Fixes CVE-2024-13176、CVE-2024-4741、CVE-2023-5363

0080-Fix-timing-side-channel-CVE-2024-13176.patch

@@ -0,0 +1,121 @@
+From ccdf50988462e9889f3553cbefbe81bba3e41e1f Mon Sep 17 00:00:00 2001
+From: hy <12444214+dhjgty@user.noreply.gitee.com>
+Date: Tue, 25 Feb 2025 23:29:26 +0800
+Subject: [PATCH] Fix timing side-channel in ECDSA signature computation
+There is a timing signal of around 300 nanoseconds when the top word of
+the inverted ECDSA nonce value is zero. This can happen with significant
+probability only for some of the supported elliptic curves. In particular
+the NIST P-521 curve is affected. To be able to measure this leak, the
+attacker process must either be located in the same physical computer or
+must have a very fast network connection with low latency.
+
+Attacks on ECDSA nonce are also known as Minerva attack.
+
+Fixes CVE-2024-13176
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+
+---
+ .../OpensslLib/openssl/crypto/bn/bn_exp.c     | 21 +++++++++++++------
+ .../OpensslLib/openssl/crypto/ec/ec_lib.c     |  7 ++++---
+ .../OpensslLib/openssl/include/crypto/bn.h    |  3 +++
+ 3 files changed, 22 insertions(+), 9 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c
+index 4e169ae1..a161e580 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c
+@@ -598,7 +598,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
+  * out by Colin Percival,
+  * http://www.daemonology.net/hyperthreading-considered-harmful/)
+  */
+-int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
++int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+                               const BIGNUM *m, BN_CTX *ctx,
+                               BN_MONT_CTX *in_mont)
+ {
+@@ -615,10 +615,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+     unsigned int t4 = 0;
+ #endif
+ 
+-    bn_check_top(a);
+-    bn_check_top(p);
+-    bn_check_top(m);
+-
+     if (!BN_is_odd(m)) {
+         ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS);
+         return 0;
+@@ -1138,7 +1134,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+             goto err;
+     } else
+ #endif
+-    if (!BN_from_montgomery(rr, &tmp, mont, ctx))
++    if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
+         goto err;
+     ret = 1;
+  err:
+@@ -1152,6 +1148,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+     return ret;
+ }
+ 
++int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
++                              const BIGNUM *m, BN_CTX *ctx,
++                              BN_MONT_CTX *in_mont)
++{
++    bn_check_top(a);
++    bn_check_top(p);
++    bn_check_top(m);
++    if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
++        return 0;
++    bn_correct_top(rr);
++    return 1;
++}
++
+ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
+                          const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+ {
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c
+index b1696d93..1f0bf1ec 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c
+@@ -20,6 +20,7 @@
+ #include <openssl/err.h>
+ #include <openssl/opensslv.h>
+ #include "crypto/ec.h"
++#include "crypto/bn.h"
+ #include "internal/nelem.h"
+ #include "ec_local.h"
+ 
+@@ -1262,10 +1263,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
+     if (!BN_sub(e, group->order, e))
+         goto err;
+     /*-
+-     * Exponent e is public.
+-     * No need for scatter-gather or BN_FLG_CONSTTIME.
++     * Although the exponent is public we want the result to be
++     * fixed top.
+      */
+-    if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
++    if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
+         goto err;
+ 
+     ret = 1;
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
+index fd1c09d9..ba50bca2 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
+@@ -73,6 +73,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
+  */
+ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                           BN_MONT_CTX *mont, BN_CTX *ctx);
++int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
++                              const BIGNUM *m, BN_CTX *ctx,
++                              BN_MONT_CTX *in_mont);
+ int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+                          BN_CTX *ctx);
+ int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+-- 
+2.33.0
+

0081-Free-the-read-buffers-CVE-2024-4741.patch

@@ -0,0 +1,70 @@
+From f40c84cc031796e0469c6294abbf945455084627 Mon Sep 17 00:00:00 2001
+From: hy <12444214+dhjgty@user.noreply.gitee.com>
+Date: Mon, 24 Feb 2025 22:50:29 +0800
+Subject: [PATCH] fix CVE-2024-4741
+Only free the read buffers if we're not using them
+If we're part way through processing a record, or the application has
+not released all the records then we should not free our buffer because
+they are still needed.
+
+CVE-2024-4741
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+
+---
+ .../Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c | 9 +++++++++
+ CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h | 1 +
+ CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c       | 3 +++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c
+index 3baf8207..99602b6b 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/rec_layer_s3.c
+@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
+     return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
+ }
+ 
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
++{
++    if (rl->rstate == SSL_ST_READ_BODY)
++        return 1;
++    if (RECORD_LAYER_processed_read_pending(rl))
++        return 1;
++    return 0;
++}
++
+ /* Checks if we have decrypted unread record data pending */
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
+ {
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h
+index 234656bf..b60f71c8 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/record/record.h
+@@ -205,6 +205,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
+ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
+ int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+index 5d57f5d2..ac4ae41e 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+@@ -5489,6 +5489,9 @@ int SSL_free_buffers(SSL *ssl)
+     if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
+         return 0;
+ 
++    if (RECORD_LAYER_data_present(rl))
++        return 0;
++
+     RECORD_LAYER_release(rl);
+     return 1;
+ }
+-- 
+2.33.0
+

0082-Process-key-length-CVE-2023-5363.patch

@@ -0,0 +1,79 @@
+From 583189d64994d0a2eb2bac1591fa207210d4be7f Mon Sep 17 00:00:00 2001
+From: hy <12444214+dhjgty@user.noreply.gitee.com>
+Date: Mon, 24 Feb 2025 23:05:55 +0800
+Subject: [PATCH] evp: process key length and iv length early if present
+ evp_cipher_init_internal() takes a params array argument and this is
+ processed late in the initialisation process for some ciphers (AEAD ones).
+
+This means that changing the IV length as a parameter will either truncate the
+IV (very bad if SP 800-38d section 8.2.1 is used) or grab extra uninitialised
+bytes.
+
+Truncation is very bad if SP 800-38d section 8.2.1 is being used to
+contruct a deterministic IV.  This leads to an instant loss of confidentiality.
+
+Grabbing extra bytes isn't so serious, it will most likely result in a bad
+decryption.
+
+Problem reported by Tony Battersby of Cybernetics.com but earlier discovered
+and raised as issue #19822.
+
+Fixes CVE-2023-5363
+Fixes #19822
+
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+---
+ .../OpensslLib/openssl/crypto/evp/evp_enc.c   | 36 +++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/evp/evp_enc.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/evp/evp_enc.c
+index b178d108..2dff3e66 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/evp/evp_enc.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/evp/evp_enc.c
+@@ -218,6 +218,42 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
+             return 0;
+     }
+ 
++#ifndef FIPS_MODULE
++    /*
++     * Fix for CVE-2023-5363
++     * Passing in a size as part of the init call takes effect late
++     * so, force such to occur before the initialisation.
++     *
++     * The FIPS provider's internal library context is used in a manner
++     * such that this is not an issue.
++     */
++    if (params != NULL) {
++        OSSL_PARAM param_lens[3] = { OSSL_PARAM_END, OSSL_PARAM_END,
++                                     OSSL_PARAM_END };
++        OSSL_PARAM *q = param_lens;
++        const OSSL_PARAM *p;
++
++        p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN); 
++        if (p != NULL)
++            memcpy(q++, p, sizeof(*q));
++
++        /*
++         * Note that OSSL_CIPHER_PARAM_AEAD_IVLEN is a synomym for
++         * OSSL_CIPHER_PARAM_IVLEN so both are covered here.
++         */
++        p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN);
++        if (p != NULL)
++            memcpy(q++, p, sizeof(*q));
++
++        if (q != param_lens) {
++            if (!EVP_CIPHER_CTX_set_params(ctx, param_lens)) {
++                ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
++                return 0;
++            }
++        }
++    }
++#endif
++
+     if (enc) {
+         if (ctx->cipher->einit == NULL) {
+             ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+-- 
+2.33.0
+

edk2.spec

@@ -7,7 +7,7 @@
 
 Name: edk2
 Version: %{stable_date}
-Release: 16
+Release: 17
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent and OpenSSL and MIT 
 URL: https://github.com/tianocore/edk2
@@ -127,6 +127,11 @@ patch77: 0077-VirtioDxe-add-support-of-MMIO-Bar-for-virtio-devices.patch
 patch78: 0078-Virtio-wait-virtio-device-reset-done.patch
 patch79: 0079-VirtioBlk-split-large-IO-according-to-segment_size_m.patch
 
+# Fix CVE-2024-13176
+patch80: 0080-Fix-timing-side-channel-CVE-2024-13176.patch
+patch81: 0081-Free-the-read-buffers-CVE-2024-4741.patch
+patch82: 0082-Process-key-length-CVE-2023-5363.patch
+
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl 
 
 %description
@@ -396,6 +401,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 
 %changelog
+* Sun Feb 23 2025 huyu<huyu70@h-partners.com> - 202308-17
+- fix CVE-2024-13176、CVE-2024-4741、CVE-2023-5363
+
 * Fri Nov 29 2024 adttil<2429917001@qq.com> - 202308-16
 - vdpa: support vdpa blk/scsi device boot