fix CEV-2023-0215

Signed-off-by: chenhuiying <chenhuiying4@huawei.com>

0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch

@@ -0,0 +1,106 @@
+From 93bb2a5f1df1617502c24f287ea4e5ca351aef95 Mon Sep 17 00:00:00 2001
+From: chenhuiying <chenhuiying4@huawei.com>
+Date: Sat, 25 Feb 2023 15:05:15 +0800
+Subject: [PATCH] Fix a UAF resulting from a bug in BIO_new_NDEF
+
+If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
+be part of an invalid BIO chain. This causes a "use after free" when the
+BIO is eventually freed.
+
+Based on an original patch by Viktor Dukhovni and an idea from Theo
+Buehler.
+
+Thanks to Octavio Galland for reporting this issue.
+
+REF: https://github.com/openssl/openssl/commit/c3829dd8825c654652201e16f8a0a0c46ee3f344
+Signed-off-by: chenhuiying <chenhuiying4@huawei.com>
+---
+ .../OpensslLib/openssl/crypto/asn1/bio_ndef.c | 39 +++++++++++++++----
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c
+index 6222c99..cf52468 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c
+@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
+ static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
+                             void *parg);
+ 
++/*
++ * On success, the returned BIO owns the input BIO as part of its BIO chain.
++ * On failure, NULL is returned and the input BIO is owned by the caller.
++ *
++ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
++ */
+ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+ {
+     NDEF_SUPPORT *ndef_aux = NULL;
+     BIO *asn_bio = NULL;
+     const ASN1_AUX *aux = it->funcs;
+     ASN1_STREAM_ARG sarg;
++    BIO *pop_bio = NULL;
+ 
+     if (!aux || !aux->asn1_cb) {
+         ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
+@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+     out = BIO_push(asn_bio, out);
+     if (out == NULL)
+         goto err;
++    pop_bio = asn_bio;
+ 
+-    BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
+-    BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
++    if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
++            || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
++            || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
++        goto err;
+ 
+     /*
+-     * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
+-     * needs.
++     * Now let the callback prepend any digest, cipher, etc., that the BIO's
++     * ASN1 structure needs.
+      */
+ 
+     sarg.out = out;
+     sarg.ndef_bio = NULL;
+     sarg.boundary = NULL;
+ 
+-    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
++    /*
++     * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
++     * middle of some partially built, but not returned BIO chain.
++     */
++    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
++        /*
++         * ndef_aux is now owned by asn_bio so we must not free it in the err
++         * clean up block
++         */
++        ndef_aux = NULL;
+         goto err;
++    }
++
++    /*
++     * We must not fail now because the callback has prepended additional
++     * BIOs to the chain
++     */
+ 
+     ndef_aux->val = val;
+     ndef_aux->it = it;
+@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+     ndef_aux->boundary = sarg.boundary;
+     ndef_aux->out = out;
+ 
+-    BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
+-
+     return sarg.ndef_bio;
+ 
+  err:
++    /* BIO_pop() is NULL safe */
++    (void)BIO_pop(pop_bio);
+     BIO_free(asn_bio);
+     OPENSSL_free(ndef_aux);
+     return NULL;
+-- 
+2.27.0
+

0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch

@@ -0,0 +1,79 @@
+From cb81a80d059f41b0930fcc36c36a155244f3873a Mon Sep 17 00:00:00 2001
+From: chenhuiying <chenhuiying4@huawei.com>
+Date: Sat, 25 Feb 2023 16:18:41 +0800
+Subject: [PATCH] Check CMS failure during BIO setup with -stream is handled correctly
+
+Test for the issue fixed in the previous commit
+
+REF:https://github.com/openssl/openssl/commit/f040f2577891d2bdb7610566c172233844cf673a
+Signed-off-by: chenhuiying <chenhuiying4@huawei.com>
+---
+ .../openssl/test/recipes/80-test_cms.t         | 15 +++++++++++++--
+ .../openssl/test/smime-certs/badrsa.pem        | 18 ++++++++++++++++++
+ 2 files changed, 31 insertions(+), 2 deletions(-)
+ create mode 100644 CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t
+index 5dc6a3a..ec11bfc 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t
++++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t
+@@ -13,7 +13,7 @@ use warnings;
+ use POSIX;
+ use File::Spec::Functions qw/catfile/;
+ use File::Compare qw/compare_text/;
+-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
++use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/;
+ use OpenSSL::Test::Utils;
+ 
+ setup("test_cms");
+@@ -27,7 +27,7 @@ my $smcont   = srctop_file("test", "smcont.txt");
+ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
+     = disabled qw/des dh dsa ec ec2m rc2 zlib/;
+ 
+-plan tests => 6;
++plan tests => 7;
+ 
+ my @smime_pkcs7_tests = (
+ 
+@@ -584,3 +584,14 @@ sub check_availability {
+ 
+     return "";
+ }
++
++# Check that we get the expected failure return code
++with({ exit_checker => sub { return shift == 6; } },
++    sub {
++        ok(run(app(['openssl', 'cms', '-encrypt',
++                    '-in', srctop_file("test", "smcont.txt"),
++                    '-stream', '-recip',
++                    srctop_file("test/smime-certs", "badrsa.pem"),
++                   ])),
++            "Check failure during BIO setup with -stream is handled correctly");
++    });
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem
+new file mode 100644
+index 0000000..f824fc2
+--- /dev/null
++++ b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem
+@@ -0,0 +1,18 @@
++-----BEGIN CERTIFICATE-----
++MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD
++VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY
++DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN
++AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw
++I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A
++/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s
++yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0
++zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB
++lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww
++CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm
++ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW
++eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt
++5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d
++rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv
++yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/
++j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg=
++-----END CERTIFICATE-----
+-- 
+2.27.0
+

edk2.spec

@@ -5,7 +5,7 @@
 
 Name: edk2
 Version: %{stable_date}
-Release: 9
+Release: 10
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent
 URL: https://github.com/tianocore/edk2
@@ -45,6 +45,9 @@ Patch0021: 0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch
 Patch0022: 0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch
 Patch0023: 0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch
 Patch0024: 0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch
+Patch0025: 0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
+Patch0026: 0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch
+
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command
 
 %description
@@ -245,6 +248,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 
 %changelog
+* Sun Feb 26 2023 chenhuiying<chenhuiying4@huawei.com> - 202011-10
+- fix CVE-2023-0215
+
 * Sat Feb 25 2023 shaodenghui<shaodenghui@huawei.com> - 202011-9
 - fix CVE-2023-0401