC/1uccdaG
|
||||
+ KKlAOwlywVn5jUlwHkTmDiTM9w5AqVVGHZ2b+4ZgQW8jnPKN0SrKf6U555D+zp7E
|
||||
+ x4uXoE8ojN9y8m8UKf0cTLnujH2XgZorjPfuMOt5VZEhQFMS2QaljSeni5CJJ8gk
|
||||
+ XtztNqfBlAtWR4V5iAHeQOfIB2YaOy8GESda89tyKraKeaez41VblpTVHTeq9IIF
|
||||
+ YB4cQA2PfuNaGVRGLMAgT3Dvl+mxxxeJyxnGAiUcETU/jJJt9QombiuszBlYGQ5d
|
||||
+ ELOSm/eQSRARV9zNSt5jaQlMSjMBqenIEM09BzYqa7jDwqoztFxNdO8bcuQPuKwa
|
||||
+ 4z3bBZ1yYm63WFdNbQqqGEwc0OYmqg1raJ0zltgHyjFyw8IGu4g/wETs+nVQcH7D
|
||||
+ vKuje86bePD6kD/LH3wmkA==
|
||||
+ -----END DSA PARAMETERS-----
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -7,7 +7,7 @@
|
||||
|
||||
Name: edk2
|
||||
Version: %{stable_date}
|
||||
Release: 20
|
||||
Release: 21
|
||||
Summary: EFI Development Kit II
|
||||
License: BSD-2-Clause-Patent and OpenSSL and MIT
|
||||
URL: https://github.com/tianocore/edk2
|
||||
@ -137,6 +137,9 @@ patch83: 0083-OvmfPkg-Disable-PcdFirstTimeWakeUpAPsBySipi.patch
|
||||
patch84: 0084-OvmfPkg-AmdSev-Disable-PcdFirstTimeWakeUpAPsBySipi.patch
|
||||
patch85: 0085-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch
|
||||
|
||||
# Fix CVE-2024-4603
|
||||
patch86: 0086-Check-DSA-parameters-for-excessive-sizes-before-vali.patch
|
||||
|
||||
BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl
|
||||
|
||||
%description
|
||||
@ -427,6 +430,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Mar 17 2025 huyu<huyu70@h-partners.com> - 202308-21
|
||||
- fix CVE-2024-4603
|
||||
|
||||
* Thu Mar 13 2025 hanliyang<hanliyang@hygon.cn> - 202308-20
|
||||
- Fix boot failure on OvmfPkg/AmdSev
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user