ovmf: Fix CVE-2022-36764

EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage()
function, allowing a user to trigger a heap buffer overflow via a local
network. Successful exploitation of this vulnerability may result in a
compromise of confidentiality, integrity, and/or availability.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-36764

Upstream-patches:
https://github.com/tianocore/edk2/commit/c7b27944218130cca3bbb20314ba5b88b5de4aa4
https://github.com/tianocore/edk2/commit/0d341c01eeabe0ab5e76693b36e728b8f538a40e
https://github.com/tianocore/edk2/commit/8f6d343ae639fba8e4b80e45257275e23083431f

(From OE-Core rev: aba14824159e549fd77cb90e3a9a327c527b366f)

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

meta/recipes-core/ovmf/ovmf/CVE-2022-36764-0001.patch

@@ -0,0 +1,271 @@
+From c7b27944218130cca3bbb20314ba5b88b5de4aa4 Mon Sep 17 00:00:00 2001
+From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
+Date: Fri, 12 Jan 2024 02:16:04 +0800
+Subject: [PATCH] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE
+  2022-36764
+
+This commit contains the patch files and tests for DxeTpm2MeasureBootLib
+CVE 2022-36764.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+CVE: CVE-2022-36764
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/c7b27944218130cca3bbb20314ba5b88b5de4aa4]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../DxeTpm2MeasureBootLib.c                   | 12 ++--
+ .../DxeTpm2MeasureBootLibSanitization.c       | 46 +++++++++++++-
+ .../DxeTpm2MeasureBootLibSanitization.h       | 28 ++++++++-
+ .../DxeTpm2MeasureBootLibSanitizationTest.c   | 60 ++++++++++++++++---
+ 4 files changed, 131 insertions(+), 15 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+index 0475103d6e..714cc8e03e 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+@@ -378,7 +378,6 @@ Exit:
+   @retval EFI_OUT_OF_RESOURCES   No enough resource to measure image.
+   @retval EFI_UNSUPPORTED        ImageType is unsupported or PE image is mal-format.
+   @retval other error value
+-
+ **/
+ EFI_STATUS
+ EFIAPI
+@@ -405,6 +404,7 @@ Tcg2MeasurePeImage (
+   Status    = EFI_UNSUPPORTED;
+   ImageLoad = NULL;
+   EventPtr  = NULL;
++  Tcg2Event = NULL;
+ 
+   Tcg2Protocol = MeasureBootProtocols->Tcg2Protocol;
+   CcProtocol   = MeasureBootProtocols->CcProtocol;
+@@ -420,18 +420,22 @@ Tcg2MeasurePeImage (
+   }
+ 
+   FilePathSize = (UINT32)GetDevicePathSize (FilePath);
++  Status       = SanitizePeImageEventSize (FilePathSize, &EventSize);
++  if (EFI_ERROR (Status)) {
++    return EFI_UNSUPPORTED;
++  }
+ 
+   //
+   // Determine destination PCR by BootPolicy
+   //
+-  EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
+-  EventPtr  = AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event));
++  // from a malicious GPT disk partition
++  EventPtr = AllocateZeroPool (EventSize);
+   if (EventPtr == NULL) {
+     return EFI_OUT_OF_RESOURCES;
+   }
+ 
+   Tcg2Event                       = (EFI_TCG2_EVENT *)EventPtr;
+-  Tcg2Event->Size                 = EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event);
++  Tcg2Event->Size                 = EventSize;
+   Tcg2Event->Header.HeaderSize    = sizeof (EFI_TCG2_EVENT_HEADER);
+   Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
+   ImageLoad                       = (EFI_IMAGE_LOAD_EVENT *)Tcg2Event->Event;
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+index e2309655d3..2a4d52c6d5 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+@@ -151,7 +151,7 @@ SanitizeEfiPartitionTableHeader (
+ }
+ 
+ /**
+-  This function will validate that the allocation size from the primary header is sane
++ This function will validate that the allocation size from the primary header is sane
+   It will check the following:
+     - AllocationSize does not overflow
+ 
+@@ -273,3 +273,47 @@ SanitizePrimaryHeaderGptEventSize (
+ 
+   return EFI_SUCCESS;
+ }
++
++/**
++  This function will validate that the PeImage Event Size from the loaded image is sane
++  It will check the following:
++    - EventSize does not overflow
++
++  @param[in] FilePathSize - Size of the file path.
++  @param[out] EventSize - Pointer to the event size.
++
++  @retval EFI_SUCCESS
++    The event size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    Overflow would have occurred.
++
++  @retval EFI_INVALID_PARAMETER
++    One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePeImageEventSize (
++  IN  UINT32  FilePathSize,
++  OUT UINT32  *EventSize
++  )
++{
++  EFI_STATUS  Status;
++
++  // Replacing logic:
++  // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
++  Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  // Replacing logic:
++  // EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)
++  Status = SafeUint32Add (*EventSize, OFFSET_OF (EFI_TCG2_EVENT, Event), EventSize);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  return EFI_SUCCESS;
++}
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+index 048b738987..8f72ba4240 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+@@ -9,6 +9,9 @@
+   Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse
+   partition data carefully.
+ 
++  Tcg2MeasurePeImage() function will accept untrusted PE/COFF image and validate its
++  data structure within this image buffer before use.
++
+   Copyright (c) Microsoft Corporation.<BR>
+   SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+@@ -110,4 +113,27 @@ SanitizePrimaryHeaderGptEventSize (
+   OUT UINT32                            *EventSize
+   );
+ 
+-#endif // DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_
++/**
++  This function will validate that the PeImage Event Size from the loaded image is sane
++  It will check the following:
++    - EventSize does not overflow
++
++  @param[in] FilePathSize - Size of the file path.
++  @param[out] EventSize - Pointer to the event size.
++
++  @retval EFI_SUCCESS
++    The event size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    Overflow would have occurred.
++
++  @retval EFI_INVALID_PARAMETER
++    One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePeImageEventSize (
++  IN  UINT32  FilePathSize,
++  OUT UINT32  *EventSize
++  );
++
++#endif // DXE_TPM2_MEASURE_BOOT_LIB_VALIDATION_
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+index 3eb9763e3c..820e99aeb9 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+@@ -72,10 +72,10 @@ TestSanitizeEfiPartitionTableHeader (
+   PrimaryHeader.Header.Revision          = DEFAULT_PRIMARY_TABLE_HEADER_REVISION;
+   PrimaryHeader.Header.HeaderSize        = sizeof (EFI_PARTITION_TABLE_HEADER);
+   PrimaryHeader.MyLBA                    = 1;
+-  PrimaryHeader.AlternateLBA             = 2;
+-  PrimaryHeader.FirstUsableLBA           = 3;
+-  PrimaryHeader.LastUsableLBA            = 4;
+-  PrimaryHeader.PartitionEntryLBA        = 5;
++  PrimaryHeader.PartitionEntryLBA        = 2;
++  PrimaryHeader.AlternateLBA             = 3;
++  PrimaryHeader.FirstUsableLBA           = 4;
++  PrimaryHeader.LastUsableLBA            = 5;
+   PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES;
+   PrimaryHeader.SizeOfPartitionEntry     = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+   PrimaryHeader.PartitionEntryArrayCRC32 = 0; // Purposely invalid
+@@ -187,11 +187,6 @@ TestSanitizePrimaryHeaderGptEventSize (
+   EFI_STATUS                  Status;
+   EFI_PARTITION_TABLE_HEADER  PrimaryHeader;
+   UINTN                       NumberOfPartition;
+-  EFI_GPT_DATA                *GptData;
+-  EFI_TCG2_EVENT              *Tcg2Event;
+-
+-  Tcg2Event = NULL;
+-  GptData   = NULL;
+ 
+   // Test that a normal PrimaryHeader passes validation
+   PrimaryHeader.NumberOfPartitionEntries = 5;
+@@ -225,6 +220,52 @@ TestSanitizePrimaryHeaderGptEventSize (
+   return UNIT_TEST_PASSED;
+ }
+ 
++/**
++  This function tests the SanitizePeImageEventSize function.
++  It's intent is to test that the untrusted input from a file path when generating a
++  EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating
++  the event size when allocating space
++
++  @param[in] Context  The unit test context.
++
++  @retval UNIT_TEST_PASSED  The test passed.
++  @retval UNIT_TEST_ERROR_TEST_FAILED  The test failed.
++**/
++UNIT_TEST_STATUS
++EFIAPI
++TestSanitizePeImageEventSize (
++  IN UNIT_TEST_CONTEXT  Context
++  )
++{
++  UINT32      EventSize;
++  UINTN       ExistingLogicEventSize;
++  UINT32      FilePathSize;
++  EFI_STATUS  Status;
++
++  FilePathSize = 255;
++
++  // Test that a normal PE image passes validation
++  Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
++  UT_ASSERT_EQUAL (Status, EFI_SUCCESS);
++
++  // Test that the event size is correct compared to the existing logic
++  ExistingLogicEventSize  = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize;
++  ExistingLogicEventSize += OFFSET_OF (EFI_TCG2_EVENT, Event);
++
++  if (EventSize != ExistingLogicEventSize) {
++    UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. Expected %u, got %u\n", ExistingLogicEventSize, EventSize);
++    return UNIT_TEST_ERROR_TEST_FAILED;
++  }
++
++  // Test that the event size may not overflow
++  Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
++  UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
++
++  DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
++
++  return UNIT_TEST_PASSED;
++}
++
+ // *--------------------------------------------------------------------*
+ // *  Unit Test Code Main Function
+ // *--------------------------------------------------------------------*
+@@ -267,6 +308,7 @@ UefiTestMain (
+   AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.Tcg2MeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
+   AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
+   AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
++  AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL);
+ 
+   Status = RunAllTestSuites (Framework);
+ 
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2022-36764-0002.patch

@@ -0,0 +1,281 @@
+From 0d341c01eeabe0ab5e76693b36e728b8f538a40e Mon Sep 17 00:00:00 2001
+From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
+Date: Fri, 12 Jan 2024 02:16:05 +0800
+Subject: [PATCH] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 
+ 2022-36764
+
+This commit contains the patch files and tests for DxeTpmMeasureBootLib
+CVE 2022-36764.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+CVE: CVE-2022-36764
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/0d341c01eeabe0ab5e76693b36e728b8f538a40e]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../DxeTpmMeasureBootLib.c                    | 13 ++-
+ .../DxeTpmMeasureBootLibSanitization.c        | 44 +++++++++
+ .../DxeTpmMeasureBootLibSanitization.h        | 23 +++++
+ .../DxeTpmMeasureBootLibSanitizationTest.c    | 98 +++++++++++++++++--
+ 4 files changed, 168 insertions(+), 10 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+index 669ab19134..a9fc440a09 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+@@ -17,6 +17,7 @@
+ 
+ Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
++Copyright (c) Microsoft Corporation.<BR>
+ 
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+@@ -345,18 +346,22 @@ TcgMeasurePeImage (
+   ImageLoad     = NULL;
+   SectionHeader = NULL;
+   Sha1Ctx       = NULL;
++  TcgEvent      = NULL;
+   FilePathSize  = (UINT32)GetDevicePathSize (FilePath);
+ 
+-  //
+   // Determine destination PCR by BootPolicy
+   //
+-  EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
+-  TcgEvent  = AllocateZeroPool (EventSize + sizeof (TCG_PCR_EVENT));
++  Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
++  if (EFI_ERROR (Status)) {
++    return EFI_UNSUPPORTED;
++  }
++
++  TcgEvent = AllocateZeroPool (EventSize);
+   if (TcgEvent == NULL) {
+     return EFI_OUT_OF_RESOURCES;
+   }
+ 
+-  TcgEvent->EventSize = EventSize;
++  TcgEvent->EventSize = EventSize - sizeof (TCG_PCR_EVENT_HDR);
+   ImageLoad           = (EFI_IMAGE_LOAD_EVENT *)TcgEvent->Event;
+ 
+   switch (ImageType) {
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+index a3fa46f5e6..c989851cec 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+@@ -239,3 +239,47 @@ SanitizePrimaryHeaderGptEventSize (
+ 
+   return EFI_SUCCESS;
+ }
++
++/**
++  This function will validate that the PeImage Event Size from the loaded image is sane
++  It will check the following:
++    - EventSize does not overflow
++
++  @param[in] FilePathSize - Size of the file path.
++  @param[out] EventSize - Pointer to the event size.
++
++  @retval EFI_SUCCESS
++    The event size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    Overflow would have occurred.
++
++  @retval EFI_INVALID_PARAMETER
++    One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePeImageEventSize (
++  IN  UINT32  FilePathSize,
++  OUT UINT32  *EventSize
++  )
++{
++  EFI_STATUS  Status;
++
++  // Replacing logic:
++  // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
++  Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  // Replacing logic:
++  // EventSize + sizeof (TCG_PCR_EVENT_HDR)
++  Status = SafeUint32Add (*EventSize, sizeof (TCG_PCR_EVENT_HDR), EventSize);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  return EFI_SUCCESS;
++}
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+index 0d9d00c281..2248495813 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+@@ -111,4 +111,27 @@ SanitizePrimaryHeaderGptEventSize (
+   OUT UINT32                            *EventSize
+   );
+ 
++/**
++  This function will validate that the PeImage Event Size from the loaded image is sane
++  It will check the following:
++    - EventSize does not overflow
++
++  @param[in] FilePathSize - Size of the file path.
++  @param[out] EventSize - Pointer to the event size.
++
++  @retval EFI_SUCCESS
++    The event size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    Overflow would have occurred.
++
++  @retval EFI_INVALID_PARAMETER
++    One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePeImageEventSize (
++  IN  UINT32  FilePathSize,
++  OUT UINT32  *EventSize
++  );
++
+ #endif // DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+index eeb928cdb0..c41498be45 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+@@ -1,8 +1,8 @@
+ /** @file
+-This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
++  This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
+ 
+-Copyright (c) Microsoft Corporation.<BR>
+-SPDX-License-Identifier: BSD-2-Clause-Patent
++  Copyright (c) Microsoft Corporation.<BR>
++  SPDX-License-Identifier: BSD-2-Clause-Patent
+ **/
+ 
+ #include <Uefi.h>
+@@ -186,9 +186,6 @@ TestSanitizePrimaryHeaderGptEventSize (
+   EFI_STATUS                  Status;
+   EFI_PARTITION_TABLE_HEADER  PrimaryHeader;
+   UINTN                       NumberOfPartition;
+-  EFI_GPT_DATA                *GptData;
+-
+-  GptData = NULL;
+ 
+   // Test that a normal PrimaryHeader passes validation
+   PrimaryHeader.NumberOfPartitionEntries = 5;
+@@ -222,6 +219,94 @@ TestSanitizePrimaryHeaderGptEventSize (
+   return UNIT_TEST_PASSED;
+ }
+ 
++/**
++  This function tests the SanitizePeImageEventSize function.
++  It's intent is to test that the untrusted input from a file path for an
++  EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating
++  the event size when allocating space.
++
++  @param[in] Context  The unit test context.
++
++  @retval UNIT_TEST_PASSED  The test passed.
++  @retval UNIT_TEST_ERROR_TEST_FAILED  The test failed.
++**/
++UNIT_TEST_STATUS
++EFIAPI
++TestSanitizePeImageEventSize (
++  IN UNIT_TEST_CONTEXT  Context
++  )
++{
++  UINT32                    EventSize;
++  UINTN                     ExistingLogicEventSize;
++  UINT32                    FilePathSize;
++  EFI_STATUS                Status;
++  EFI_DEVICE_PATH_PROTOCOL  DevicePath;
++  EFI_IMAGE_LOAD_EVENT      *ImageLoadEvent;
++  UNIT_TEST_STATUS          TestStatus;
++
++  TestStatus = UNIT_TEST_ERROR_TEST_FAILED;
++
++  // Generate EFI_DEVICE_PATH_PROTOCOL test data
++  DevicePath.Type      = 0;
++  DevicePath.SubType   = 0;
++  DevicePath.Length[0] = 0;
++  DevicePath.Length[1] = 0;
++
++  // Generate EFI_IMAGE_LOAD_EVENT test data
++  ImageLoadEvent = AllocateZeroPool (sizeof (EFI_IMAGE_LOAD_EVENT) + sizeof (EFI_DEVICE_PATH_PROTOCOL));
++  if (ImageLoadEvent == NULL) {
++    DEBUG ((DEBUG_ERROR, "%a: AllocateZeroPool failed\n", __func__));
++    goto Exit;
++  }
++
++  // Populate EFI_IMAGE_LOAD_EVENT54 test data
++  ImageLoadEvent->ImageLocationInMemory = (EFI_PHYSICAL_ADDRESS)0x12345678;
++  ImageLoadEvent->ImageLengthInMemory   = 0x1000;
++  ImageLoadEvent->ImageLinkTimeAddress  = (UINTN)ImageLoadEvent;
++  ImageLoadEvent->LengthOfDevicePath    = sizeof (EFI_DEVICE_PATH_PROTOCOL);
++  CopyMem (ImageLoadEvent->DevicePath, &DevicePath, sizeof (EFI_DEVICE_PATH_PROTOCOL));
++
++  FilePathSize = 255;
++
++  // Test that a normal PE image passes validation
++  Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
++  if (EFI_ERROR (Status)) {
++    UT_LOG_ERROR ("SanitizePeImageEventSize failed with %r\n", Status);
++    goto Exit;
++  }
++
++  // Test that the event size is correct compared to the existing logic
++  ExistingLogicEventSize  = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize;
++  ExistingLogicEventSize += sizeof (TCG_PCR_EVENT_HDR);
++
++  if (EventSize != ExistingLogicEventSize) {
++    UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. Expected %u, got %u\n", ExistingLogicEventSize, EventSize);
++    goto Exit;
++  }
++
++  // Test that the event size may not overflow
++  Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
++  if (Status != EFI_BAD_BUFFER_SIZE) {
++    UT_LOG_ERROR ("SanitizePeImageEventSize succeded when it was supposed to fail with %r\n", Status);
++    goto Exit;
++  }
++
++  TestStatus = UNIT_TEST_PASSED;
++Exit:
++
++  if (ImageLoadEvent != NULL) {
++    FreePool (ImageLoadEvent);
++  }
++
++  if (TestStatus == UNIT_TEST_ERROR_TEST_FAILED) {
++    DEBUG ((DEBUG_ERROR, "%a: Test failed\n", __func__));
++  } else {
++    DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
++  }
++
++  return TestStatus;
++}
++
+ // *--------------------------------------------------------------------*
+ // *  Unit Test Code Main Function
+ // *--------------------------------------------------------------------*
+@@ -265,6 +350,7 @@ UefiTestMain (
+   AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.TcgMeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
+   AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
+   AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
++  AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL);
+ 
+   Status = RunAllTestSuites (Framework);
+ 
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2022-36764-0003.patch

@@ -0,0 +1,48 @@
+From 8f6d343ae639fba8e4b80e45257275e23083431f Mon Sep 17 00:00:00 2001
+From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
+Date: Fri, 12 Jan 2024 02:16:06 +0800
+Subject: [PATCH] SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml
+
+This creates / adds a security file that tracks the security fixes
+found in this package and can be used to find the fixes that were
+applied.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+CVE: CVE-2022-36764
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/8f6d343ae639fba8e4b80e45257275e23083431f]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ SecurityPkg/SecurityFixes.yaml | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
+index f9e3e7be74..833fb827a9 100644
+--- a/SecurityPkg/SecurityFixes.yaml
++++ b/SecurityPkg/SecurityFixes.yaml
+@@ -20,3 +20,17 @@ CVE_2022_36763:
+   - https://bugzilla.tianocore.org/show_bug.cgi?id=4117
+   - https://bugzilla.tianocore.org/show_bug.cgi?id=2168
+   - https://bugzilla.tianocore.org/show_bug.cgi?id=1990
++CVE_2022_36764:
++  commit_titles:
++     - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764"
++     - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764"
++     - "SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml"
++  cve: CVE-2022-36764
++  date_reported: 2022-10-25 12:23 UTC
++  description: Heap Buffer Overflow in Tcg2MeasurePeImage()
++  note:
++  files_impacted:
++  - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
++  - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
++  links:
++  - https://bugzilla.tianocore.org/show_bug.cgi?id=4118
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf_git.bb

@@ -30,6 +30,9 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
            file://CVE-2022-36763-0001.patch \
            file://CVE-2022-36763-0002.patch \
            file://CVE-2022-36763-0003.patch \
+           file://CVE-2022-36764-0001.patch \
+           file://CVE-2022-36764-0002.patch \
+           file://CVE-2022-36764-0003.patch \
            "
 
 PV = "edk2-stable202202"