ovmf: fix CVE-2024-38798

According to [1],

  EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of
  Sensitive Information to an Unauthorized Actor” by local access. Successful
  exploitation of this vulnerability will lead to possible information disclosure
  or escalation of privilege and impact Confidentiality.

Backport a patch [2] from upstream to fix CVE-2024-38798

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-38798
[2] https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249

(From OE-Core rev: ed444adf325d3a985ed8f9ae0a009ecbaf67c3fd)

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>

meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch

@@ -0,0 +1,116 @@
+From 81263e46ad8cf2a6c7d86bc51c95342d07ec31ca Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Mon, 5 Jan 2026 13:04:18 +0800
+Subject: [PATCH] MdeModulePkg : Clear keyboard queue buffer after reading
+
+There is a possibility to retrieve user input keystroke data stored in the
+queue buffer via the EFI_SIMPLE_TEXT_INPUT_PROTOCOL pointer. To prevent
+exposure of the password string, clear the queue buffer by filling it
+with zeros after reading.
+
+Signed-off-by: Nick Wang <nick.wang@insyde.com>
+
+CVE: CVE-2024-38798
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c       | 2 ++
+ MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c        | 1 +
+ MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c                  | 2 +-
+ .../Universal/Console/ConSplitterDxe/ConSplitter.c        | 1 +
+ .../Universal/Console/TerminalDxe/TerminalConIn.c         | 8 ++++++--
+ 5 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
+index 981309f..32757a7 100644
+--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
+@@ -650,6 +650,8 @@ PopScancodeBufHead (
+     if (Buf != NULL) {
+       Buf[Index] = Queue->Buffer[Queue->Head];
+     }
++
++    Queue->Buffer[Queue->Head] = 0;
+   }
+ 
+   return EFI_SUCCESS;
+diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
+index 81d3c6e..e03c88f 100644
+--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
+@@ -51,6 +51,7 @@ PopEfikeyBufHead (
+     CopyMem (KeyData, &Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
+   }
+ 
++  ZeroMem (&Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
+   Queue->Head = (Queue->Head + 1) % KEYBOARD_EFI_KEY_MAX_COUNT;
+   return EFI_SUCCESS;
+ }
+diff --git a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
+index b5a6459..7df1566 100644
+--- a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
++++ b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
+@@ -1840,7 +1840,7 @@ Dequeue (
+   }
+ 
+   CopyMem (Item, Queue->Buffer[Queue->Head], ItemSize);
+-
++  ZeroMem (Queue->Buffer[Queue->Head], ItemSize);
+   //
+   // Adjust the head pointer of the FIFO keyboard buffer.
+   //
+diff --git a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
+index 0a776f3..5c1a35e 100644
+--- a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
++++ b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
+@@ -3537,6 +3537,7 @@ ConSplitterTextInExDequeueKey (
+     &Private->KeyQueue[1],
+     Private->CurrentNumberOfKeys * sizeof (EFI_KEY_DATA)
+     );
++  ZeroMem (&Private->KeyQueue[Private->CurrentNumberOfKeys], sizeof (EFI_KEY_DATA));
+   return EFI_SUCCESS;
+ }
+ 
+diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
+index f1d0a34..8aafb4b 100644
+--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
+@@ -760,7 +760,8 @@ RawFiFoRemoveOneKey (
+     return FALSE;
+   }
+ 
+-  *Output = TerminalDevice->RawFiFo->Data[Head];
++  *Output                             = TerminalDevice->RawFiFo->Data[Head];
++  TerminalDevice->RawFiFo->Data[Head] = 0;
+ 
+   TerminalDevice->RawFiFo->Head = (UINT8)((Head + 1) % (RAW_FIFO_MAX_NUMBER + 1));
+ 
+@@ -881,6 +882,7 @@ EfiKeyFiFoForNotifyRemoveOneKey (
+   }
+ 
+   CopyMem (Output, &EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
++  ZeroMem (&EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
+ 
+   EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
+ 
+@@ -1032,6 +1034,7 @@ EfiKeyFiFoRemoveOneKey (
+   }
+ 
+   CopyMem (Output, &TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
++  ZeroMem (&TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
+ 
+   TerminalDevice->EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
+ 
+@@ -1142,7 +1145,8 @@ UnicodeFiFoRemoveOneKey (
+   Head = TerminalDevice->UnicodeFiFo->Head;
+   ASSERT (Head < FIFO_MAX_NUMBER + 1);
+ 
+-  *Output = TerminalDevice->UnicodeFiFo->Data[Head];
++  *Output                                 = TerminalDevice->UnicodeFiFo->Data[Head];
++  TerminalDevice->UnicodeFiFo->Data[Head] = 0;
+ 
+   TerminalDevice->UnicodeFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
+ }
+-- 
+2.34.1
+

meta/recipes-core/ovmf/ovmf_git.bb

@@ -39,6 +39,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
            file://CVE-2025-2296-7.patch \
            file://CVE-2025-2296-8.patch \
            file://CVE-2025-2296-9.patch \
+           file://CVE-2024-38798.patch \
            "
 
 PV = "edk2-stable202402"