build-appliance-image: Update to kirkstone head revision

(From OE-Core rev: a270d4c957259761bcc7382fcc54642a02f9fc7d)

Signed-off-by: Steve Sakoman <steve@sakoman.com>

bitbake/lib/bb/fetch2/__init__.py

@@ -498,30 +498,30 @@ def fetcher_init(d):
     Calls before this must not hit the cache.
     """
 
-    revs = bb.persist_data.persist('BB_URI_HEADREVS', d)
-    try:
-        # fetcher_init is called multiple times, so make sure we only save the
-        # revs the first time it is called.
-        if not bb.fetch2.saved_headrevs:
-            bb.fetch2.saved_headrevs = dict(revs)
-    except:
-        pass
+    with bb.persist_data.persist('BB_URI_HEADREVS', d) as revs:
+        try:
+            # fetcher_init is called multiple times, so make sure we only save the
+            # revs the first time it is called.
+            if not bb.fetch2.saved_headrevs:
+                bb.fetch2.saved_headrevs = dict(revs)
+        except:
+            pass
 
-    # When to drop SCM head revisions controlled by user policy
-    srcrev_policy = d.getVar('BB_SRCREV_POLICY') or "clear"
-    if srcrev_policy == "cache":
-        logger.debug("Keeping SRCREV cache due to cache policy of: %s", srcrev_policy)
-    elif srcrev_policy == "clear":
-        logger.debug("Clearing SRCREV cache due to cache policy of: %s", srcrev_policy)
-        revs.clear()
-    else:
-        raise FetchError("Invalid SRCREV cache policy of: %s" % srcrev_policy)
+        # When to drop SCM head revisions controlled by user policy
+        srcrev_policy = d.getVar('BB_SRCREV_POLICY') or "clear"
+        if srcrev_policy == "cache":
+            logger.debug("Keeping SRCREV cache due to cache policy of: %s", srcrev_policy)
+        elif srcrev_policy == "clear":
+            logger.debug("Clearing SRCREV cache due to cache policy of: %s", srcrev_policy)
+            revs.clear()
+        else:
+            raise FetchError("Invalid SRCREV cache policy of: %s" % srcrev_policy)
 
-    _checksum_cache.init_cache(d)
+        _checksum_cache.init_cache(d)
 
-    for m in methods:
-        if hasattr(m, "init"):
-            m.init(d)
+        for m in methods:
+            if hasattr(m, "init"):
+                m.init(d)
 
 def fetcher_parse_save():
     _checksum_cache.save_extras()
@@ -535,8 +535,8 @@ def fetcher_compare_revisions(d):
     when bitbake was started and return true if they have changed.
     """
 
-    headrevs = dict(bb.persist_data.persist('BB_URI_HEADREVS', d))
-    return headrevs != bb.fetch2.saved_headrevs
+    with dict(bb.persist_data.persist('BB_URI_HEADREVS', d)) as headrevs:
+        return headrevs != bb.fetch2.saved_headrevs
 
 def mirror_from_string(data):
     mirrors = (data or "").replace('\\n',' ').split()
@@ -1618,13 +1618,13 @@ class FetchMethod(object):
         if not hasattr(self, "_latest_revision"):
             raise ParameterError("The fetcher for this URL does not support _latest_revision", ud.url)
 
-        revs = bb.persist_data.persist('BB_URI_HEADREVS', d)
-        key = self.generate_revision_key(ud, d, name)
-        try:
-            return revs[key]
-        except KeyError:
-            revs[key] = rev = self._latest_revision(ud, d, name)
-            return rev
+        with bb.persist_data.persist('BB_URI_HEADREVS', d) as revs:
+            key = self.generate_revision_key(ud, d, name)
+            try:
+                return revs[key]
+            except KeyError:
+                revs[key] = rev = self._latest_revision(ud, d, name)
+                return rev
 
     def sortable_revision(self, ud, d, name):
         latest_rev = self._build_revision(ud, d, name)

bitbake/lib/bb/fetch2/wget.py

@@ -88,7 +88,7 @@ class Wget(FetchMethod):
         if not ud.localfile:
             ud.localfile = d.expand(urllib.parse.unquote(ud.host + ud.path).replace("/", "."))
 
-        self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30"
+        self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 100"
 
         if ud.type == 'ftp' or ud.type == 'ftps':
             self.basecmd += " --passive-ftp"
@@ -365,7 +365,7 @@ class Wget(FetchMethod):
                 except (TypeError, ImportError, IOError, netrc.NetrcParseError):
                     pass
 
-                with opener.open(r, timeout=30) as response:
+                with opener.open(r, timeout=100) as response:
                     pass
             except urllib.error.URLError as e:
                 if try_again:

bitbake/lib/bb/persist_data.py

@@ -154,6 +154,7 @@ class SQLTable(collections.abc.MutableMapping):
 
     def __exit__(self, *excinfo):
         self.connection.__exit__(*excinfo)
+        self.connection.close()
 
     @_Decorators.retry()
     @_Decorators.transaction

documentation/brief-yoctoprojectqs/index.rst

@@ -78,7 +78,7 @@ You must install essential host packages on your build host. The
 following command installs the host packages based on an Ubuntu
 distribution::
 
-   $ sudo apt install &UBUNTU_HOST_PACKAGES_ESSENTIAL;
+   $ sudo apt install &UBUNTU_DEBIAN_HOST_PACKAGES_ESSENTIAL;
 
 .. note::
 

documentation/contributor-guide/submit-changes.rst

@@ -65,6 +65,13 @@ use to identify your commits::
    git config --global user.name "Ada Lovelace"
    git config --global user.email "ada.lovelace@gmail.com"
 
+By default, Git adds a signature line at the end of patches containing the Git
+version. We suggest to remove it as it doesn't add useful information.
+
+Remove it with the following command::
+
+   git config --global format.signature ""
+
 Clone the Git repository for the component to modify
 ----------------------------------------------------
 

documentation/dev-manual/index.rst

@@ -39,7 +39,6 @@ Yocto Project Development Tasks Manual
    external-scm
    read-only-rootfs
    build-quality
-   runtime-testing
    debugging
    licenses
    security-subjects

documentation/dev-manual/packages.rst

@@ -16,7 +16,7 @@ This section describes a few tasks that involve packages:
 -  :ref:`dev-manual/packages:generating and using signed packages`
 
 -  :ref:`Setting up and running package test
-   (ptest) <dev-manual/packages:testing packages with ptest>`
+   (ptest) <test-manual/ptest:testing packages with ptest>`
 
 -  :ref:`dev-manual/packages:creating node package manager (npm) packages`
 
@@ -887,114 +887,8 @@ related to signed package feeds are available:
 Testing Packages With ptest
 ===========================
 
-A Package Test (ptest) runs tests against packages built by the
-OpenEmbedded build system on the target machine. A ptest contains at
-least two items: the actual test, and a shell script (``run-ptest``)
-that starts the test. The shell script that starts the test must not
-contain the actual test --- the script only starts the test. On the other
-hand, the test can be anything from a simple shell script that runs a
-binary and checks the output to an elaborate system of test binaries and
-data files.
-
-The test generates output in the format used by Automake::
-
-   result: testname
-
-where the result can be ``PASS``, ``FAIL``, or ``SKIP``, and
-the testname can be any identifying string.
-
-For a list of Yocto Project recipes that are already enabled with ptest,
-see the :yocto_wiki:`Ptest </Ptest>` wiki page.
-
-.. note::
-
-   A recipe is "ptest-enabled" if it inherits the :ref:`ref-classes-ptest`
-   class.
-
-Adding ptest to Your Build
---------------------------
-
-To add package testing to your build, add the :term:`DISTRO_FEATURES` and
-:term:`EXTRA_IMAGE_FEATURES` variables to your ``local.conf`` file, which
-is found in the :term:`Build Directory`::
-
-   DISTRO_FEATURES:append = " ptest"
-   EXTRA_IMAGE_FEATURES += "ptest-pkgs"
-
-Once your build is complete, the ptest files are installed into the
-``/usr/lib/package/ptest`` directory within the image, where ``package``
-is the name of the package.
-
-Running ptest
--------------
-
-The ``ptest-runner`` package installs a shell script that loops through
-all installed ptest test suites and runs them in sequence. Consequently,
-you might want to add this package to your image.
-
-Getting Your Package Ready
---------------------------
-
-In order to enable a recipe to run installed ptests on target hardware,
-you need to prepare the recipes that build the packages you want to
-test. Here is what you have to do for each recipe:
-
--  *Be sure the recipe inherits the* :ref:`ref-classes-ptest` *class:*
-   Include the following line in each recipe::
-
-      inherit ptest
-
--  *Create run-ptest:* This script starts your test. Locate the
-   script where you will refer to it using
-   :term:`SRC_URI`. Here is an
-   example that starts a test for ``dbus``::
-
-      #!/bin/sh
-      cd test
-      make -k runtest-TESTS
-
--  *Ensure dependencies are met:* If the test adds build or runtime
-   dependencies that normally do not exist for the package (such as
-   requiring "make" to run the test suite), use the
-   :term:`DEPENDS` and
-   :term:`RDEPENDS` variables in
-   your recipe in order for the package to meet the dependencies. Here
-   is an example where the package has a runtime dependency on "make"::
-
-      RDEPENDS:${PN}-ptest += "make"
-
--  *Add a function to build the test suite:* Not many packages support
-   cross-compilation of their test suites. Consequently, you usually
-   need to add a cross-compilation function to the package.
-
-   Many packages based on Automake compile and run the test suite by
-   using a single command such as ``make check``. However, the host
-   ``make check`` builds and runs on the same computer, while
-   cross-compiling requires that the package is built on the host but
-   executed for the target architecture (though often, as in the case
-   for ptest, the execution occurs on the host). The built version of
-   Automake that ships with the Yocto Project includes a patch that
-   separates building and execution. Consequently, packages that use the
-   unaltered, patched version of ``make check`` automatically
-   cross-compiles.
-
-   Regardless, you still must add a ``do_compile_ptest`` function to
-   build the test suite. Add a function similar to the following to your
-   recipe::
-
-      do_compile_ptest() {
-          oe_runmake buildtest-TESTS
-      }
-
--  *Ensure special configurations are set:* If the package requires
-   special configurations prior to compiling the test code, you must
-   insert a ``do_configure_ptest`` function into the recipe.
-
--  *Install the test suite:* The :ref:`ref-classes-ptest` class
-   automatically copies the file ``run-ptest`` to the target and then runs make
-   ``install-ptest`` to run the tests. If this is not enough, you need
-   to create a ``do_install_ptest`` function and make sure it gets
-   called after the "make install-ptest" completes.
+See the :ref:`test-manual/ptest:Testing Packages With ptest` section of the
+Yocto Project Test Environment Manual.
 
 Creating Node Package Manager (NPM) Packages
 ============================================

documentation/migration-guides/migration-1.5.rst

@@ -243,8 +243,8 @@ A new automated image testing framework has been added through the
 framework replaces the older ``imagetest-qemu`` framework.
 
 You can learn more about performing automated image tests in the
-":ref:`dev-manual/runtime-testing:performing automated runtime testing`"
-section in the Yocto Project Development Tasks Manual.
+":ref:`test-manual/runtime-testing:performing automated runtime testing`"
+section in the Yocto Project Test Environment Manual.
 
 .. _migration-1.5-build-history:
 

documentation/migration-guides/migration-1.6.rst

@@ -220,7 +220,7 @@ Package Test (ptest)
 
 Package Tests (ptest) are built but not installed by default. For
 information on using Package Tests, see the
-":ref:`dev-manual/packages:testing packages with ptest`"
+":ref:`test-manual/ptest:testing packages with ptest`"
 section in the Yocto Project Development Tasks Manual. For information on the
 ``ptest`` class, see the ":ref:`ref-classes-ptest`" section.
 

documentation/migration-guides/release-4.0.rst

@@ -29,4 +29,5 @@ Release 4.0 (kirkstone)
    release-notes-4.0.20
    release-notes-4.0.21
    release-notes-4.0.22
+   release-notes-4.0.23
 

documentation/migration-guides/release-notes-4.0.23.rst

@@ -0,0 +1,209 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+Release notes for Yocto-4.0.23 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.23
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  ``curl``: Fix :cve_nist:`2024-9681`
+-  ``expat``: Fix :cve_nist:`2024-50602`
+-  ``gcc``: Ignore :cve_nist:`2023-4039`
+-  ``ghostscript``: Fix :cve_nist:`2023-46361` and :cve_nist:`2024-29508`
+-  ``gstreamer1.0``: Ignore :cve_nist:`2024-0444`
+-  ``libarchive``: Fix :cve_nist:`2024-48957` and :cve_nist:`2024-48958`
+-  ``openssl``: Fix :cve_nist:`2024-9143`
+-  ``orc``: Fix :cve_nist:`2024-40897`
+-  ``python3``: Ignore :cve_nist:`2023-27043`, :cve_nist:`2024-6232` and :cve_nist:`2024-7592`
+-  ``qemu``: Fix :cve_nist:`2023-3019`
+-  ``vim``: Fix :cve_nist:`2024-43790`, :cve_nist:`2024-43802`, :cve_nist:`2024-45306` and :cve_nist:`2024-47814`
+-  ``zstd``: Fix :cve_nist:`2022-4899`
+
+
+Fixes in Yocto-4.0.23
+~~~~~~~~~~~~~~~~~~~~~
+
+-  at-spi2-core: backport a patch to fix build with gcc-14 on host
+-  bitbake: bitbake: doc/user-manual: Update the BB_HASHSERVE_UPSTREAM
+-  bitbake: codeparser: Fix handling of string AST nodes with older Python versions
+-  bitbake: fetch2/git: Use quote from shlex, not pipes
+-  bitbake: gitsm: Add call_process_submodules() to remove duplicated code
+-  bitbake: gitsm: Remove downloads/tmpdir when failed
+-  bitbake: tests/fetch: Use our own mirror of mobile-broadband-provider to decouple from gnome gitlab
+-  bitbake: tests/fetch: Use our own mirror of sysprof to decouple from gnome gitlab
+-  bmap-tools: update :term:`HOMEPAGE` and :term:`SRC_URI`
+-  build-appliance-image: Update to kirkstone head revision
+-  cmake: Fix sporadic issues when determining compiler internals
+-  cracklib: Modify patch to compile with GCC 14
+-  cve-check: add CVSS vector string to CVE database and reports
+-  cve-check: add support for cvss v4.0
+-  cve_check: Use a local copy of the database during builds
+-  dev-manual: document how to provide confs from layer.conf
+-  documentation: Makefile: add SPHINXLINTDOCS to specify subset to sphinx-lint
+-  documentation: Makefile: fix epub and latexpdf targets
+-  documentation: README: add instruction to run Vale on a subset
+-  documentation: brief-yoctoprojectqs: update BB_HASHSERVE_UPSTREAM for new infrastructure
+-  documentation: conf.py: add a bitbake_git extlink
+-  documentation: rename :cve: role to :cve_nist:
+-  documentation: styles: vocabularies: Yocto: add sstate
+-  documnetation: contributor-guide: Remove duplicated words
+-  gcc: restore a patch for Neoverse N2 core
+-  glib-2.0: patch regression of :cve_nist:`2023-32665`
+-  kmscube: create_framebuffer: backport modifier fix
+-  libffi: backport a fix to build libffi-native with gcc-14
+-  linux-firmware: Upgrade to 20240909
+-  local.conf.sample: update BB_HASHSERVE_UPSTREAM for new infrastructure
+-  migration-guide: add release notes for 4.0.22
+-  migration-guide: release-notes-4.0: update BB_HASHSERVE_UPSTREAM for new infrastructure
+-  nativesdk-intercept: Fix bad intercept chgrp/chown logic
+-  orc: Upgrade to  0.4.40
+-  overlayfs-etc: add option to skip creation of mount dirs
+-  overview-manual: concepts: add details on package splitting
+-  package: Switch debug source handling to use prefix map
+-  patch.py: Use shlex instead of deprecated pipe
+-  poky.conf: bump version for 4.0.23
+-  pseudo: Disable LFS on 32bit arches
+-  pseudo: Fix envp bug and add posix_spawn wrapper
+-  pseudo: Fix to work with glibc 2.40
+-  pseudo: Switch back to the master branch
+-  pseudo: Update to include logic fix
+-  pseudo: Update to include open symlink handling bugfix
+-  pseudo: Update to pull in fchmodat fix
+-  pseudo: Update to pull in fd leak fix
+-  pseudo: Update to pull in gcc14 fix and missing statvfs64 intercept
+-  pseudo: Update to pull in linux-libc-headers race fix
+-  pseudo: Update to pull in python 3.12+ fix
+-  pseudo: Update to pull in syncfs probe fix
+-  ref-manual: add description for the "sysroot" term
+-  ref-manual: add missing CVE_CHECK manifest variables
+-  ref-manual: add missing :term:`EXTERNAL_KERNEL_DEVICETREE` variable
+-  ref-manual: add missing :term:`OPKGBUILDCMD` variable
+-  ref-manual: devtool-reference: document missing commands
+-  ref-manual: devtool-reference: refresh example outputs
+-  ref-manual: introduce :term:`CVE_CHECK_REPORT_PATCHED` variable
+-  ref-manual: release-process: add a reference to the doc's release
+-  ref-manual: release-process: refresh the current LTS releases
+-  ref-manual: release-process: update releases.svg
+-  ref-manual: release-process: update releases.svg with month after "Current"
+-  ref-manual: structure.rst: document missing tmp/ dirs
+-  ref-manual: variables: add SIGGEN_LOCKEDSIGS* variables
+-  syslinux: Disable error on implicit-function-declaration
+-  util-linux: Define pidfd_* function signatures
+-  vala: add -Wno-error=incompatible-pointer-types work around
+-  vim: Upgrade to 9.1.0764
+-  xmlto: backport a patch to fix build with gcc-14 on host
+-  zip: Fix build with gcc-14
+-  zip: Make configure checks to be more robust
+
+
+Known Issues in Yocto-4.0.23
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-N/A
+
+
+Contributors to Yocto-4.0.23
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Aleksandar Nikolic
+-  Alexandre Belloni
+-  Antoine Lubineau
+-  Antonin Godard
+-  Archana Polampalli
+-  Ashish Sharma
+-  Baruch Siach
+-  Eilís 'pidge' Ní Fhlannagáin
+-  Jose Quaresma
+-  Julien Stephan
+-  Khem Raj
+-  Lee Chee Yang
+-  Macpaul Lin
+-  Martin Jansa
+-  Michael Opdenacker
+-  Ola x Nilsson
+-  Peter Marko
+-  Philip Lorenz
+-  Randolph Sapp
+-  Richard Purdie
+-  Robert Yang
+-  Rohini Sangam
+-  Ruiqiang Hao
+-  Siddharth Doshi
+-  Steve Sakoman
+-  Talel BELHAJSALEM
+-  Wang Mingyu
+-  Yogita Urade
+-  Zoltan Boszormenyi
+
+
+Repositories / Downloads for Yocto-4.0.23
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.23 </poky/log/?h=yocto-4.0.23>`
+-  Git Revision: :yocto_git:`8e092852b63e998d990b8f8e1aa91297dec4430f </poky/commit/?id=8e092852b63e998d990b8f8e1aa91297dec4430f>`
+-  Release Artefact: poky-8e092852b63e998d990b8f8e1aa91297dec4430f
+-  sha: 339d34d8432070dac948449e732ebf06a888eeb27ff548958b2395c9446b029d
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.23/poky-8e092852b63e998d990b8f8e1aa91297dec4430f.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.23/poky-8e092852b63e998d990b8f8e1aa91297dec4430f.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.23 </openembedded-core/log/?h=yocto-4.0.23>`
+-  Git Revision: :oe_git:`fb45c5cf8c2b663af293acb069d446610f77ff1a </openembedded-core/commit/?id=fb45c5cf8c2b663af293acb069d446610f77ff1a>`
+-  Release Artefact: oecore-fb45c5cf8c2b663af293acb069d446610f77ff1a
+-  sha: 1d394370ea7d43fb885ab8a952d6d1e43f1a850745a5152d5ead5565a283a0f5
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.23/oecore-fb45c5cf8c2b663af293acb069d446610f77ff1a.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.23/oecore-fb45c5cf8c2b663af293acb069d446610f77ff1a.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.23 </meta-mingw/log/?h=yocto-4.0.23>`
+-  Git Revision: :yocto_git:`87c22abb1f11be430caf4372e6b833dc7d77564e </meta-mingw/commit/?id=87c22abb1f11be430caf4372e6b833dc7d77564e>`
+-  Release Artefact: meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e
+-  sha: f0bc4873e2e0319fb9d6d6ab9b98eb3f89664d4339a167d2db6a787dd12bc1a8
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.23/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.23/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.23 </meta-gplv2/log/?h=yocto-4.0.23>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.23/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.23/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.23 </bitbake/log/?h=yocto-4.0.23>`
+-  Git Revision: :oe_git:`fb73c495c45d1d4107cfd60b67a5b4f11a99647b </bitbake/commit/?id=fb73c495c45d1d4107cfd60b67a5b4f11a99647b>`
+-  Release Artefact: bitbake-fb73c495c45d1d4107cfd60b67a5b4f11a99647b
+-  sha: 5cd271299951f25912a2e8d4de6d8769a4c0bb3bbcfc90815be41f23fd299a0b
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.23/bitbake-fb73c495c45d1d4107cfd60b67a5b4f11a99647b.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.23/bitbake-fb73c495c45d1d4107cfd60b67a5b4f11a99647b.tar.bz2
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.23 </yocto-docs/log/?h=yocto-4.0.23>`
+-  Git Revision: :yocto_git:`TBD </yocto-docs/commit/?id=TBD>`
+
+

documentation/poky.yaml.in

@@ -1,3 +1,7 @@
+#
+# Macros used in the documentation
+#
+
 DISTRO : "4.0"
 DISTRO_NAME_NO_CAP : "kirkstone"
 DISTRO_NAME : "Kirkstone"
@@ -10,32 +14,6 @@ BITBAKE_SERIES : ""
 YOCTO_DL_URL : "https://downloads.yoctoproject.org"
 YOCTO_AB_URL : "https://autobuilder.yoctoproject.org"
 YOCTO_RELEASE_DL_URL : "&YOCTO_DL_URL;/releases/yocto/yocto-&DISTRO;"
-UBUNTU_HOST_PACKAGES_ESSENTIAL : "gawk wget git diffstat unzip texinfo gcc \
-     build-essential chrpath socat cpio python3 python3-pip python3-pexpect \
-     xz-utils debianutils iputils-ping python3-git python3-jinja2 \
-     python3-subunit zstd liblz4-tool file locales libacl1
-     \n\   $ sudo locale-gen en_US.UTF-8"
-FEDORA_HOST_PACKAGES_ESSENTIAL : "gawk make wget tar bzip2 gzip python3 unzip perl patch \
-     diffutils diffstat git cpp gcc gcc-c++ glibc-devel texinfo chrpath \
-     ccache perl-Data-Dumper perl-Text-ParseWords perl-Thread-Queue perl-bignum socat \
-     python3-pexpect findutils which file cpio python python3-pip xz python3-GitPython \
-     python3-jinja2 rpcgen perl-FindBin perl-File-Compare \
-     perl-File-Copy perl-locale zstd lz4 hostname glibc-langpack-en libacl"
-OPENSUSE_HOST_PACKAGES_ESSENTIAL : "python gcc gcc-c++ git chrpath make wget python-xml \
-     diffstat makeinfo python-curses patch socat python3 python3-curses tar python3-pip \
-     python3-pexpect xz which python3-Jinja2 rpcgen \
-     zstd lz4 bzip2 gzip hostname libacl1
-     \n\   $ sudo pip3 install GitPython"
-ALMALINUX_HOST_PACKAGES_ESSENTIAL : "-y epel-release
-     \n\   $ sudo yum install dnf-plugins-core
-     \n\   $ sudo dnf config-manager --set-enabled crb
-     \n\   $ sudo dnf makecache
-     \n\   $ sudo dnf install gawk make wget tar bzip2 gzip python3 unzip perl patch \
-     diffutils diffstat git cpp gcc gcc-c++ glibc-devel texinfo chrpath ccache \
-     socat perl-Data-Dumper perl-Text-ParseWords perl-Thread-Queue python3-pip \
-     python3-GitPython python3-jinja2 python3-pexpect xz which \
-     rpcgen zstd lz4 cpio glibc-langpack-en libacl"
-PIP3_HOST_PACKAGES_DOC : "$ sudo pip3 install sphinx sphinx_rtd_theme pyyaml"
 MIN_PYTHON_VERSION : "3.6.0"
 MIN_TAR_VERSION : "1.28"
 MIN_GIT_VERSION : "1.8.3.1"
@@ -47,3 +25,191 @@ MIN_DISK_SPACE : "90"
 MIN_DISK_SPACE_RM_WORK : "40"
 # RAM (Gbytes) needed to generate qemux86-64 core-image-sato on Ubuntu 22.04 (x86-64) on a 4 core system
 MIN_RAM : "8"
+
+#
+# Dependencies
+#
+
+# Shared between distros
+PIP3_HOST_PACKAGES_DOC: sphinx sphinx_rtd_theme pyyaml
+
+UBUNTU_DEBIAN_HOST_PACKAGES_ESSENTIAL: >-
+  build-essential
+  chrpath
+  cpio
+  debianutils
+  diffstat
+  file
+  gawk
+  gcc
+  git
+  iputils-ping
+  libacl1
+  liblz4-tool
+  locales
+  python3
+  python3-git
+  python3-jinja2
+  python3-pexpect
+  python3-pip
+  python3-subunit
+  socat
+  texinfo
+  unzip
+  wget
+  xz-utils
+  zstd
+
+UBUNTU_DEBIAN_HOST_PACKAGES_DOC: >-
+  git
+  inkscape
+  locales
+  make
+  python3-saneyaml
+  python3-sphinx-rtd-theme
+  sphinx
+  texlive-latex-extra
+
+FEDORA_HOST_PACKAGES_ESSENTIAL: >-
+  bzip2
+  ccache
+  chrpath
+  cpio
+  cpp
+  diffstat
+  diffutils
+  file
+  findutils
+  gawk
+  gcc
+  gcc-c++
+  git
+  glibc-devel
+  glibc-langpack-en
+  gzip
+  hostname
+  libacl
+  lz4
+  make
+  patch
+  perl
+  perl-Data-Dumper
+  perl-File-Compare
+  perl-File-Copy
+  perl-FindBin
+  perl-Text-ParseWords
+  perl-Thread-Queue
+  perl-bignum
+  perl-locale
+  python
+  python3
+  python3-GitPython
+  python3-jinja2
+  python3-pexpect
+  python3-pip
+  rpcgen
+  socat
+  tar
+  texinfo
+  unzip
+  wget
+  which
+  xz
+  zstd
+
+FEDORA_HOST_PACKAGES_DOC: >-
+  git
+  glibc-locale-source
+  inkscape
+  make
+  python3-pip
+  texlive-fncychap
+  which
+
+OPENSUSE_HOST_PACKAGES_ESSENTIAL: >-
+  bzip2
+  chrpath
+  diffstat
+  gcc
+  gcc-c++
+  git
+  gzip
+  hostname
+  libacl1
+  lz4
+  make
+  makeinfo
+  patch
+  python
+  python-curses
+  python-xml
+  python3
+  python3-Jinja2
+  python3-curses
+  python3-pexpect
+  python3-pip
+  rpcgen
+  socat
+  tar
+  wget
+  which
+  xz
+  zstd
+
+OPENSUSE_PIP3_HOST_PACKAGES_ESSENTIAL: GitPython
+
+OPENSUSE_HOST_PACKAGES_DOC: >-
+  git
+  glibc-i18ndata
+  inkscape
+  make
+  python3-pip
+  texlive-fncychap
+  which
+
+ALMALINUX_HOST_PACKAGES_ESSENTIAL: >-
+  bzip2
+  ccache
+  chrpath
+  cpio
+  cpp
+  diffstat
+  diffutils
+  gawk
+  gcc
+  gcc-c++
+  git
+  glibc-devel
+  glibc-langpack-en
+  gzip
+  libacl
+  lz4
+  make
+  patch
+  perl
+  perl-Data-Dumper
+  perl-Text-ParseWords
+  perl-Thread-Queue
+  python3
+  python3-GitPython
+  python3-jinja2
+  python3-pexpect
+  python3-pip
+  rpcgen
+  socat
+  tar
+  texinfo
+  unzip
+  wget
+  which
+  xz
+  zstd
+
+ALMALINUX_HOST_PACKAGES_DOC: >-
+  git
+  glibc-locale-source
+  inkscape
+  make
+  python3-pip
+  texlive-fncychap
+  which

documentation/ref-manual/classes.rst

@@ -153,27 +153,38 @@ software that includes bash-completion data.
 ``bin_package``
 ===============
 
-The :ref:`ref-classes-bin-package` class is a helper class for recipes that extract the
-contents of a binary package (e.g. an RPM) and install those contents
-rather than building the binary from source. The binary package is
-extracted and new packages in the configured output package format are
-created. Extraction and installation of proprietary binaries is a good
-example use for this class.
+The :ref:`ref-classes-bin-package` class is a helper class for recipes, that
+disables the :ref:`ref-tasks-configure` and :ref:`ref-tasks-compile` tasks and
+copies the content of the :term:`S` directory into the :term:`D` directory. This
+is useful for installing binary packages (e.g. RPM packages) by passing the
+package in the :term:`SRC_URI` variable and inheriting this class.
+
+For RPMs and other packages that do not contain a subdirectory, you should set
+the :term:`SRC_URI` option ``subdir`` to :term:`BP` so that the contents are
+extracted to the directory expected by the default value of :term:`S`. For
+example::
+
+   SRC_URI = "https://example.com/downloads/somepackage.rpm;subdir=${BP}"
+
+This class can also be used for tarballs. For example::
+
+   SRC_URI = "file://somepackage.tar.xz;subdir=${BP}"
+
+The :ref:`ref-classes-bin-package` class will copy the extracted content of the
+tarball from :term:`S` to :term:`D`.
+
+This class assumes that the content of the package as installed in :term:`S`
+mirrors the expected layout once installed on the target, which is generally the
+case for binary packages. For example, an RPM package for a library would
+usually contain the ``usr/lib`` directory, and should be extracted to
+``${S}/usr/lib/<library>.so.<version>`` to be installed in :term:`D` correctly.
 
 .. note::
 
-   For RPMs and other packages that do not contain a subdirectory, you
-   should specify an appropriate fetcher parameter to point to the
-   subdirectory. For example, if BitBake is using the Git fetcher (``git://``),
-   the "subpath" parameter limits the checkout to a specific subpath
-   of the tree. Here is an example where ``${BP}`` is used so that the files
-   are extracted into the subdirectory expected by the default value of
-   :term:`S`::
-
-      SRC_URI = "git://example.com/downloads/somepackage.rpm;branch=main;subpath=${BP}"
-
-   See the ":ref:`bitbake-user-manual/bitbake-user-manual-fetching:fetchers`" section in the BitBake User Manual for
-   more information on supported BitBake Fetchers.
+   The extraction of the package passed in :term:`SRC_URI` is not handled by the
+   :ref:`ref-classes-bin-package` class, but rather by the appropriate
+   :ref:`fetcher <bitbake-user-manual/bitbake-user-manual-fetching:fetchers>`
+   depending on the file extension.
 
 .. _ref-classes-binconfig:
 
@@ -2467,7 +2478,7 @@ runtime tests for recipes that build software that provides these tests.
 This class is intended to be inherited by individual recipes. However,
 the class' functionality is largely disabled unless "ptest" appears in
 :term:`DISTRO_FEATURES`. See the
-":ref:`dev-manual/packages:testing packages with ptest`"
+":ref:`test-manual/ptest:testing packages with ptest`"
 section in the Yocto Project Development Tasks Manual for more information
 on ptest.
 
@@ -2480,7 +2491,7 @@ Enables package tests (ptests) specifically for GNOME packages, which
 have tests intended to be executed with ``gnome-desktop-testing``.
 
 For information on setting up and running ptests, see the
-":ref:`dev-manual/packages:testing packages with ptest`"
+":ref:`test-manual/ptest:testing packages with ptest`"
 section in the Yocto Project Development Tasks Manual.
 
 .. _ref-classes-python3-dir:
@@ -3053,8 +3064,8 @@ after it is built, you can set :term:`TESTIMAGE_AUTO`::
    TESTIMAGE_AUTO = "1"
 
 For information on how to enable, run, and create new tests, see the
-":ref:`dev-manual/runtime-testing:performing automated runtime testing`"
-section in the Yocto Project Development Tasks Manual.
+":ref:`test-manual/runtime-testing:performing automated runtime testing`"
+section in the Yocto Project Test Environment Manual.
 
 .. _ref-classes-testsdk:
 

documentation/ref-manual/devtool-reference.rst

@@ -550,6 +550,26 @@ the packages are already on the target. Consequently, when a runtime
 call is made in the application for a dependent function (e.g. a library
 call), the function cannot be found.
 
+.. warning::
+
+   Runtime dependencies can be explicitly listed in the :term:`RDEPENDS`
+   variable, but may also be the result of a :term:`DEPENDS` assignment in your
+   application's recipe. This is usually the case when your application depends
+   on libraries for compilation: these libraries are listed as build-time
+   dependencies in the :term:`DEPENDS` variable in your application's recipe.
+   However these may also be runtime dependencies if they install shared objects
+   on which your application will dynamically link to at runtime (e.g. shared
+   libraries ending with ``.so``).
+
+   These runtime dependencies are automatically resolved by the
+   :term:`OpenEmbedded Build System` during the packaging phase. Since
+   ``devtool`` ignores packaging dependencies, they will not be installed
+   automatically with ``devtool deploy-target``.
+
+   For more information on how the :term:`OpenEmbedded Build System` handles
+   packaging, see the :ref:`overview-manual/concepts:Automatically Added Runtime
+   Dependencies` section of the Yocto Project Overview and Concepts Manual.
+
 To be sure you have all the dependencies local to the target, you need
 to be sure that the packages are pre-deployed (installed) on the target
 before attempting to run your application.

documentation/ref-manual/features.rst

@@ -157,7 +157,7 @@ metadata:
 
 -  *ptest:* Enables building the package tests where supported by
    individual recipes. For more information on package tests, see the
-   ":ref:`dev-manual/packages:testing packages with ptest`" section
+   ":ref:`test-manual/ptest:testing packages with ptest`" section
    in the Yocto Project Development Tasks Manual.
 
 -  *smbfs:* Include SMB networks client support (for mounting

documentation/ref-manual/images.rst

@@ -119,8 +119,8 @@ Here is a list of supported recipes:
    deployed to a separate partition so that you can boot into it and use
    it to deploy a second image to be tested. You can find more
    information about runtime testing in the
-   ":ref:`dev-manual/runtime-testing:performing automated runtime testing`"
-   section in the Yocto Project Development Tasks Manual.
+   ":ref:`test-manual/runtime-testing:performing automated runtime testing`"
+   section in the Yocto Project Test Environment Manual.
 
 -  ``core-image-testmaster-initramfs``: A RAM-based Initial Root
    Filesystem (initramfs) image tailored for use with the

documentation/ref-manual/qa-checks.rst

@@ -789,7 +789,6 @@ Errors and Warnings
     use a relative path rather than an absolute one, or to pick up the path from
     runtime configuration or environment variables.
 
-
 Configuring and Disabling QA Checks
 ===================================
 

documentation/ref-manual/release-process.rst

@@ -148,8 +148,8 @@ Additionally, because the test strategies are visible to you as a
 developer, you can validate your projects. This section overviews the
 available test infrastructure used in the Yocto Project. For information
 on how to run available tests on your projects, see the
-":ref:`dev-manual/runtime-testing:performing automated runtime testing`"
-section in the Yocto Project Development Tasks Manual.
+":ref:`test-manual/runtime-testing:performing automated runtime testing`"
+section in the Yocto Project Test Environment Manual.
 
 The QA/testing infrastructure is woven into the project to the point
 where core developers take some of it for granted. The infrastructure
@@ -175,7 +175,7 @@ consists of the following pieces:
    operation and functions. However, the test can also use the IP
    address of a machine to test.
 
--  :ref:`ptest <dev-manual/packages:testing packages with ptest>`:
+-  :ref:`ptest <test-manual/ptest:testing packages with ptest>`:
    Runs tests against packages produced during the build for a given
    piece of software. The test allows the packages to be run within a
    target image.

documentation/ref-manual/system-requirements.rst

@@ -80,28 +80,20 @@ limited value if you have access to such updates.
 Finally, here are the distribution versions which were previously
 tested on former revisions of "&DISTRO_NAME;", but no longer are:
 
--  Ubuntu 16.04 (LTS)
+-  Ubuntu 18.04 (LTS)
 
--  Ubuntu 21.10
+-  Ubuntu 20.04 (LTS)
 
--  Fedora 34
-
--  Fedora 35
-
--  Fedora 36
+-  Ubuntu 22.04 (LTS)
 
 -  Fedora 37
 
--  CentOS 7.x
-
--  CentOS 8.x
-
--  Debian GNU/Linux 9.x (Stretch)
-
--  Debian GNU/Linux 10.x (Buster)
+-  Debian GNU/Linux 11.x (Bookworm)
 
 -  OpenSUSE Leap 15.3
 
+-  AlmaLinux 8
+
 .. note::
 
    -  While the Yocto Project Team attempts to ensure all Yocto Project
@@ -158,10 +150,27 @@ Ubuntu and Debian
 Here are the packages needed to build an image on a headless system
 with a supported Ubuntu or Debian Linux distribution::
 
-   $ sudo apt install &UBUNTU_HOST_PACKAGES_ESSENTIAL;
+   $ sudo apt install &UBUNTU_DEBIAN_HOST_PACKAGES_ESSENTIAL;
+
+You also need to ensure you have the ``en_US.UTF-8`` locale enabled::
+
+   $ locale --all-locales | grep en_US.utf8
+
+If this is not the case, you can reconfigure the ``locales`` package to add it
+(requires an interactive shell)::
+
+   $ sudo dpkg-reconfigure locales
 
 .. note::
 
+   -  If you are not in an interactive shell, ``dpkg-reconfigure`` will
+      not work as expected. To add the locale you will need to edit
+      ``/etc/locale.gen`` file to add/uncomment the ``en_US.UTF-8`` locale.
+      A naive way to do this as root is::
+
+         $ echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
+         $ locale-gen
+
    -  If your build system has the ``oss4-dev`` package installed, you
       might experience QEMU build failures due to the package installing
       its own custom ``/usr/include/linux/soundcard.h`` on the Debian
@@ -172,8 +181,7 @@ with a supported Ubuntu or Debian Linux distribution::
 
 Here are the packages needed to build Project documentation manuals::
 
-   $ sudo apt install git make inkscape texlive-latex-extra
-   $ sudo apt install sphinx python3-saneyaml python3-sphinx-rtd-theme
+   $ sudo apt install &UBUNTU_DEBIAN_HOST_PACKAGES_DOC;
 
 Fedora Packages
 ---------------
@@ -185,8 +193,8 @@ with a supported Fedora Linux distribution::
 
 Here are the packages needed to build Project documentation manuals::
 
-   $ sudo dnf install git make python3-pip which inkscape texlive-fncychap
-   &PIP3_HOST_PACKAGES_DOC;
+   $ sudo dnf install &FEDORA_HOST_PACKAGES_DOC;
+   $ sudo pip3 install &PIP3_HOST_PACKAGES_DOC;
 
 openSUSE Packages
 -----------------
@@ -195,11 +203,12 @@ Here are the packages needed to build an image on a headless system
 with a supported openSUSE distribution::
 
    $ sudo zypper install &OPENSUSE_HOST_PACKAGES_ESSENTIAL;
+   $ sudo pip3 install &OPENSUSE_PIP3_HOST_PACKAGES_ESSENTIAL;
 
 Here are the packages needed to build Project documentation manuals::
 
-   $ sudo zypper install git make python3-pip which inkscape texlive-fncychap
-   &PIP3_HOST_PACKAGES_DOC;
+   $ sudo zypper install &OPENSUSE_HOST_PACKAGES_DOC;
+   $ sudo pip3 install &PIP3_HOST_PACKAGES_DOC;
 
 
 AlmaLinux Packages
@@ -208,6 +217,10 @@ AlmaLinux Packages
 Here are the packages needed to build an image on a headless system
 with a supported AlmaLinux distribution::
 
+   $ sudo dnf install -y epel-release
+   $ sudo yum install dnf-plugins-core
+   $ sudo dnf config-manager --set-enabled crb
+   $ sudo dnf makecache
    $ sudo dnf install &ALMALINUX_HOST_PACKAGES_ESSENTIAL;
 
 .. note::
@@ -225,8 +238,8 @@ with a supported AlmaLinux distribution::
 
 Here are the packages needed to build Project documentation manuals::
 
-   $ sudo dnf install git make python3-pip which inkscape texlive-fncychap
-   &PIP3_HOST_PACKAGES_DOC;
+   $ sudo dnf install &ALMALINUX_HOST_PACKAGES_DOC;
+   $ sudo pip3 install &PIP3_HOST_PACKAGES_DOC;
 
 .. _system-requirements-buildtools:
 

documentation/ref-manual/tasks.rst

@@ -629,8 +629,8 @@ information on how the root filesystem is created.
 
 Boots an image and performs runtime tests within the image. For
 information on automatically testing images, see the
-":ref:`dev-manual/runtime-testing:performing automated runtime testing`"
-section in the Yocto Project Development Tasks Manual.
+":ref:`test-manual/runtime-testing:performing automated runtime testing`"
+section in the Yocto Project Test Environment Manual.
 
 .. _ref-tasks-testimage_auto:
 
@@ -642,8 +642,8 @@ after it has been built. This task is enabled when you set
 :term:`TESTIMAGE_AUTO` equal to "1".
 
 For information on automatically testing images, see the
-":ref:`dev-manual/runtime-testing:performing automated runtime testing`"
-section in the Yocto Project Development Tasks Manual.
+":ref:`test-manual/runtime-testing:performing automated runtime testing`"
+section in the Yocto Project Test Environment Manual.
 
 Kernel-Related Tasks
 ====================

documentation/ref-manual/variables.rst

@@ -6434,7 +6434,7 @@ system and gives an overview of their function and contents.
 
    :term:`PTEST_ENABLED`
       Specifies whether or not :ref:`Package
-      Test <dev-manual/packages:testing packages with ptest>` (ptest)
+      Test <test-manual/ptest:testing packages with ptest>` (ptest)
       functionality is enabled when building a recipe. You should not set
       this variable directly. Enabling and disabling building Package Tests
       at build time should be done by adding "ptest" to (or removing it
@@ -7527,6 +7527,31 @@ system and gives an overview of their function and contents.
 
          You can specify only a single URL in :term:`SOURCE_MIRROR_URL`.
 
+      .. note::
+
+         If the mirror is protected behind a username and password, the
+         :term:`build host` needs to be configured so the :term:`build system
+         <OpenEmbedded Build System>` is able to fetch from the mirror.
+
+         The recommended way to do that is by setting the following parameters
+         in ``$HOME/.netrc`` (``$HOME`` being the :term:`build host` home
+         directory)::
+
+            machine example.com
+            login <user>
+            password <password>
+
+         This file requires permissions set to ``400`` or ``600`` to prevent
+         other users from reading the file::
+
+            chmod 600 "$HOME/.netrc"
+
+         Another method to configure the username and password is from the URL
+         in :term:`SOURCE_MIRROR_URL` directly, with the ``user`` and ``pswd``
+         parameters::
+
+            SOURCE_MIRROR_URL = "http://example.com/my_source_mirror;user=<user>;pswd=<password>"
+
    :term:`SPDX_ARCHIVE_PACKAGED`
       This option allows to add to :term:`SPDX` output compressed archives
       of the files in the generated target packages.
@@ -7905,6 +7930,34 @@ system and gives an overview of their function and contents.
              file://.* https://someserver.tld/share/sstate/PATH;downloadfilename=PATH \
              file://.* file:///some-local-dir/sstate/PATH"
 
+      .. note::
+
+         If the mirror is protected behind a username and password, the
+         :term:`build host` needs to be configured so the :term:`build system
+         <OpenEmbedded Build System>` is able to download the sstate cache using
+         authentication.
+
+         The recommended way to do that is by setting the following parameters
+         in ``$HOME/.netrc`` (``$HOME`` being the :term:`build host` home
+         directory)::
+
+            machine someserver.tld
+            login <user>
+            password <password>
+
+         This file requires permissions set to ``400`` or ``600`` to prevent
+         other users from reading the file::
+
+            chmod 600 "$HOME/.netrc"
+
+         Another method to configure the username and password is from the
+         URL in :term:`SSTATE_MIRRORS` directly, with the ``user`` and ``pswd``
+         parameters::
+
+            SSTATE_MIRRORS ?= "\
+                file://.* https://someserver.tld/share/sstate/PATH;user=<user>;pswd=<password>;downloadfilename=PATH \
+            "
+
       The Yocto Project actually shares the cache data objects built by its
       autobuilder::
 
@@ -8635,8 +8688,8 @@ system and gives an overview of their function and contents.
       file.
 
       For more information on testing images, see the
-      ":ref:`dev-manual/runtime-testing:performing automated runtime testing`"
-      section in the Yocto Project Development Tasks Manual.
+      ":ref:`test-manual/runtime-testing:performing automated runtime testing`"
+      section in the Yocto Project Test Environment Manual.
 
    :term:`TEST_SERIALCONTROL_CMD`
       For automated hardware testing, specifies the command to use to
@@ -8708,8 +8761,8 @@ system and gives an overview of their function and contents.
          TEST_SUITES = "test_A test_B"
 
       For more information on testing images, see the
-      ":ref:`dev-manual/runtime-testing:performing automated runtime testing`"
-      section in the Yocto Project Development Tasks Manual.
+      ":ref:`test-manual/runtime-testing:performing automated runtime testing`"
+      section in the Yocto Project Test Environment Manual.
 
    :term:`TEST_TARGET`
       Specifies the target controller to use when running tests against a
@@ -8727,8 +8780,8 @@ system and gives an overview of their function and contents.
       You can provide the following arguments with :term:`TEST_TARGET`:
 
       -  *"qemu":* Boots a QEMU image and runs the tests. See the
-         ":ref:`dev-manual/runtime-testing:enabling runtime tests on qemu`" section
-         in the Yocto Project Development Tasks Manual for more
+         ":ref:`test-manual/runtime-testing:enabling runtime tests on qemu`" section
+         in the Yocto Project Test Environment Manual for more
          information.
 
       -  *"simpleremote":* Runs the tests on target hardware that is
@@ -8743,8 +8796,8 @@ system and gives an overview of their function and contents.
             ``meta/lib/oeqa/controllers/simpleremote.py``.
 
       For information on running tests on hardware, see the
-      ":ref:`dev-manual/runtime-testing:enabling runtime tests on hardware`"
-      section in the Yocto Project Development Tasks Manual.
+      ":ref:`test-manual/runtime-testing:enabling runtime tests on hardware`"
+      section in the Yocto Project Test Environment Manual.
 
    :term:`TEST_TARGET_IP`
       The IP address of your hardware under test. The :term:`TEST_TARGET_IP`
@@ -8780,8 +8833,8 @@ system and gives an overview of their function and contents.
 
       For more information
       on enabling, running, and writing these tests, see the
-      ":ref:`dev-manual/runtime-testing:performing automated runtime testing`"
-      section in the Yocto Project Development Tasks Manual and the
+      ":ref:`test-manual/runtime-testing:performing automated runtime testing`"
+      section in the Yocto Project Test Environment Manual and the
       ":ref:`ref-classes-testimage`" section.
 
    :term:`THISDIR`

documentation/standards.md

@@ -109,6 +109,21 @@ or in the BitBake User Manual
 If it is not described yet, the variable should be added to the
 glossary before or in the same patch it is used, so that `:term:` can be used.
 
+### Admonitions
+
+Sphinx has predefined admonitions that can be used to highlight a bit of text or
+add a side-note to the documentation. For example:
+
+```rst
+.. note::
+
+   This is a note admonition.
+```
+
+We try to limit our usage of these admonitions to `note` and `warning`, as the
+Sphinx documentation [warns](https://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html#directives)
+that most themes only style these two admonitions.
+
 ## ReStructured Text Syntax standards
 
 This section has not been filled yet

documentation/test-manual/index.rst

@@ -12,6 +12,8 @@ Yocto Project Test Environment Manual
 
    intro
    test-process
+   ptest
+   runtime-testing
    understand-autobuilder
    reproducible-builds
    yocto-project-compatible

documentation/test-manual/intro.rst

@@ -131,7 +131,9 @@ the following types of tests:
       $ bitbake image -c testimage
 
    The tests use the :ref:`ref-classes-testimage`
-   class and the :ref:`ref-tasks-testimage` task.
+   class and the :ref:`ref-tasks-testimage` task. See the
+   :ref:`test-manual/runtime-testing:Performing Automated Runtime Testing`
+   section of the Yocto Project Test Environment Manual for more information.
 
 -  *Layer Testing:* The Autobuilder has the possibility to test whether
    specific layers work with the test of the system. The layers tested
@@ -141,7 +143,7 @@ the following types of tests:
 -  *Package Testing:* A Package Test (ptest) runs tests against packages
    built by the OpenEmbedded build system on the target machine. See the
    :ref:`Testing Packages With
-   ptest <dev-manual/packages:Testing Packages With ptest>` section
+   ptest <test-manual/ptest:Testing Packages With ptest>` section
    in the Yocto Project Development Tasks Manual and the
    ":yocto_wiki:`Ptest </Ptest>`" Wiki page for more
    information on Ptest.

documentation/test-manual/ptest.rst

@@ -0,0 +1,114 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+***************************
+Testing Packages With ptest
+***************************
+
+A Package Test (ptest) runs tests against packages built by the
+OpenEmbedded build system on the target machine. A ptest contains at
+least two items: the actual test, and a shell script (``run-ptest``)
+that starts the test. The shell script that starts the test must not
+contain the actual test --- the script only starts the test. On the other
+hand, the test can be anything from a simple shell script that runs a
+binary and checks the output to an elaborate system of test binaries and
+data files.
+
+The test generates output in the format used by Automake::
+
+   result: testname
+
+where the result can be ``PASS``, ``FAIL``, or ``SKIP``, and
+the testname can be any identifying string.
+
+For a list of Yocto Project recipes that are already enabled with ptest,
+see the :yocto_wiki:`Ptest </Ptest>` wiki page.
+
+.. note::
+
+   A recipe is "ptest-enabled" if it inherits the :ref:`ref-classes-ptest`
+   class.
+
+Adding ptest to Your Build
+==========================
+
+To add package testing to your build, add the :term:`DISTRO_FEATURES` and
+:term:`EXTRA_IMAGE_FEATURES` variables to your ``local.conf`` file, which
+is found in the :term:`Build Directory`::
+
+   DISTRO_FEATURES:append = " ptest"
+   EXTRA_IMAGE_FEATURES += "ptest-pkgs"
+
+Once your build is complete, the ptest files are installed into the
+``/usr/lib/package/ptest`` directory within the image, where ``package``
+is the name of the package.
+
+Running ptest
+=============
+
+The ``ptest-runner`` package installs a shell script that loops through
+all installed ptest test suites and runs them in sequence. Consequently,
+you might want to add this package to your image.
+
+Getting Your Package Ready
+==========================
+
+In order to enable a recipe to run installed ptests on target hardware,
+you need to prepare the recipes that build the packages you want to
+test. Here is what you have to do for each recipe:
+
+-  *Be sure the recipe inherits the* :ref:`ref-classes-ptest` *class:*
+   Include the following line in each recipe::
+
+      inherit ptest
+
+-  *Create run-ptest:* This script starts your test. Locate the
+   script where you will refer to it using
+   :term:`SRC_URI`. Here is an
+   example that starts a test for ``dbus``::
+
+      #!/bin/sh
+      cd test
+      make -k runtest-TESTS
+
+-  *Ensure dependencies are met:* If the test adds build or runtime
+   dependencies that normally do not exist for the package (such as
+   requiring "make" to run the test suite), use the
+   :term:`DEPENDS` and
+   :term:`RDEPENDS` variables in
+   your recipe in order for the package to meet the dependencies. Here
+   is an example where the package has a runtime dependency on "make"::
+
+      RDEPENDS:${PN}-ptest += "make"
+
+-  *Add a function to build the test suite:* Not many packages support
+   cross-compilation of their test suites. Consequently, you usually
+   need to add a cross-compilation function to the package.
+
+   Many packages based on Automake compile and run the test suite by
+   using a single command such as ``make check``. However, the host
+   ``make check`` builds and runs on the same computer, while
+   cross-compiling requires that the package is built on the host but
+   executed for the target architecture (though often, as in the case
+   for ptest, the execution occurs on the host). The built version of
+   Automake that ships with the Yocto Project includes a patch that
+   separates building and execution. Consequently, packages that use the
+   unaltered, patched version of ``make check`` automatically
+   cross-compiles.
+
+   Regardless, you still must add a ``do_compile_ptest`` function to
+   build the test suite. Add a function similar to the following to your
+   recipe::
+
+      do_compile_ptest() {
+          oe_runmake buildtest-TESTS
+      }
+
+-  *Ensure special configurations are set:* If the package requires
+   special configurations prior to compiling the test code, you must
+   insert a ``do_configure_ptest`` function into the recipe.
+
+-  *Install the test suite:* The :ref:`ref-classes-ptest` class
+   automatically copies the file ``run-ptest`` to the target and then runs make
+   ``install-ptest`` to run the tests. If this is not enough, you need
+   to create a ``do_install_ptest`` function and make sure it gets
+   called after the "make install-ptest" completes.

documentation/test-manual/reproducible-builds.rst

@@ -91,11 +91,21 @@ run::
 
    oe-selftest -r reproducible.ReproducibleTests.test_reproducible_builds
 
-This defaults to including a ``world`` build so, if other layers are added, it would
-also run the tests for recipes in the additional layers. The first build will be
-run using :ref:`Shared State <overview-manual/concepts:Shared State>` if
-available, the second build explicitly disables
-:ref:`Shared State <overview-manual/concepts:Shared State>` and builds on the
+This defaults to including a ``world`` build so, if other layers are added, it
+would also run the tests for recipes in the additional layers. Different build
+targets can be defined using the :term:`OEQA_REPRODUCIBLE_TEST_TARGET` variable
+in ``local.conf``. For example, running reproducibility tests for only the
+``python3-numpy`` recipe can be done by setting::
+
+   OEQA_REPRODUCIBLE_TEST_TARGET = "python3-numpy"
+
+in local.conf before running the ``oe-selftest`` command shown above.
+
+Reproducibility builds the target list twice. The first build will be run using
+:ref:`Shared State <overview-manual/concepts:Shared State>` if available, the
+second build explicitly disables :ref:`Shared State
+<overview-manual/concepts:Shared State>` except for recipes defined in the
+:term:`OEQA_REPRODUCIBLE_TEST_SSTATE_TARGETS` variable, and builds on the
 specific host the build is running on. This means we can test reproducibility
 builds between different host distributions over time on the Autobuilder.
 

documentation/test-manual/runtime-testing.rst

@@ -1,5 +1,6 @@
 .. SPDX-License-Identifier: CC-BY-SA-2.0-UK
 
+************************************
 Performing Automated Runtime Testing
 ************************************
 
@@ -153,7 +154,7 @@ options are available:
 
    If you choose "SystemdbootTarget", there are additional requirements
    and considerations. See the
-   ":ref:`dev-manual/runtime-testing:selecting systemdboottarget`" section, which
+   ":ref:`test-manual/runtime-testing:selecting systemdboottarget`" section, which
    follows, for more information.
 
 -  *"BeagleBoneTarget":* Choose "BeagleBoneTarget" if you are deploying
@@ -185,7 +186,7 @@ Selecting SystemdbootTarget
 
 If you did not set :term:`TEST_TARGET` to "SystemdbootTarget", then you do
 not need any information in this section. You can skip down to the
-":ref:`dev-manual/runtime-testing:running tests`" section.
+":ref:`test-manual/runtime-testing:running tests`" section.
 
 If you did set :term:`TEST_TARGET` to "SystemdbootTarget", you also need to
 perform a one-time setup of your controller image by doing the following:

meta-poky/conf/distro/poky.conf

@@ -1,7 +1,7 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
 #DISTRO_VERSION = "3.4+snapshot-${METADATA_REVISION}"
-DISTRO_VERSION = "4.0.23"
+DISTRO_VERSION = "4.0.24"
 DISTRO_CODENAME = "kirkstone"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${METADATA_REVISION}', 'snapshot')}"
@@ -38,9 +38,14 @@ SANITY_TESTED_DISTROS ?= " \
             ubuntu-20.04 \n \
             ubuntu-22.04 \n \
             fedora-37 \n \
+            fedora-39 \n \
+            fedora-40 \n \
             debian-11 \n \
             opensuseleap-15.3 \n \
             almalinux-8.8 \n \
+            almalinux-8.9 \n \
+            almalinux-8.10 \n \
+            almalinux-9.4 \n \
             "
 # add poky sanity bbclass
 INHERIT += "poky-sanity"

meta/classes/package.bbclass

@@ -1850,7 +1850,7 @@ SHLIBSWORKDIR = "${PKGDESTWORK}/${MLPREFIX}shlibs2"
 
 python package_do_shlibs() {
     import itertools
-    import re, pipes
+    import re, shlex
     import subprocess
 
     exclude_shlibs = d.getVar('EXCLUDE_FROM_SHLIBS', False)
@@ -1894,7 +1894,7 @@ python package_do_shlibs() {
         sonames = set()
         renames = []
         ldir = os.path.dirname(file).replace(pkgdest + "/" + pkg, '')
-        cmd = d.getVar('OBJDUMP') + " -p " + pipes.quote(file) + " 2>/dev/null"
+        cmd = d.getVar('OBJDUMP') + " -p " + shlex.quote(file) + " 2>/dev/null"
         fd = os.popen(cmd)
         lines = fd.readlines()
         fd.close()

meta/classes/package_rpm.bbclass

@@ -4,7 +4,7 @@ IMAGE_PKGTYPE ?= "rpm"
 
 RPM="rpm"
 RPMBUILD="rpmbuild"
-RPMBUILD_COMPMODE ?= "${@'w19T%d.zstdio' % int(d.getVar('ZSTD_THREADS'))}"
+RPMBUILD_COMPMODE ?= "${@'w3T%d.zstdio' % int(d.getVar('ZSTD_THREADS'))}"
 
 PKGWRITEDIRRPM = "${WORKDIR}/deploy-rpms"
 
@@ -680,6 +680,7 @@ python do_package_rpm () {
     cmd = cmd + " --define '_use_internal_dependency_generator 0'"
     cmd = cmd + " --define '_binaries_in_noarch_packages_terminate_build 0'"
     cmd = cmd + " --define '_build_id_links none'"
+    cmd = cmd + " --define '_smp_ncpus_max 4'"
     cmd = cmd + " --define '_source_payload %s'" % rpmbuild_compmode
     cmd = cmd + " --define '_binary_payload %s'" % rpmbuild_compmode
     cmd = cmd + " --define 'clamp_mtime_to_source_date_epoch 1'"

meta/classes/rootfs-postcommands.bbclass

@@ -377,6 +377,10 @@ rootfs_reproducible () {
 			find ${IMAGE_ROOTFS}${sysconfdir}/gconf -name '%gconf.xml' -print0 | xargs -0r \
 			sed -i -e 's@\bmtime="[0-9][0-9]*"@mtime="'${REPRODUCIBLE_TIMESTAMP_ROOTFS}'"@g'
 		fi
+
+		if [ -f ${IMAGE_ROOTFS}${localstatedir}/lib/opkg/status ]; then
+			sed -i 's/^Installed-Time: .*/Installed-Time: ${REPRODUCIBLE_TIMESTAMP_ROOTFS}/' ${IMAGE_ROOTFS}${localstatedir}/lib/opkg/status
+		fi
 	fi
 }
 

meta/classes/sanity.bbclass

@@ -469,6 +469,29 @@ def check_wsl(d):
             bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space")
     return None
 
+def check_userns():
+    """
+    Check that user namespaces are functional, as they're used for network isolation.
+    """
+
+    # There is a known failure case with AppAmrmor where the unshare() call
+    # succeeds (at which point the uid is nobody) but writing to the uid_map
+    # fails (so the uid isn't reset back to the user's uid). We can detect this.
+    parentuid = os.getuid()
+    pid = os.fork()
+    if not pid:
+        try:
+            bb.utils.disable_network()
+        except:
+            pass
+        os._exit(parentuid != os.getuid())
+
+    ret = os.waitpid(pid, 0)[1]
+    if ret:
+        bb.fatal("User namespaces are not usable by BitBake, possibly due to AppArmor.\n"
+                 "See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions for more information.")
+
+
 # Require at least gcc version 7.5.
 #
 # This can be fixed on CentOS-7 with devtoolset-6+
@@ -634,6 +657,7 @@ def check_sanity_version_change(status, d):
     status.addresult(check_git_version(d))
     status.addresult(check_perl_modules(d))
     status.addresult(check_wsl(d))
+    status.addresult(check_userns())
 
     missing = ""
 

meta/classes/sstate.bbclass

@@ -660,15 +660,6 @@ def sstate_package(ss, d):
 
     tmpdir = d.getVar('TMPDIR')
 
-    fixtime = False
-    if ss['task'] == "package":
-        fixtime = True
-
-    def fixtimestamp(root, path):
-        f = os.path.join(root, path)
-        if os.lstat(f).st_mtime > sde:
-            os.utime(f, (sde, sde), follow_symlinks=False)
-
     sstatebuild = d.expand("${WORKDIR}/sstate-build-%s/" % ss['task'])
     sde = int(d.getVar("SOURCE_DATE_EPOCH") or time.time())
     d.setVar("SSTATE_CURRTASK", ss['task'])
@@ -683,8 +674,6 @@ def sstate_package(ss, d):
         # to sstate tasks but there aren't many of these so better just avoid them entirely.
         for walkroot, dirs, files in os.walk(state[1]):
             for file in files + dirs:
-                if fixtime:
-                    fixtimestamp(walkroot, file)
                 srcpath = os.path.join(walkroot, file)
                 if not os.path.islink(srcpath):
                     continue
@@ -706,11 +695,6 @@ def sstate_package(ss, d):
         bb.utils.mkdirhier(plain)
         bb.utils.mkdirhier(pdir)
         bb.utils.rename(plain, pdir)
-        if fixtime:
-            fixtimestamp(pdir, "")
-            for walkroot, dirs, files in os.walk(pdir):
-                for file in files + dirs:
-                    fixtimestamp(walkroot, file)
 
     d.setVar('SSTATE_BUILDDIR', sstatebuild)
     d.setVar('SSTATE_INSTDIR', sstatebuild)

meta/files/toolchain-shar-extract.sh

@@ -284,6 +284,10 @@ post_relocate="$target_sdk_dir/post-relocate-setup.sh"
 if [ -e "$post_relocate" ]; then
 	$SUDO_EXEC sed -e "s:@SDKPATH@:$target_sdk_dir:g" -i $post_relocate
 	$SUDO_EXEC /bin/sh $post_relocate "$target_sdk_dir" "@SDKPATH@"
+	if [ $? -ne 0 ]; then
+		echo "Executing $post_relocate failed"
+		exit 1
+	fi
 	$SUDO_EXEC rm -f $post_relocate
 fi
 

meta/lib/oe/sstatesig.py

@@ -510,6 +510,7 @@ def OEOuthashBasic(path, sigfile, task, d):
     if task == "package":
         include_timestamps = True
         include_root = False
+        source_date_epoch = float(d.getVar("SOURCE_DATE_EPOCH"))
     hash_version = d.getVar('HASHEQUIV_HASH_VERSION')
     extra_sigdata = d.getVar("HASHEQUIV_EXTRA_SIGDATA")
 
@@ -601,7 +602,11 @@ def OEOuthashBasic(path, sigfile, task, d):
                         raise Exception(msg).with_traceback(e.__traceback__)
 
                 if include_timestamps:
-                    update_hash(" %10d" % s.st_mtime)
+                    # Need to clamp to SOURCE_DATE_EPOCH
+                    if s.st_mtime > source_date_epoch:
+                        update_hash(" %10d" % source_date_epoch)
+                    else:
+                        update_hash(" %10d" % s.st_mtime)
 
                 update_hash(" ")
                 if stat.S_ISBLK(s.st_mode) or stat.S_ISCHR(s.st_mode):

meta/lib/oeqa/core/runner.py

@@ -347,7 +347,7 @@ class OETestResultJSONHelper(object):
             os.makedirs(write_dir, exist_ok=True)
         test_results = self._get_existing_testresults_if_available(write_dir)
         test_results[result_id] = {'configuration': configuration, 'result': test_result}
-        json_testresults = json.dumps(test_results, sort_keys=True, indent=4)
+        json_testresults = json.dumps(test_results, sort_keys=True, indent=1)
         self._write_file(write_dir, self.testresult_filename, json_testresults)
         if has_bb:
             bb.utils.unlockfile(lf)

meta/lib/oeqa/selftest/cases/reproducible.py

@@ -163,12 +163,8 @@ class ReproducibleTests(OESelftestTestCase):
             setattr(self, v.lower(), bb_vars[v])
 
         self.extraresults = {}
-        self.extraresults.setdefault('reproducible.rawlogs', {})['log'] = ''
         self.extraresults.setdefault('reproducible', {}).setdefault('files', {})
 
-    def append_to_log(self, msg):
-        self.extraresults['reproducible.rawlogs']['log'] += msg
-
     def compare_packages(self, reference_dir, test_dir, diffutils_sysroot):
         result = PackageCompareResults()
 
@@ -195,7 +191,7 @@ class ReproducibleTests(OESelftestTestCase):
 
     def write_package_list(self, package_class, name, packages):
         self.extraresults['reproducible']['files'].setdefault(package_class, {})[name] = [
-                {'reference': p.reference, 'test': p.test} for p in packages]
+                p.reference.split("/./")[1] for p in packages]
 
     def copy_file(self, source, dest):
         bb.utils.mkdirhier(os.path.dirname(dest))
@@ -282,8 +278,6 @@ class ReproducibleTests(OESelftestTestCase):
 
                 self.logger.info('Reproducibility summary for %s: %s' % (c, result))
 
-                self.append_to_log('\n'.join("%s: %s" % (r.status, r.test) for r in result.total))
-
                 self.write_package_list(package_class, 'missing', result.missing)
                 self.write_package_list(package_class, 'different', result.different)
                 self.write_package_list(package_class, 'different_excluded', result.different_excluded)

meta/lib/oeqa/utils/gitarchive.py

@@ -67,7 +67,7 @@ def git_commit_data(repo, data_dir, branch, message, exclude, notes, log):
 
         # Remove files that are excluded
         if exclude:
-            repo.run_cmd(['rm', '--cached'] + [f for f in exclude], env_update)
+            repo.run_cmd(['rm', '--cached', '--ignore-unmatch'] + [f for f in exclude], env_update)
 
         tree = repo.run_cmd('write-tree', env_update)
 
@@ -166,6 +166,8 @@ def gitarchive(data_dir, git_dir, no_create, bare, commit_msg_subject, commit_ms
         log.info("Pushing data to remote")
         data_repo.run_cmd(cmd)
 
+    return tag_name
+
 # Container class for tester revisions
 TestedRev = namedtuple('TestedRev', 'commit commit_number tags')
 

meta/recipes-bsp/grub/grub2.inc

@@ -49,6 +49,8 @@ SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae
 CVE_CHECK_IGNORE += "CVE-2019-14865"
 # Applies only to SUSE
 CVE_CHECK_IGNORE += "CVE-2021-46705"
+# not-applicable-platform: Applies only to RHEL/Fedora
+CVE_CHECK_IGNORE += "CVE-2024-1048 CVE-2023-4001"
 
 DEPENDS = "flex-native bison-native gettext-native"
 

meta/recipes-core/base-passwd/base-passwd/0001-Add-a-shutdown-group.patch

@@ -0,0 +1,26 @@
+From 8f3ace87df3aaad85946c22cae240532ea3e73b8 Mon Sep 17 00:00:00 2001
+From: Saul Wold <sgw@linux.intel.com>
+Date: Fri, 29 Apr 2022 13:32:27 +0000
+Subject: [PATCH] Add a shutdown group
+
+We need to have a shutdown group to allow the shutdown icon to work
+correctly. Any users that want to use shutdown like the xuser should
+be added to this group.
+
+Upstream-Status: Inappropriate [Embedded]
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+---
+ group.master | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/group.master b/group.master
+index ad1dd2d..1b5e2fb 100644
+--- a/group.master
++++ b/group.master
+@@ -35,5 +35,6 @@ sasl:*:45:
+ plugdev:*:46:
+ staff:*:50:
+ games:*:60:
++shutdown:*:70:
+ users:*:100:
+ nogroup:*:65534:

meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch

@@ -0,0 +1,30 @@
+From 9e57771d138ac423d5139b984b8c869122ce4976 Mon Sep 17 00:00:00 2001
+From: Alex Kiernan <alexk@zuma.ai>
+Date: Fri, 28 Jul 2023 10:28:57 +0100
+Subject: [PATCH] base-passwd: Add the sgx group
+
+To avoid errors from eudev/udev we need an sgx group, but if we add it
+via groupadd that causes shadow login to be brought into an image, which
+causes images which have CONFIG_MULTIUSER unset to fail with `setgid:
+Function not implemented` as shadow's login doesn't implement the
+heuristics which busybox has to handle this kernel configuration.
+
+Upstream-Status: Inappropriate [oe-specific]
+
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+---
+ group.master | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/group.master b/group.master
+index d34d2b832d43..e54fd1d2c6dc 100644
+--- a/group.master
++++ b/group.master
+@@ -34,6 +34,7 @@ video:*:44:
+ sasl:*:45:
+ plugdev:*:46:
+ kvm:*:47:
++sgx:*:48:
+ staff:*:50:
+ games:*:60:
+ shutdown:*:70:

meta/recipes-core/base-passwd/base-passwd/0002-Use-bin-sh-instead-of-bin-bash-for-the-root-user.patch

@@ -0,0 +1,23 @@
+From 4411fc0df77566d52bee11ec0bad4be30a96e99e Mon Sep 17 00:00:00 2001
+From: Scott Garman <scott.a.garman@intel.com>
+Date: Fri, 29 Apr 2022 13:32:27 +0000
+Subject: [PATCH] Use /bin/sh instead of /bin/bash for the root user
+
+/bin/bash may not be included in some images such as minimal.
+
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Scott Garman <scott.a.garman@intel.com>
+---
+ passwd.master | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/passwd.master b/passwd.master
+index 7cd4e24..041685a 100644
+--- a/passwd.master
++++ b/passwd.master
+@@ -1,4 +1,4 @@
+-root:*:0:0:root:/root:/bin/bash
++root:*:0:0:root:/root:/bin/sh
+ daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+ bin:*:2:2:bin:/bin:/usr/sbin/nologin
+ sys:*:3:3:sys:/dev:/usr/sbin/nologin

meta/recipes-core/base-passwd/base-passwd/0003-Remove-for-root-since-we-do-not-have-an-etc-shadow.patch

@@ -0,0 +1,21 @@
+From 13a1a284a134d18a454625a5b4485c0d99079ae9 Mon Sep 17 00:00:00 2001
+From: Scott Garman <scott.a.garman@intel.com>
+Date: Fri, 29 Apr 2022 13:32:28 +0000
+Subject: [PATCH] Remove "*" for root since we do not have an /etc/shadow
+
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Scott Garman <scott.a.garman@intel.com>
+---
+ passwd.master | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/passwd.master b/passwd.master
+index 041685a..31a84d4 100644
+--- a/passwd.master
++++ b/passwd.master
+@@ -1,4 +1,4 @@
+-root:*:0:0:root:/root:/bin/sh
++root::0:0:root:/root:/bin/sh
+ daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+ bin:*:2:2:bin:/bin:/usr/sbin/nologin
+ sys:*:3:3:sys:/dev:/usr/sbin/nologin

meta/recipes-core/base-passwd/base-passwd/0004-Add-an-input-group-for-the-dev-input-devices.patch

@@ -0,0 +1,23 @@
+From c5f012750f8102ff54af73ccc2d2b7bfa1f26db4 Mon Sep 17 00:00:00 2001
+From: Darren Hart <dvhart@linux.intel.com>
+Date: Fri, 29 Apr 2022 13:32:28 +0000
+Subject: [PATCH] Add an input group for the /dev/input/* devices
+
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Darren Hart <dvhart@linux.intel.com>
+---
+ group.master | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/group.master b/group.master
+index 1b5e2fb..cea9d60 100644
+--- a/group.master
++++ b/group.master
+@@ -12,6 +12,7 @@ uucp:*:10:
+ man:*:12:
+ proxy:*:13:
+ kmem:*:15:
++input:*:19:
+ dialout:*:20:
+ fax:*:21:
+ voice:*:22:

meta/recipes-core/base-passwd/base-passwd/0005-Add-kvm-group.patch

@@ -1,4 +1,4 @@
-From 6355278b9f744291864c373a32a8da8f84aaaf37 Mon Sep 17 00:00:00 2001
+From 6cf19461fb31d7a7a3010629aae9aab49c26a01b Mon Sep 17 00:00:00 2001
 From: Jacob Kroon <jacob.kroon@gmail.com>
 Date: Wed, 30 Jan 2019 04:53:48 +0000
 Subject: [PATCH] Add kvm group

meta/recipes-core/base-passwd/base-passwd/0006-Make-it-possible-to-build-without-debconf-support.patch

@@ -0,0 +1,129 @@
+From 236d6c8c0dd7e15d9a9795813b94bc87ce09eec5 Mon Sep 17 00:00:00 2001
+From: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
+Date: Fri, 29 Apr 2022 19:32:29 +0200
+Subject: [PATCH] Make it possible to build without debconf support
+
+Not all systems have the debconfclient library available.
+
+Upstream-Status: Backport [https://salsa.debian.org/debian/base-passwd/-/commit/c72aa5dd25a952da25e307761f4526db2c8c39ec]
+Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
+---
+ Makefile.am     |  1 -
+ configure.ac    | 13 +++++++++++++
+ update-passwd.c | 15 +++++++++++++++
+ 3 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 223916f..4bdd769 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -3,7 +3,6 @@ SUBDIRS = doc man
+ sbin_PROGRAMS = update-passwd
+ 
+ update_passwd_SOURCES = update-passwd.c
+-update_passwd_LDADD = -ldebconfclient
+ 
+ pkgdata_DATA = passwd.master group.master
+ 
+diff --git a/configure.ac b/configure.ac
+index 9d1ace5..1e35ad1 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -14,6 +14,19 @@ AC_SYS_LARGEFILE
+ dnl Scan for things we need
+ AC_CHECK_FUNCS([putgrent])
+ 
++dnl Check for debconf
++AC_MSG_CHECKING([whether to enable debconf support])
++AC_ARG_ENABLE([debconf],
++  [AS_HELP_STRING([--disable-debconf], [disable support for debconf])],
++  [],
++  [enable_debconf=yes])
++AC_MSG_RESULT($enable_debconf)
++AS_IF([test "x$enable_debconf" != xno],
++  [AC_CHECK_LIB([debconfclient], [debconfclient_new], [],
++    [AC_MSG_ERROR(
++      [debconf support not available (use --disable-debconf to disable)])])
++   AC_DEFINE([HAVE_DEBCONF], [1], [Define if you have libdebconfclient])])
++
+ dnl Finally output everything
+ AC_CONFIG_FILES([Makefile doc/Makefile man/Makefile])
+ AC_OUTPUT
+diff --git a/update-passwd.c b/update-passwd.c
+index 3f3dffa..5b49740 100644
+--- a/update-passwd.c
++++ b/update-passwd.c
+@@ -39,7 +39,9 @@
+ #include <stdarg.h>
+ #include <ctype.h>
+ 
++#ifdef HAVE_DEBCONF
+ #include <cdebconf/debconfclient.h>
++#endif
+ 
+ #define DEFAULT_PASSWD_MASTER	"/usr/share/base-passwd/passwd.master"
+ #define DEFAULT_GROUP_MASTER	"/usr/share/base-passwd/group.master"
+@@ -143,6 +145,7 @@ int		flag_debconf	= 0;
+ const char*	user_domain	= DEFAULT_DEBCONF_DOMAIN;
+ const char*	group_domain	= DEFAULT_DEBCONF_DOMAIN;
+ 
++#ifdef HAVE_DEBCONF
+ struct debconfclient*	debconf	= NULL;
+ 
+ /* Abort the program if talking to debconf fails.  Use ret exactly once. */
+@@ -162,6 +165,10 @@ struct debconfclient*	debconf	= NULL;
+     DEBCONF_CHECK(debconf_register(debconf, (template), (question)))
+ #define DEBCONF_SUBST(question, var, value) \
+     DEBCONF_CHECK(debconf_subst(debconf, (question), (var), (value)))
++#else
++#define DEBCONF_REGISTER(template, question)
++#define DEBCONF_SUBST(question, var, value)
++#endif
+ 
+ 
+ /* malloc() with out-of-memory checking.
+@@ -621,6 +628,7 @@ void version() {
+  * flag.  Aborts the problem on any failure.
+  */
+ int ask_debconf(const char* priority, const char* question) {
++#ifdef HAVE_DEBCONF
+     int		ret;
+     const char*	response;
+ 
+@@ -640,6 +648,9 @@ int ask_debconf(const char* priority, const char* question) {
+ 	return 1;
+     else
+ 	return 0;
++#else
++	return 0;
++#endif
+ }
+ 
+ 
+@@ -1427,6 +1438,7 @@ int main(int argc, char** argv) {
+     /* If DEBIAN_HAS_FRONTEND is set in the environment, we're running under
+      * debconf.  Enable debconf prompting unless --dry-run was also given.
+      */
++#ifdef HAVE_DEBCONF
+     if (getenv("DEBIAN_HAS_FRONTEND")!=NULL && !opt_dryrun) {
+ 	debconf=debconfclient_new();
+ 	if (debconf==NULL) {
+@@ -1435,6 +1447,7 @@ int main(int argc, char** argv) {
+ 	}
+ 	flag_debconf=1;
+     }
++#endif
+ 
+     if (read_passwd(&master_accounts, master_passwd)!=0)
+ 	return 2;
+@@ -1480,8 +1493,10 @@ int main(int argc, char** argv) {
+ 	if (!unlock_files())
+ 	    return 5;
+ 
++#ifdef HAVE_DEBCONF
+     if (debconf!=NULL)
+ 	debconfclient_delete(debconf);
++#endif
+ 
+     if (opt_dryrun)
+ 	return flag_dirty;

meta/recipes-core/base-passwd/base-passwd/0007-Make-it-possible-to-disable-the-generation-of-the-do.patch

@@ -0,0 +1,46 @@
+From 63e8270141a296843cfe1daba38e1969ac6d75ae Mon Sep 17 00:00:00 2001
+From: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
+Date: Sat, 30 Apr 2022 00:35:34 +0200
+Subject: [PATCH] Make it possible to disable the generation of the
+ documentation
+
+Not all systems have docbook and po4a available.
+
+Upstream-Status: Backport [https://salsa.debian.org/debian/base-passwd/-/commit/2a6d16e595c93084e279d0dcbef37d960b44fd1a]
+Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
+---
+ Makefile.am  | 2 ++
+ configure.ac | 9 +++++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index 4bdd769..97b4f42 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1,4 +1,6 @@
++if ENABLE_DOCS
+ SUBDIRS = doc man
++endif
+ 
+ sbin_PROGRAMS = update-passwd
+ 
+diff --git a/configure.ac b/configure.ac
+index 1e35ad1..b98374e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -27,6 +27,15 @@ AS_IF([test "x$enable_debconf" != xno],
+       [debconf support not available (use --disable-debconf to disable)])])
+    AC_DEFINE([HAVE_DEBCONF], [1], [Define if you have libdebconfclient])])
+ 
++dnl Check whether to build the documentation 
++AC_MSG_CHECKING([whether to build the documentation])
++AC_ARG_ENABLE([docs],
++  [AC_HELP_STRING([--disable-docs], [do not build and install documentation])],
++  [],
++  [enable_docs=yes])
++AC_MSG_RESULT($enable_docs)
++AM_CONDITIONAL(ENABLE_DOCS, test "x$enable_docs" = xyes)
++
+ dnl Finally output everything
+ AC_CONFIG_FILES([Makefile doc/Makefile man/Makefile])
+ AC_OUTPUT

meta/recipes-core/base-passwd/base-passwd/0008-Add-wheel-group.patch

@@ -0,0 +1,20 @@
+
+We need to have a wheel group which has some system privileges to consult the
+systemd journal or manage printers with cups.
+
+Upstream says the group does not exist by default.
+
+Upstream-Status: Inappropriate [enable feature]
+
+Signed-off-by: Louis Rannou <lrannou@baylibre.com>
+Index: base-passwd-3.5.26/group.master
+===================================================================
+--- base-passwd-3.5.29.orig/group.master
++++ base-passwd-3.5.29/group.master
+@@ -38,5 +38,6 @@
+ staff:*:50:
+ games:*:60:
+ shutdown:*:70:
++wheel:*:80:
+ users:*:100:
+ nogroup:*:65534:

meta/recipes-core/base-passwd/base-passwd/add_shutdown.patch

@@ -1,19 +0,0 @@
-
-We need to have a shutdown group to allow the shutdown icon
-to work correctly. Any users that want to use shutdown like
-the xuser should be added to this group.
-
-Upstream-Status: Inappropriate [Embedded]
-
-Signed-off-by: Saul Wold <sgw@linux.intel.com>
-Index: base-passwd-3.5.26/group.master
-===================================================================
---- base-passwd-3.5.26.orig/group.master
-+++ base-passwd-3.5.26/group.master
-@@ -36,5 +36,6 @@ sasl:*:45:
- plugdev:*:46:
- staff:*:50:
- games:*:60:
-+shutdown:*:70:
- users:*:100:
- nogroup:*:65534:

meta/recipes-core/base-passwd/base-passwd/disable-docs.patch

@@ -1,24 +0,0 @@
-Disable documentation for now as it uses tools currently not supported
-by OE-Core. It uses sgmltools and po4a.
-
-Upstream-Status: Inappropriate [OE-Core specific]
-Signed-off-by: Saul Wold <sgw@linux.intel.com>
-
-Index: base-passwd-3.5.28/Makefile.in
-===================================================================
---- base-passwd-3.5.28.orig/Makefile.in
-+++ base-passwd-3.5.28/Makefile.in
-@@ -25,13 +25,10 @@ gen_configure	= config.cache config.stat
- 		  confdefhs.h config.h Makefile
- 
- all: update-passwd
--	$(MAKE) -C doc all
--	$(MAKE) -C man all
- 
- install: all
- 	mkdir -p $(DESTDIR)$(sbindir)
- 	$(INSTALL) update-passwd $(DESTDIR)$(sbindir)/
--	$(MAKE) -C man install
- 
- update-passwd.o: version.h
- 

meta/recipes-core/base-passwd/base-passwd/disable-shell.patch

@@ -1,57 +0,0 @@
-From 91e0db96741359173ddf2be083aafcc1a3c32472 Mon Sep 17 00:00:00 2001
-From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
-Date: Mon, 18 Apr 2022 11:22:43 +0800
-Subject: [PATCH] Disable shell for default users
-
-Change the shell of all global static users other than root (which
-retains /bin/sh) and sync (as /bin/sync is rather harmless) to
-/sbin/nologin (as /usr/sbin/nologin does not exist in openembedded)
-
-Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base-passwd/3.5.30]
-Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
----
- passwd.master | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
-diff --git a/passwd.master b/passwd.master
-index e1c32ff..0cd5ffd 100644
---- a/passwd.master
-+++ b/passwd.master
-@@ -1,18 +1,18 @@
- root::0:0:root:/root:/bin/sh
--daemon:*:1:1:daemon:/usr/sbin:/bin/sh
--bin:*:2:2:bin:/bin:/bin/sh
--sys:*:3:3:sys:/dev:/bin/sh
-+daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
-+bin:*:2:2:bin:/bin:/sbin/nologin
-+sys:*:3:3:sys:/dev:/sbin/nologin
- sync:*:4:65534:sync:/bin:/bin/sync
--games:*:5:60:games:/usr/games:/bin/sh
--man:*:6:12:man:/var/cache/man:/bin/sh
--lp:*:7:7:lp:/var/spool/lpd:/bin/sh
--mail:*:8:8:mail:/var/mail:/bin/sh
--news:*:9:9:news:/var/spool/news:/bin/sh
--uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
--proxy:*:13:13:proxy:/bin:/bin/sh
--www-data:*:33:33:www-data:/var/www:/bin/sh
--backup:*:34:34:backup:/var/backups:/bin/sh
--list:*:38:38:Mailing List Manager:/var/list:/bin/sh
--irc:*:39:39:ircd:/var/run/ircd:/bin/sh
--gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
--nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
-+games:*:5:60:games:/usr/games:/sbin/nologin
-+man:*:6:12:man:/var/cache/man:/sbin/nologin
-+lp:*:7:7:lp:/var/spool/lpd:/sbin/nologin
-+mail:*:8:8:mail:/var/mail:/sbin/nologin
-+news:*:9:9:news:/var/spool/news:/sbin/nologin
-+uucp:*:10:10:uucp:/var/spool/uucp:/sbin/nologin
-+proxy:*:13:13:proxy:/bin:/sbin/nologin
-+www-data:*:33:33:www-data:/var/www:/sbin/nologin
-+backup:*:34:34:backup:/var/backups:/sbin/nologin
-+list:*:38:38:Mailing List Manager:/var/list:/sbin/nologin
-+irc:*:39:39:ircd:/var/run/ircd:/sbin/nologin
-+gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/sbin/nologin
-+nobody:*:65534:65534:nobody:/nonexistent:/sbin/nologin
---
-2.32.0
-

meta/recipes-core/base-passwd/base-passwd/input.patch

@@ -1,22 +0,0 @@
-Add an input group for the /dev/input/* devices.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Darren Hart <dvhart@linux.intel.com>
-
----
- group.master |    1 +
- 1 file changed, 1 insertion(+)
-
-Index: base-passwd-3.5.26/group.master
-===================================================================
---- base-passwd-3.5.26.orig/group.master
-+++ base-passwd-3.5.26/group.master
-@@ -12,6 +12,7 @@ uucp:*:10:
- man:*:12:
- proxy:*:13:
- kmem:*:15:
-+input:*:19:
- dialout:*:20:
- fax:*:21:
- voice:*:22:

meta/recipes-core/base-passwd/base-passwd/nobash.patch

@@ -1,15 +0,0 @@
-use /bin/sh instead of /bin/bash, since the latter may not be included in
-some images such as minimal
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Scott Garman <scott.a.garman@intel.com>
-
---- base-passwd/passwd.master~nobash
-+++ base-passwd/passwd.master
-@@ -1,4 +1,4 @@
--root:*:0:0:root:/root:/bin/bash
-+root:*:0:0:root:/root:/bin/sh
- daemon:*:1:1:daemon:/usr/sbin:/bin/sh
- bin:*:2:2:bin:/bin:/bin/sh
- sys:*:3:3:sys:/dev:/bin/sh

meta/recipes-core/base-passwd/base-passwd/noshadow.patch

@@ -1,14 +0,0 @@
-remove "*" for root since we don't have a /etc/shadow so far.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Scott Garman <scott.a.garman@intel.com>
-
---- base-passwd/passwd.master~nobash
-+++ base-passwd/passwd.master
-@@ -1,4 +1,4 @@
--root:*:0:0:root:/root:/bin/sh
-+root::0:0:root:/root:/bin/sh
- daemon:*:1:1:daemon:/usr/sbin:/bin/sh
- bin:*:2:2:bin:/bin:/bin/sh
- sys:*:3:3:sys:/dev:/bin/sh

meta/recipes-core/base-passwd/base-passwd_3.5.52.bb

@@ -5,27 +5,32 @@ SECTION = "base"
 LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a"
 
-RECIPE_NO_UPDATE_REASON = "Version 3.5.38 requires cdebconf for update-passwd utility"
-
-SRC_URI = "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar.gz \
-           file://add_shutdown.patch \
-           file://nobash.patch \
-           file://noshadow.patch \
-           file://input.patch \
-           file://disable-docs.patch \
-           file://kvm.patch \
-           file://disable-shell.patch \
+SRC_URI = "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar.xz \
+           file://0001-Add-a-shutdown-group.patch \
+           file://0002-Use-bin-sh-instead-of-bin-bash-for-the-root-user.patch \
+           file://0003-Remove-for-root-since-we-do-not-have-an-etc-shadow.patch \
+           file://0004-Add-an-input-group-for-the-dev-input-devices.patch \
+           file://0005-Add-kvm-group.patch \
+           file://0006-Make-it-possible-to-build-without-debconf-support.patch \
+           file://0007-Make-it-possible-to-disable-the-generation-of-the-do.patch \
+           file://0008-Add-wheel-group.patch \
+           file://0001-base-passwd-Add-the-sgx-group.patch \
            "
 
-SRC_URI[md5sum] = "6beccac48083fe8ae5048acd062e5421"
-SRC_URI[sha256sum] = "f0b66388b2c8e49c15692439d2bee63bcdd4bbbf7a782c7f64accc55986b6a36"
+SRC_URI[sha256sum] = "5dfec6556b5a16ecf14dd3f7c95b591d929270289268123f31a3d6317f95ccea"
 
 # the package is taken from launchpad; that source is static and goes stale
 # so we check the latest upstream from a directory that does get updated
 UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/b/base-passwd/"
 
+S = "${WORKDIR}/work"
+
 inherit autotools
 
+EXTRA_OECONF += "--disable-debconf --disable-docs"
+
+NOLOGIN ?= "${base_sbindir}/nologin"
+
 do_install () {
 	install -d -m 755 ${D}${sbindir}
 	install -o root -g root -p -m 755 ${B}/update-passwd ${D}${sbindir}/
@@ -37,6 +42,7 @@ do_install () {
 	install -d -m 755 ${D}${datadir}/base-passwd
 	install -o root -g root -p -m 644 ${S}/passwd.master ${D}${datadir}/base-passwd/
 	sed -i 's#:/root:#:${ROOT_HOME}:#' ${D}${datadir}/base-passwd/passwd.master
+	sed -i 's#/usr/sbin/nologin#${NOLOGIN}#' ${D}${datadir}/base-passwd/passwd.master
 	install -o root -g root -p -m 644 ${S}/group.master ${D}${datadir}/base-passwd/
 
 	install -d -m 755 ${D}${docdir}/${BPN}

meta/recipes-core/coreutils/coreutils/0001-split-do-not-shrink-hold-buffer.patch

@@ -0,0 +1,42 @@
+From 80dca40bbb36b7b1630bb5a43d62b3ff21b4e064 Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Mon, 25 Nov 2024 23:43:49 -0800
+Subject: [PATCH] split: do not shrink hold buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* src/split.c (line_bytes_split): Do not shrink hold buffer.
+If it’s large for this batch it’s likely to be large for the next
+batch, and for ‘split’ it’s not worth the complexity/CPU hassle to
+shrink it.  Do not assume hold_size can be bufsize.
+
+CVE: CVE-2024-0684
+
+Upstream-Status: Backport [c4c5ed8f4e9cd55a12966d4f520e3a13101637d9]
+
+The original patch is tweaked to fit the current version.
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/split.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/split.c b/src/split.c
+index 4b1b144..e44e867 100644
+--- a/src/split.c
++++ b/src/split.c
+@@ -785,10 +785,7 @@ line_bytes_split (uintmax_t n_bytes, char *buf, size_t bufsize)
+             {
+               cwrite (n_out == 0, hold, n_hold);
+               n_out += n_hold;
+-              if (n_hold > bufsize)
+-                hold = xrealloc (hold, bufsize);
+               n_hold = 0;
+-              hold_size = bufsize;
+             }
+ 
+           /* Output to eol if present.  */
+-- 
+2.25.1
+

meta/recipes-core/coreutils/coreutils_9.0.bb

@@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
            file://0001-local.mk-fix-cross-compiling-problem.patch \
            file://e8b56ebd536e82b15542a00c888109471936bfda.patch \
            file://run-ptest \
+           file://0001-split-do-not-shrink-hold-buffer.patch \
            "
 
 SRC_URI[sha256sum] = "ce30acdf4a41bc5bb30dd955e9eaa75fa216b4e3deb08889ed32433c7b3b97ce"

meta/recipes-core/dbus/dbus_1.14.8.bb

@@ -22,9 +22,8 @@ EXTRA_OECONF = "--disable-xml-docs \
                 --disable-doxygen-docs \
                 --enable-largefile \
                 --with-system-socket=/run/dbus/system_bus_socket \
-                --enable-tests \
+                --enable-modular-tests \
                 --enable-checks \
-                --enable-asserts \
                 --runstatedir=/run \
                 "
 EXTRA_OECONF:append:class-target = " SYSTEMCTL=${base_bindir}/systemctl"

meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-52533.patch

@@ -0,0 +1,49 @@
+From ec0b708b981af77fef8e4bbb603cde4de4cd2e29 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Thu, 19 Sep 2024 18:35:53 +0100
+Subject: [PATCH] gsocks4aproxy: Fix a single byte buffer overflow in connect
+ messages
+
+`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul
+byte in the connect message, which is an addition in SOCKSv4a vs
+SOCKSv4.
+
+This means that the buffer for building and transmitting the connect
+message could be overflowed if the username and hostname are both
+`SOCKS4_MAX_LEN` (255) bytes long.
+
+Proxy configurations are normally statically configured, so the username
+is very unlikely to be near its maximum length, and hence this overflow
+is unlikely to be triggered in practice.
+
+(Commit message by Philip Withnall, diagnosis and fix by Michael
+Catanzaro.)
+
+Fixes: #3461
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/ec0b708b981af77fef8e4bbb603cde4de4cd2e29]
+CVE: CVE-2024-52533
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ gio/gsocks4aproxy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c
+index 3dad118eb7..b3146d08fd 100644
+--- a/gio/gsocks4aproxy.c
++++ b/gio/gsocks4aproxy.c
+@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy)
+  * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+  * | VN | CD | DSTPORT |      DSTIP        | USERID       |NULL| HOST |    | NULL |
+  * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
+- *    1    1      2              4           variable       1    variable
++ *    1    1      2              4           variable       1    variable    1
+  */
+-#define SOCKS4_CONN_MSG_LEN	    (9 + SOCKS4_MAX_LEN * 2)
++#define SOCKS4_CONN_MSG_LEN	    (10 + SOCKS4_MAX_LEN * 2)
+ static gint
+ set_connect_msg (guint8      *msg,
+ 		 const gchar *hostname,
+-- 
+GitLab
+

meta/recipes-core/glib-2.0/glib-2.0/gdatetime-test-fail-0001.patch

@@ -0,0 +1,72 @@
+From 39af934b11ec7bb8f943ba963919816266a3316e Mon Sep 17 00:00:00 2001
+From: "Rebecca N. Palmer" <rebecca_palmer@zoho.com>
+Date: Fri, 11 Oct 2024 09:38:52 +0100
+Subject: [PATCH 1/3] gdatetime test: Do not assume PST8PDT was always exactly
+ -8/-7
+
+In newer tzdata, it is an alias for America/Los_Angeles, which has a
+slightly different meaning: DST did not exist there before 1883. As a
+result, we can no longer hard-code the knowledge that interval 0 is
+standard time and interval 1 is summer time, and instead we need to look
+up the correct intervals from known timestamps.
+
+Resolves: https://gitlab.gnome.org/GNOME/glib/-/issues/3502
+Bug-Debian: https://bugs.debian.org/1084190
+[smcv: expand commit message, fix whitespace]
+Signed-off-by: Simon McVittie <smcv@debian.org>
+
+Upstream-Status: Backport
+[https://github.com/GNOME/glib/commit/c0619f08e6c608fd6464d2f0c6970ef0bbfb9ecf]
+
+Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
+---
+ glib/tests/gdatetime.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/glib/tests/gdatetime.c b/glib/tests/gdatetime.c
+index 141263b66..cfe00906d 100644
+--- a/glib/tests/gdatetime.c
++++ b/glib/tests/gdatetime.c
+@@ -2625,6 +2625,7 @@ test_posix_parse (void)
+ {
+   GTimeZone *tz;
+   GDateTime *gdt1, *gdt2;
++  gint i1, i2;
+ 
+   /* Check that an unknown zone name falls back to UTC. */
+   G_GNUC_BEGIN_IGNORE_DEPRECATIONS
+@@ -2648,16 +2649,25 @@ test_posix_parse (void)
+ 
+ /* This fails rules_from_identifier on Unix (though not on Windows)
+  * but passes anyway because PST8PDT is a zone name.
++ *
++ * Intervals i1 and i2 (rather than 0 and 1) are needed because in
++ * recent tzdata, PST8PDT may be an alias for America/Los_Angeles,
++ * and hence be aware that DST has not always existed.
++ * https://bugs.debian.org/1084190
+  */
+   tz = g_time_zone_new_identifier ("PST8PDT");
+   g_assert_nonnull (tz);
+   g_assert_cmpstr (g_time_zone_get_identifier (tz), ==, "PST8PDT");
+-  g_assert_cmpstr (g_time_zone_get_abbreviation (tz, 0), ==, "PST");
+-  g_assert_cmpint (g_time_zone_get_offset (tz, 0), ==, - 8 * 3600);
+-  g_assert (!g_time_zone_is_dst (tz, 0));
+-  g_assert_cmpstr (g_time_zone_get_abbreviation (tz, 1), ==, "PDT");
+-  g_assert_cmpint (g_time_zone_get_offset (tz, 1), ==,- 7 * 3600);
+-  g_assert (g_time_zone_is_dst (tz, 1));
++  /* a date in winter = non-DST */
++  i1 = g_time_zone_find_interval (tz, G_TIME_TYPE_STANDARD, 0);
++  /* approximately 6 months in seconds, i.e. a date in summer = DST */
++  i2 = g_time_zone_find_interval (tz, G_TIME_TYPE_DAYLIGHT, 15000000);
++  g_assert_cmpstr (g_time_zone_get_abbreviation (tz, i1), ==, "PST");
++  g_assert_cmpint (g_time_zone_get_offset (tz, i1), ==, - 8 * 3600);
++  g_assert (!g_time_zone_is_dst (tz, i1));
++  g_assert_cmpstr (g_time_zone_get_abbreviation (tz, i2), ==, "PDT");
++  g_assert_cmpint (g_time_zone_get_offset (tz, i2), ==,- 7 * 3600);
++  g_assert (g_time_zone_is_dst (tz, i2));
+   g_time_zone_unref (tz);
+ 
+   tz = g_time_zone_new_identifier ("PST8PDT6:32:15");
+-- 
+2.34.1
+

meta/recipes-core/glib-2.0/glib-2.0/gdatetime-test-fail-0002.patch

@@ -0,0 +1,65 @@
+From 27eb6eb01d5752c201dd2ec02f656463d12ebee0 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@debian.org>
+Date: Fri, 18 Oct 2024 11:03:19 +0100
+Subject: [PATCH 2/3] gdatetime test: Try to make PST8PDT test more obviously
+ correct
+
+Instead of using timestamp 0 as a magic number (in this case interpreted
+as 1970-01-01T00:00:00-08:00), calculate a timestamp from a recent
+year/month/day in winter, in this case 2024-01-01T00:00:00-08:00.
+
+Similarly, instead of using a timestamp 15 million seconds later
+(1970-06-23T15:40:00-07:00), calculate a timestamp from a recent
+year/month/day in summer, in this case 2024-07-01T00:00:00-07:00.
+
+Signed-off-by: Simon McVittie <smcv@debian.org>
+
+Upstream-Status: Backport
+[https://github.com/GNOME/glib/commit/30e9cfa5733003cd1079e0e9e8a4bff1a191171a]
+
+Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
+---
+ glib/tests/gdatetime.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/glib/tests/gdatetime.c b/glib/tests/gdatetime.c
+index cfe00906d..22aa5112a 100644
+--- a/glib/tests/gdatetime.c
++++ b/glib/tests/gdatetime.c
+@@ -2649,19 +2649,16 @@ test_posix_parse (void)
+ 
+ /* This fails rules_from_identifier on Unix (though not on Windows)
+  * but passes anyway because PST8PDT is a zone name.
+- *
+- * Intervals i1 and i2 (rather than 0 and 1) are needed because in
+- * recent tzdata, PST8PDT may be an alias for America/Los_Angeles,
+- * and hence be aware that DST has not always existed.
+- * https://bugs.debian.org/1084190
+  */
+   tz = g_time_zone_new_identifier ("PST8PDT");
+   g_assert_nonnull (tz);
+   g_assert_cmpstr (g_time_zone_get_identifier (tz), ==, "PST8PDT");
+   /* a date in winter = non-DST */
+-  i1 = g_time_zone_find_interval (tz, G_TIME_TYPE_STANDARD, 0);
+-  /* approximately 6 months in seconds, i.e. a date in summer = DST */
+-  i2 = g_time_zone_find_interval (tz, G_TIME_TYPE_DAYLIGHT, 15000000);
++  gdt1 = g_date_time_new (tz, 2024, 1, 1, 0, 0, 0);
++  i1 = g_time_zone_find_interval (tz, G_TIME_TYPE_STANDARD, g_date_time_to_unix (gdt1));
++  /* a date in summer = DST */
++  gdt2 = g_date_time_new (tz, 2024, 7, 1, 0, 0, 0);
++  i2 = g_time_zone_find_interval (tz, G_TIME_TYPE_DAYLIGHT, g_date_time_to_unix (gdt2));
+   g_assert_cmpstr (g_time_zone_get_abbreviation (tz, i1), ==, "PST");
+   g_assert_cmpint (g_time_zone_get_offset (tz, i1), ==, - 8 * 3600);
+   g_assert (!g_time_zone_is_dst (tz, i1));
+@@ -2669,6 +2666,8 @@ test_posix_parse (void)
+   g_assert_cmpint (g_time_zone_get_offset (tz, i2), ==,- 7 * 3600);
+   g_assert (g_time_zone_is_dst (tz, i2));
+   g_time_zone_unref (tz);
++  g_date_time_unref (gdt1);
++  g_date_time_unref (gdt2);
+ 
+   tz = g_time_zone_new_identifier ("PST8PDT6:32:15");
+ #ifdef G_OS_WIN32
+-- 
+2.34.1
+

meta/recipes-core/glib-2.0/glib-2.0/gdatetime-test-fail-0003.patch

@@ -0,0 +1,63 @@
+From 9dd5e9f49620f13a3eaf2b862b7aa3c680953f01 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@debian.org>
+Date: Fri, 18 Oct 2024 11:23:42 +0100
+Subject: [PATCH 3/3] gdatetime test: Fall back if legacy System V PST8PDT is
+ not available
+
+On recent versions of Debian, PST8PDT is part of the tzdata-legacy
+package, which is not always installed and might disappear in future.
+Successfully tested with and without tzdata-legacy on Debian unstable.
+
+Signed-off-by: Simon McVittie <smcv@debian.org>
+
+Upstream-Status: Backport
+[https://github.com/GNOME/glib/commit/fe2699369f79981dcf913af4cfd98b342b84a9c1]
+
+Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
+---
+ glib/tests/gdatetime.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/glib/tests/gdatetime.c b/glib/tests/gdatetime.c
+index 22aa5112a..4e963b171 100644
+--- a/glib/tests/gdatetime.c
++++ b/glib/tests/gdatetime.c
+@@ -2626,6 +2626,7 @@ test_posix_parse (void)
+   GTimeZone *tz;
+   GDateTime *gdt1, *gdt2;
+   gint i1, i2;
++  const char *expect_id;
+ 
+   /* Check that an unknown zone name falls back to UTC. */
+   G_GNUC_BEGIN_IGNORE_DEPRECATIONS
+@@ -2648,11 +2649,25 @@ test_posix_parse (void)
+   g_time_zone_unref (tz);
+ 
+ /* This fails rules_from_identifier on Unix (though not on Windows)
+- * but passes anyway because PST8PDT is a zone name.
++ * but can pass anyway because PST8PDT is a legacy System V zone name.
+  */
+   tz = g_time_zone_new_identifier ("PST8PDT");
++  expect_id = "PST8PDT";
++
++#ifndef G_OS_WIN32
++  /* PST8PDT is in tzdata's "backward" set, packaged as tzdata-legacy and
++   * not always present in some OSs; fall back to the equivalent geographical
++   * name if the "backward" time zones are absent. */
++  if (tz == NULL)
++    {
++      g_test_message ("Legacy PST8PDT time zone not available, falling back");
++      tz = g_time_zone_new_identifier ("America/Los_Angeles");
++      expect_id = "America/Los_Angeles";
++    }
++#endif
++
+   g_assert_nonnull (tz);
+-  g_assert_cmpstr (g_time_zone_get_identifier (tz), ==, "PST8PDT");
++  g_assert_cmpstr (g_time_zone_get_identifier (tz), ==, expect_id);
+   /* a date in winter = non-DST */
+   gdt1 = g_date_time_new (tz, 2024, 1, 1, 0, 0, 0);
+   i1 = g_time_zone_find_interval (tz, G_TIME_TYPE_STANDARD, g_date_time_to_unix (gdt1));
+-- 
+2.34.1
+

meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb

@@ -50,6 +50,10 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
            file://CVE-2024-34397_17.patch \
            file://CVE-2024-34397_18.patch \
            file://0001-gvariant-serialiser-Convert-endianness-of-offsets.patch \
+           file://CVE-2024-52533.patch \
+           file://gdatetime-test-fail-0001.patch \
+           file://gdatetime-test-fail-0002.patch \
+           file://gdatetime-test-fail-0003.patch \
            "
 SRC_URI:append:class-native = " file://relocate-modules.patch"
 

meta/recipes-core/images/build-appliance-image_15.0.0.bb

@@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk wic.vhd wic.vhdx"
 
 inherit core-image setuptools3
 
-SRCREV ?= "1784189462779fc573c9537c3f352f8586a2e959"
+SRCREV ?= "cb03c7cf84b3e5a974395f7c02754a01913ddbe1"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=kirkstone \
            file://Yocto_Build_Appliance.vmx \
            file://Yocto_Build_Appliance.vmxf \

meta/recipes-core/meta/cve-update-nvd2-native.bb

@@ -85,6 +85,8 @@ python do_fetch() {
     if update_db_file(db_tmp_file, d, database_time) == True:
         # Update downloaded correctly, can swap files
         shutil.move(db_tmp_file, db_file)
+        # Need to 'touch' the file to ensure NFS sees the data
+        os.utime(db_file)
     else:
         # Update failed, do not modify the database
         bb.warn("CVE database update failed")

meta/recipes-core/ovmf/ovmf/0001-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch

@@ -0,0 +1,51 @@
+From 63f29c180dd04d13614440740a8795ee422567b8 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Fri, 22 Nov 2024 17:43:28 +0800
+Subject: [PATCH] MdeModulePkg: Potential UINT32 overflow in S3 ResumeCount
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4677
+
+Attacker able to modify physical memory and ResumeCount.
+System will crash/DoS when ResumeCount reaches its MAX_UINT32.
+
+Cc: Zhiguang Liu <zhiguang.liu@intel.com>
+Cc: Dandan Bi <dandan.bi@intel.com>
+Cc: Liming Gao <gaoliming@byosoft.com.cn>
+
+Signed-off-by: Pakkirisamy ShanmugavelX <shanmugavelx.pakkirisamy@intel.com>
+Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
+
+CVE: CVE-2024-1298
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/284dbac43da752ee34825c8b3f6f9e8281cb5a19]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../FirmwarePerformancePei.c                         | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
+index 2f2b2a80b2..2ba9215226 100644
+--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
+@@ -112,11 +112,15 @@ FpdtStatusCodeListenerPei (
+   //
+   S3ResumeTotal = MultU64x32 (AcpiS3ResumeRecord->AverageResume, AcpiS3ResumeRecord->ResumeCount);
+   AcpiS3ResumeRecord->ResumeCount++;
+-  AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount);
++  if (AcpiS3ResumeRecord->ResumeCount > 0) {
++    AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount);
++    DEBUG ((DEBUG_INFO, "\nFPDT: S3 Resume Performance - AverageResume = 0x%x\n", AcpiS3ResumeRecord->AverageResume));
++  } else {
++    DEBUG ((DEBUG_ERROR, "\nFPDT: S3 ResumeCount reaches the MAX_UINT32 value. S3 ResumeCount record reset to Zero."));
++  }
+ 
+-  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - ResumeCount   = %d\n", AcpiS3ResumeRecord->ResumeCount));
+-  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - FullResume    = %ld\n", AcpiS3ResumeRecord->FullResume));
+-  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - AverageResume = %ld\n", AcpiS3ResumeRecord->AverageResume));
++  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - ResumeCount   = 0x%x\n", AcpiS3ResumeRecord->ResumeCount));
++  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - FullResume    = 0x%x\n", AcpiS3ResumeRecord->FullResume));
+ 
+   //
+   // Update S3 Suspend Performance Record.
+-- 
+2.34.1
+

meta/recipes-core/ovmf/ovmf/0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch

@@ -0,0 +1,37 @@
+From c4d6af8428375c0343fcfd20bf1465e6d4be4690 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Fri, 22 Nov 2024 17:44:27 +0800
+Subject: [PATCH] MdePkg: Fix overflow issue in BasePeCoffLib
+
+The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is
+also a UINT32 value. The current code does not check for overflow when
+adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a
+check to ensure that the addition does not overflow.
+
+Signed-off-by: Doug Flick <dougflick@microsoft.com>
+Authored-by: sriraamx gobichettipalayam <sri..@intel.com>
+
+CVE: CVE-2024-38796
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/c95233b8525ca6828921affd1496146cff262e65]
+
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+index 6d8d9faeb8..2339b111b5 100644
+--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
++++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c
+@@ -1014,7 +1014,7 @@ PeCoffLoaderRelocateImage (
+     RelocDir = &Hdr.Te->DataDirectory[0];
+   }
+ 
+-  if ((RelocDir != NULL) && (RelocDir->Size > 0)) {
++  if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) {
+     RelocBase    = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset);
+     RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (
+                                                   ImageContext,
+-- 
+2.34.1
+

meta/recipes-core/ovmf/ovmf/CVE-2022-36763-0001.patch

@@ -0,0 +1,985 @@
+From 224446543206450ddb5830e6abd026d61d3c7f4b Mon Sep 17 00:00:00 2001
+From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
+Date: Fri, 12 Jan 2024 02:16:01 +0800
+Subject: [PATCH] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117 - CVE
+ 2022-36763
+
+This commit contains the patch files and tests for DxeTpm2MeasureBootLib
+CVE 2022-36763.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+
+CVE: CVE-2022-36763
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/224446543206450ddb5830e6abd026d61d3c7f4b]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../DxeTpm2MeasureBootLib.c                   |  69 ++--
+ .../DxeTpm2MeasureBootLib.inf                 |   4 +-
+ .../DxeTpm2MeasureBootLibSanitization.c       | 275 ++++++++++++++++
+ .../DxeTpm2MeasureBootLibSanitization.h       | 113 +++++++
+ .../DxeTpm2MeasureBootLibSanitizationTest.c   | 303 ++++++++++++++++++
+ ...Tpm2MeasureBootLibSanitizationTestHost.inf |  28 ++
+ SecurityPkg/SecurityPkg.ci.yaml               |   1 +
+ 7 files changed, 763 insertions(+), 30 deletions(-)
+ create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+ create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+ create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+ create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf
+
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+index 36a256a7af..0475103d6e 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+@@ -20,6 +20,8 @@ Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
+ (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
++Copyright (c) Microsoft Corporation.<BR>
++SPDX-License-Identifier: BSD-2-Clause-Patent
+ **/
+ 
+ #include <PiDxe.h>
+@@ -44,6 +46,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ #include <Library/HobLib.h>
+ #include <Protocol/CcMeasurement.h>
+ 
++#include "DxeTpm2MeasureBootLibSanitization.h"
++
+ typedef struct {
+   EFI_TCG2_PROTOCOL              *Tcg2Protocol;
+   EFI_CC_MEASUREMENT_PROTOCOL    *CcProtocol;
+@@ -144,10 +148,11 @@ Tcg2MeasureGptTable (
+   EFI_TCG2_EVENT               *Tcg2Event;
+   EFI_CC_EVENT                 *CcEvent;
+   EFI_GPT_DATA                 *GptData;
+-  UINT32                       EventSize;
++  UINT32                       TcgEventSize;
+   EFI_TCG2_PROTOCOL            *Tcg2Protocol;
+   EFI_CC_MEASUREMENT_PROTOCOL  *CcProtocol;
+   EFI_CC_MR_INDEX              MrIndex;
++  UINT32                       AllocSize;
+ 
+   if (mTcg2MeasureGptCount > 0) {
+     return EFI_SUCCESS;
+@@ -195,25 +200,22 @@ Tcg2MeasureGptTable (
+                      BlockIo->Media->BlockSize,
+                      (UINT8 *)PrimaryHeader
+                      );
+-  if (EFI_ERROR (Status)) {
+-    DEBUG ((DEBUG_ERROR, "Failed to Read Partition Table Header!\n"));
++  if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
++    DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n"));
+     FreePool (PrimaryHeader);
+     return EFI_DEVICE_ERROR;
+   }
+ 
+   //
+-  // PrimaryHeader->SizeOfPartitionEntry should not be zero
++  // Read the partition entry.
+   //
+-  if (PrimaryHeader->SizeOfPartitionEntry == 0) {
+-    DEBUG ((DEBUG_ERROR, "SizeOfPartitionEntry should not be zero!\n"));
++  Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
++  if (EFI_ERROR (Status)) {
+     FreePool (PrimaryHeader);
+     return EFI_BAD_BUFFER_SIZE;
+   }
+ 
+-  //
+-  // Read the partition entry.
+-  //
+-  EntryPtr = (UINT8 *)AllocatePool (PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry);
++  EntryPtr = (UINT8 *)AllocatePool (AllocSize);
+   if (EntryPtr == NULL) {
+     FreePool (PrimaryHeader);
+     return EFI_OUT_OF_RESOURCES;
+@@ -223,7 +225,7 @@ Tcg2MeasureGptTable (
+                      DiskIo,
+                      BlockIo->Media->MediaId,
+                      MultU64x32 (PrimaryHeader->PartitionEntryLBA, BlockIo->Media->BlockSize),
+-                     PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry,
++                     AllocSize,
+                      EntryPtr
+                      );
+   if (EFI_ERROR (Status)) {
+@@ -248,16 +250,21 @@ Tcg2MeasureGptTable (
+   //
+   // Prepare Data for Measurement (CcProtocol and Tcg2Protocol)
+   //
+-  EventSize = (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions)
+-                       + NumberOfPartition * PrimaryHeader->SizeOfPartitionEntry);
+-  EventPtr = (UINT8 *)AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event));
++  Status = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &TcgEventSize);
++  if (EFI_ERROR (Status)) {
++    FreePool (PrimaryHeader);
++    FreePool (EntryPtr);
++    return EFI_DEVICE_ERROR;
++  }
++
++  EventPtr = (UINT8 *)AllocateZeroPool (TcgEventSize);
+   if (EventPtr == NULL) {
+     Status = EFI_OUT_OF_RESOURCES;
+     goto Exit;
+   }
+ 
+   Tcg2Event                       = (EFI_TCG2_EVENT *)EventPtr;
+-  Tcg2Event->Size                 = EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event);
++  Tcg2Event->Size                 = TcgEventSize;
+   Tcg2Event->Header.HeaderSize    = sizeof (EFI_TCG2_EVENT_HEADER);
+   Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
+   Tcg2Event->Header.PCRIndex      = 5;
+@@ -310,7 +317,7 @@ Tcg2MeasureGptTable (
+                                             CcProtocol,
+                                             0,
+                                             (EFI_PHYSICAL_ADDRESS)(UINTN)(VOID *)GptData,
+-                                            (UINT64)EventSize,
++                                            (UINT64)TcgEventSize - OFFSET_OF (EFI_TCG2_EVENT, Event),
+                                             CcEvent
+                                             );
+     if (!EFI_ERROR (Status)) {
+@@ -326,7 +333,7 @@ Tcg2MeasureGptTable (
+                              Tcg2Protocol,
+                              0,
+                              (EFI_PHYSICAL_ADDRESS)(UINTN)(VOID *)GptData,
+-                             (UINT64)EventSize,
++                             (UINT64)TcgEventSize -  OFFSET_OF (EFI_TCG2_EVENT, Event),
+                              Tcg2Event
+                              );
+     if (!EFI_ERROR (Status)) {
+@@ -443,11 +450,13 @@ Tcg2MeasurePeImage (
+       Tcg2Event->Header.PCRIndex  = 2;
+       break;
+     default:
+-      DEBUG ((
+-        DEBUG_ERROR,
+-        "Tcg2MeasurePeImage: Unknown subsystem type %d",
+-        ImageType
+-        ));
++      DEBUG (
++        (
++         DEBUG_ERROR,
++         "Tcg2MeasurePeImage: Unknown subsystem type %d",
++         ImageType
++        )
++        );
+       goto Finish;
+   }
+ 
+@@ -515,7 +524,7 @@ Finish:
+ 
+   @param  MeasureBootProtocols  Pointer to the located measure boot protocol instances.
+ 
+-  @retval EFI_SUCCESS           Sucessfully locate the measure boot protocol instances (at least one instance).
++  @retval EFI_SUCCESS           Successfully locate the measure boot protocol instances (at least one instance).
+   @retval EFI_UNSUPPORTED       Measure boot is not supported.
+ **/
+ EFI_STATUS
+@@ -646,12 +655,14 @@ DxeTpm2MeasureBootHandler (
+     return EFI_SUCCESS;
+   }
+ 
+-  DEBUG ((
+-    DEBUG_INFO,
+-    "Tcg2Protocol = %p, CcMeasurementProtocol = %p\n",
+-    MeasureBootProtocols.Tcg2Protocol,
+-    MeasureBootProtocols.CcProtocol
+-    ));
++  DEBUG (
++    (
++     DEBUG_INFO,
++     "Tcg2Protocol = %p, CcMeasurementProtocol = %p\n",
++     MeasureBootProtocols.Tcg2Protocol,
++     MeasureBootProtocols.CcProtocol
++    )
++    );
+ 
+   //
+   // Copy File Device Path
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+index 6dca79a20c..28995f438d 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+@@ -37,6 +37,8 @@
+ 
+ [Sources]
+   DxeTpm2MeasureBootLib.c
++  DxeTpm2MeasureBootLibSanitization.c
++  DxeTpm2MeasureBootLibSanitization.h
+ 
+ [Packages]
+   MdePkg/MdePkg.dec
+@@ -46,6 +48,7 @@
+ 
+ [LibraryClasses]
+   BaseMemoryLib
++  SafeIntLib
+   DebugLib
+   MemoryAllocationLib
+   DevicePathLib
+@@ -65,4 +68,3 @@
+   gEfiFirmwareVolumeBlockProtocolGuid   ## SOMETIMES_CONSUMES
+   gEfiBlockIoProtocolGuid               ## SOMETIMES_CONSUMES
+   gEfiDiskIoProtocolGuid                ## SOMETIMES_CONSUMES
+-
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+new file mode 100644
+index 0000000000..e2309655d3
+--- /dev/null
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+@@ -0,0 +1,275 @@
++/** @file
++  The library instance provides security service of TPM2 measure boot and
++  Confidential Computing (CC) measure boot.
++
++  Caution: This file requires additional review when modified.
++  This library will have external input - PE/COFF image and GPT partition.
++  This external input must be validated carefully to avoid security issue like
++  buffer overflow, integer overflow.
++
++  This file will pull out the validation logic from the following functions, in an
++  attempt to validate the untrusted input in the form of unit tests
++
++  These are those functions:
++
++  DxeTpm2MeasureBootLibImageRead() function will make sure the PE/COFF image content
++  read is within the image buffer.
++
++  Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse
++  partition data carefully.
++
++  Copyright (c) Microsoft Corporation.<BR>
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++#include <Uefi.h>
++#include <Uefi/UefiSpec.h>
++#include <Library/SafeIntLib.h>
++#include <Library/UefiLib.h>
++#include <Library/DebugLib.h>
++#include <Library/BaseLib.h>
++#include <IndustryStandard/UefiTcgPlatform.h>
++#include <Protocol/BlockIo.h>
++#include <Library/MemoryAllocationLib.h>
++
++#include "DxeTpm2MeasureBootLibSanitization.h"
++
++#define GPT_HEADER_REVISION_V1  0x00010000
++
++/**
++  This function will validate the EFI_PARTITION_TABLE_HEADER structure is safe to parse
++  However this function will not attempt to verify the validity of the GPT partition
++  It will check the following:
++    - Signature
++    - Revision
++    - AlternateLBA
++    - FirstUsableLBA
++    - LastUsableLBA
++    - PartitionEntryLBA
++    - NumberOfPartitionEntries
++    - SizeOfPartitionEntry
++    - BlockIo
++
++  @param[in] PrimaryHeader
++    Pointer to the EFI_PARTITION_TABLE_HEADER structure.
++
++  @param[in] BlockIo
++    Pointer to the EFI_BLOCK_IO_PROTOCOL structure.
++
++  @retval EFI_SUCCESS
++    The EFI_PARTITION_TABLE_HEADER structure is valid.
++
++  @retval EFI_INVALID_PARAMETER
++    The EFI_PARTITION_TABLE_HEADER structure is invalid.
++**/
++EFI_STATUS
++EFIAPI
++SanitizeEfiPartitionTableHeader (
++  IN CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
++  IN CONST EFI_BLOCK_IO_PROTOCOL       *BlockIo
++  )
++{
++  //
++  // Verify that the input parameters are safe to use
++  //
++  if (PrimaryHeader == NULL) {
++    DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header!\n"));
++    return EFI_INVALID_PARAMETER;
++  }
++
++  if ((BlockIo == NULL) || (BlockIo->Media == NULL)) {
++    DEBUG ((DEBUG_ERROR, "Invalid BlockIo!\n"));
++    return EFI_INVALID_PARAMETER;
++  }
++
++  //
++  // The signature must be EFI_PTAB_HEADER_ID ("EFI PART" in ASCII)
++  //
++  if (PrimaryHeader->Header.Signature != EFI_PTAB_HEADER_ID) {
++    DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header!\n"));
++    return EFI_DEVICE_ERROR;
++  }
++
++  //
++  // The version must be GPT_HEADER_REVISION_V1 (0x00010000)
++  //
++  if (PrimaryHeader->Header.Revision != GPT_HEADER_REVISION_V1) {
++    DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header Revision!\n"));
++    return EFI_DEVICE_ERROR;
++  }
++
++  //
++  // The HeaderSize must be greater than or equal to 92 and must be less than or equal to the logical block size
++  //
++  if ((PrimaryHeader->Header.HeaderSize < sizeof (EFI_PARTITION_TABLE_HEADER)) || (PrimaryHeader->Header.HeaderSize > BlockIo->Media->BlockSize)) {
++    DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header HeaderSize!\n"));
++    return EFI_DEVICE_ERROR;
++  }
++
++  //
++  // The partition entries should all be before the first usable block
++  //
++  if (PrimaryHeader->FirstUsableLBA <= PrimaryHeader->PartitionEntryLBA) {
++    DEBUG ((DEBUG_ERROR, "GPT PartitionEntryLBA is not less than FirstUsableLBA!\n"));
++    return EFI_DEVICE_ERROR;
++  }
++
++  //
++  // Check that the PartitionEntryLBA greater than the Max LBA
++  // This will be used later for multiplication
++  //
++  if (PrimaryHeader->PartitionEntryLBA > DivU64x32 (MAX_UINT64, BlockIo->Media->BlockSize)) {
++    DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header PartitionEntryLBA!\n"));
++    return EFI_DEVICE_ERROR;
++  }
++
++  //
++  // Check that the number of partition entries is greater than zero
++  //
++  if (PrimaryHeader->NumberOfPartitionEntries == 0) {
++    DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header NumberOfPartitionEntries!\n"));
++    return EFI_DEVICE_ERROR;
++  }
++
++  //
++  // SizeOfPartitionEntry must be 128, 256, 512... improper size may lead to accessing uninitialized memory
++  //
++  if ((PrimaryHeader->SizeOfPartitionEntry < 128) || ((PrimaryHeader->SizeOfPartitionEntry & (PrimaryHeader->SizeOfPartitionEntry - 1)) != 0)) {
++    DEBUG ((DEBUG_ERROR, "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!\n"));
++    return EFI_DEVICE_ERROR;
++  }
++
++  //
++  // This check is to prevent overflow when calculating the allocation size for the partition entries
++  // This check will be used later for multiplication
++  //
++  if (PrimaryHeader->NumberOfPartitionEntries > DivU64x32 (MAX_UINT64, PrimaryHeader->SizeOfPartitionEntry)) {
++    DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header NumberOfPartitionEntries!\n"));
++    return EFI_DEVICE_ERROR;
++  }
++
++  return EFI_SUCCESS;
++}
++
++/**
++  This function will validate that the allocation size from the primary header is sane
++  It will check the following:
++    - AllocationSize does not overflow
++
++  @param[in] PrimaryHeader
++    Pointer to the EFI_PARTITION_TABLE_HEADER structure.
++
++  @param[out] AllocationSize
++    Pointer to the allocation size.
++
++  @retval EFI_SUCCESS
++    The allocation size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    The allocation size is invalid.
++**/
++EFI_STATUS
++EFIAPI
++SanitizePrimaryHeaderAllocationSize (
++  IN CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
++  OUT UINT32                           *AllocationSize
++  )
++{
++  EFI_STATUS  Status;
++
++  if (PrimaryHeader == NULL) {
++    return EFI_INVALID_PARAMETER;
++  }
++
++  if (AllocationSize == NULL) {
++    return EFI_INVALID_PARAMETER;
++  }
++
++  //
++  // Replacing logic:
++  // PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry;
++  //
++  Status = SafeUint32Mult (PrimaryHeader->NumberOfPartitionEntries, PrimaryHeader->SizeOfPartitionEntry, AllocationSize);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "Allocation Size would have overflowed!\n"));
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  return EFI_SUCCESS;
++}
++
++/**
++  This function will validate that the Gpt Event Size calculated from the primary header is sane
++  It will check the following:
++    - EventSize does not overflow
++
++  Important: This function includes the entire length of the allocated space, including
++  (sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)) . When hashing the buffer allocated with this
++  size, the caller must subtract the size of the (sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event))
++  from the size of the buffer before hashing.
++
++  @param[in] PrimaryHeader - Pointer to the EFI_PARTITION_TABLE_HEADER structure.
++  @param[in] NumberOfPartition - Number of partitions.
++  @param[out] EventSize - Pointer to the event size.
++
++  @retval EFI_SUCCESS
++    The event size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    Overflow would have occurred.
++
++  @retval EFI_INVALID_PARAMETER
++    One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePrimaryHeaderGptEventSize (
++  IN  CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
++  IN  UINTN                             NumberOfPartition,
++  OUT UINT32                            *EventSize
++  )
++{
++  EFI_STATUS  Status;
++  UINT32      SafeNumberOfPartitions;
++
++  if (PrimaryHeader == NULL) {
++    return EFI_INVALID_PARAMETER;
++  }
++
++  if (EventSize == NULL) {
++    return EFI_INVALID_PARAMETER;
++  }
++
++  //
++  // We shouldn't even attempt to perform the multiplication if the number of partitions is greater than the maximum value of UINT32
++  //
++  Status = SafeUintnToUint32 (NumberOfPartition, &SafeNumberOfPartitions);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "NumberOfPartition would have overflowed!\n"));
++    return EFI_INVALID_PARAMETER;
++  }
++
++  //
++  // Replacing logic:
++  // (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions) + NumberOfPartition * PrimaryHeader.SizeOfPartitionEntry);
++  //
++  Status = SafeUint32Mult (SafeNumberOfPartitions, PrimaryHeader->SizeOfPartitionEntry, EventSize);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "Event Size would have overflowed!\n"));
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  //
++  // Replacing logic:
++  // *EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event);
++  //
++  Status = SafeUint32Add (
++             OFFSET_OF (EFI_TCG2_EVENT, Event) + OFFSET_OF (EFI_GPT_DATA, Partitions),
++             *EventSize,
++             EventSize
++             );
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "Event Size would have overflowed because of GPTData!\n"));
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  return EFI_SUCCESS;
++}
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+new file mode 100644
+index 0000000000..048b738987
+--- /dev/null
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+@@ -0,0 +1,113 @@
++/** @file
++  This file includes the function prototypes for the sanitization functions.
++
++  These are those functions:
++
++  DxeTpm2MeasureBootLibImageRead() function will make sure the PE/COFF image content
++  read is within the image buffer.
++
++  Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse
++  partition data carefully.
++
++  Copyright (c) Microsoft Corporation.<BR>
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++
++**/
++
++#ifndef DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_
++#define DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_
++
++#include <Uefi.h>
++#include <Uefi/UefiSpec.h>
++#include <Protocol/BlockIo.h>
++#include <IndustryStandard/UefiTcgPlatform.h>
++#include <Protocol/Tcg2Protocol.h>
++
++/**
++  This function will validate the EFI_PARTITION_TABLE_HEADER structure is safe to parse
++  However this function will not attempt to verify the validity of the GPT partition
++  It will check the following:
++    - Signature
++    - Revision
++    - AlternateLBA
++    - FirstUsableLBA
++    - LastUsableLBA
++    - PartitionEntryLBA
++    - NumberOfPartitionEntries
++    - SizeOfPartitionEntry
++    - BlockIo
++
++  @param[in] PrimaryHeader
++    Pointer to the EFI_PARTITION_TABLE_HEADER structure.
++
++  @param[in] BlockIo
++    Pointer to the EFI_BLOCK_IO_PROTOCOL structure.
++
++  @retval EFI_SUCCESS
++    The EFI_PARTITION_TABLE_HEADER structure is valid.
++
++  @retval EFI_INVALID_PARAMETER
++    The EFI_PARTITION_TABLE_HEADER structure is invalid.
++**/
++EFI_STATUS
++EFIAPI
++SanitizeEfiPartitionTableHeader (
++  IN CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
++  IN CONST EFI_BLOCK_IO_PROTOCOL       *BlockIo
++  );
++
++/**
++  This function will validate that the allocation size from the primary header is sane
++  It will check the following:
++    - AllocationSize does not overflow
++
++  @param[in] PrimaryHeader
++    Pointer to the EFI_PARTITION_TABLE_HEADER structure.
++
++  @param[out] AllocationSize
++    Pointer to the allocation size.
++
++  @retval EFI_SUCCESS
++    The allocation size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    The allocation size is invalid.
++**/
++EFI_STATUS
++EFIAPI
++SanitizePrimaryHeaderAllocationSize (
++  IN CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
++  OUT UINT32                           *AllocationSize
++  );
++
++/**
++  This function will validate that the Gpt Event Size calculated from the primary header is sane
++  It will check the following:
++    - EventSize does not overflow
++
++  Important: This function includes the entire length of the allocated space, including
++  (sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)) . When hashing the buffer allocated with this
++  size, the caller must subtract the size of the (sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event))
++  from the size of the buffer before hashing.
++
++  @param[in] PrimaryHeader - Pointer to the EFI_PARTITION_TABLE_HEADER structure.
++  @param[in] NumberOfPartition - Number of partitions.
++  @param[out] EventSize - Pointer to the event size.
++
++  @retval EFI_SUCCESS
++    The event size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    Overflow would have occurred.
++
++  @retval EFI_INVALID_PARAMETER
++    One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePrimaryHeaderGptEventSize (
++  IN  CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
++  IN  UINTN                             NumberOfPartition,
++  OUT UINT32                            *EventSize
++  );
++
++#endif // DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+new file mode 100644
+index 0000000000..3eb9763e3c
+--- /dev/null
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+@@ -0,0 +1,303 @@
++/** @file
++  This file includes the unit test cases for the DxeTpm2MeasureBootLibSanitizationTest.c.
++
++  Copyright (c) Microsoft Corporation.<BR>
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++
++#include <Uefi.h>
++#include <Library/UefiLib.h>
++#include <Library/DebugLib.h>
++#include <Library/UnitTestLib.h>
++#include <Protocol/BlockIo.h>
++#include <Library/MemoryAllocationLib.h>
++#include <Library/BaseMemoryLib.h>
++#include <IndustryStandard/UefiTcgPlatform.h>
++#include <Protocol/Tcg2Protocol.h>
++
++#include "../DxeTpm2MeasureBootLibSanitization.h"
++
++#define UNIT_TEST_NAME     "DxeTpm2MeasureBootLibSanitizationTest"
++#define UNIT_TEST_VERSION  "1.0"
++
++#define DEFAULT_PRIMARY_TABLE_HEADER_REVISION                     0x00010000
++#define DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES  1
++#define DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY      128
++
++/**
++  This function tests the SanitizeEfiPartitionTableHeader function.
++  It's intent is to test that a malicious EFI_PARTITION_TABLE_HEADER
++  structure will not cause undefined or unexpected behavior.
++
++  In general the TPM should still be able to measure the data, but
++  be the header should be sanitized to prevent any unexpected behavior.
++
++  @param[in] Context  The unit test context.
++
++  @retval UNIT_TEST_PASSED  The test passed.
++  @retval UNIT_TEST_ERROR_TEST_FAILED  The test failed.
++**/
++UNIT_TEST_STATUS
++EFIAPI
++TestSanitizeEfiPartitionTableHeader (
++  IN UNIT_TEST_CONTEXT  Context
++  )
++{
++  EFI_STATUS                  Status;
++  EFI_PARTITION_TABLE_HEADER  PrimaryHeader;
++  EFI_BLOCK_IO_PROTOCOL       BlockIo;
++  EFI_BLOCK_IO_MEDIA          BlockMedia;
++
++  // Generate EFI_BLOCK_IO_MEDIA test data
++  BlockMedia.MediaId          = 1;
++  BlockMedia.RemovableMedia   = FALSE;
++  BlockMedia.MediaPresent     = TRUE;
++  BlockMedia.LogicalPartition = FALSE;
++  BlockMedia.ReadOnly         = FALSE;
++  BlockMedia.WriteCaching     = FALSE;
++  BlockMedia.BlockSize        = 512;
++  BlockMedia.IoAlign          = 1;
++  BlockMedia.LastBlock        = 0;
++
++  // Generate EFI_BLOCK_IO_PROTOCOL test data
++  BlockIo.Revision    = 1;
++  BlockIo.Media       = &BlockMedia;
++  BlockIo.Reset       = NULL;
++  BlockIo.ReadBlocks  = NULL;
++  BlockIo.WriteBlocks = NULL;
++  BlockIo.FlushBlocks = NULL;
++
++  // Geneate EFI_PARTITION_TABLE_HEADER test data
++  PrimaryHeader.Header.Signature         = EFI_PTAB_HEADER_ID;
++  PrimaryHeader.Header.Revision          = DEFAULT_PRIMARY_TABLE_HEADER_REVISION;
++  PrimaryHeader.Header.HeaderSize        = sizeof (EFI_PARTITION_TABLE_HEADER);
++  PrimaryHeader.MyLBA                    = 1;
++  PrimaryHeader.AlternateLBA             = 2;
++  PrimaryHeader.FirstUsableLBA           = 3;
++  PrimaryHeader.LastUsableLBA            = 4;
++  PrimaryHeader.PartitionEntryLBA        = 5;
++  PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES;
++  PrimaryHeader.SizeOfPartitionEntry     = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
++  PrimaryHeader.PartitionEntryArrayCRC32 = 0; // Purposely invalid
++
++  // Calculate the CRC32 of the PrimaryHeader
++  PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize);
++
++  // Test that a normal PrimaryHeader passes validation
++  Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
++  UT_ASSERT_NOT_EFI_ERROR (Status);
++
++  // Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR
++  // Should print "Invalid Partition Table Header NumberOfPartitionEntries!""
++  PrimaryHeader.NumberOfPartitionEntries = 0;
++  Status                                 = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
++  UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
++  PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
++
++  // Test that when the header size is too small, the function returns EFI_DEVICE_ERROR
++  // Should print "Invalid Partition Table Header Size!"
++  PrimaryHeader.Header.HeaderSize = 0;
++  Status                          = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
++  UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
++  PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
++
++  // Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR
++  // should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!"
++  PrimaryHeader.SizeOfPartitionEntry = 1;
++  Status                             = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
++  UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
++
++  DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
++
++  return UNIT_TEST_PASSED;
++}
++
++/**
++  This function tests the SanitizePrimaryHeaderAllocationSize function.
++  It's intent is to test that the untrusted input from a EFI_PARTITION_TABLE_HEADER
++  structure will not cause an overflow when calculating the allocation size.
++
++  @param[in] Context  The unit test context.
++
++  @retval UNIT_TEST_PASSED  The test passed.
++  @retval UNIT_TEST_ERROR_TEST_FAILED  The test failed.
++**/
++UNIT_TEST_STATUS
++EFIAPI
++TestSanitizePrimaryHeaderAllocationSize (
++  IN UNIT_TEST_CONTEXT  Context
++  )
++{
++  UINT32  AllocationSize;
++
++  EFI_STATUS                  Status;
++  EFI_PARTITION_TABLE_HEADER  PrimaryHeader;
++
++  // Test that a normal PrimaryHeader passes validation
++  PrimaryHeader.NumberOfPartitionEntries = 5;
++  PrimaryHeader.SizeOfPartitionEntry     = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
++
++  Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
++  UT_ASSERT_NOT_EFI_ERROR (Status);
++
++  // Test that the allocation size is correct compared to the existing logic
++  UT_ASSERT_EQUAL (AllocationSize, PrimaryHeader.NumberOfPartitionEntries * PrimaryHeader.SizeOfPartitionEntry);
++
++  // Test that an overflow is detected
++  PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
++  PrimaryHeader.SizeOfPartitionEntry     = 5;
++  Status                                 = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
++  UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
++
++  // Test the inverse
++  PrimaryHeader.NumberOfPartitionEntries = 5;
++  PrimaryHeader.SizeOfPartitionEntry     = MAX_UINT32;
++  Status                                 = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
++  UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
++
++  // Test the worst case scenario
++  PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
++  PrimaryHeader.SizeOfPartitionEntry     = MAX_UINT32;
++  Status                                 = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
++  UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
++
++  DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
++
++  return UNIT_TEST_PASSED;
++}
++
++/**
++  This function tests the SanitizePrimaryHeaderGptEventSize function.
++  It's intent is to test that the untrusted input from a EFI_GPT_DATA structure
++  will not cause an overflow when calculating the event size.
++
++  @param[in] Context  The unit test context.
++
++  @retval UNIT_TEST_PASSED  The test passed.
++  @retval UNIT_TEST_ERROR_TEST_FAILED  The test failed.
++**/
++UNIT_TEST_STATUS
++EFIAPI
++TestSanitizePrimaryHeaderGptEventSize (
++  IN UNIT_TEST_CONTEXT  Context
++  )
++{
++  UINT32                      EventSize;
++  UINT32                      ExistingLogicEventSize;
++  EFI_STATUS                  Status;
++  EFI_PARTITION_TABLE_HEADER  PrimaryHeader;
++  UINTN                       NumberOfPartition;
++  EFI_GPT_DATA                *GptData;
++  EFI_TCG2_EVENT              *Tcg2Event;
++
++  Tcg2Event = NULL;
++  GptData   = NULL;
++
++  // Test that a normal PrimaryHeader passes validation
++  PrimaryHeader.NumberOfPartitionEntries = 5;
++  PrimaryHeader.SizeOfPartitionEntry     = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
++
++  // set the number of partitions
++  NumberOfPartition = 13;
++
++  // that the primary event size is correct
++  Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
++  UT_ASSERT_NOT_EFI_ERROR (Status);
++
++  // Calculate the existing logic event size
++  ExistingLogicEventSize = (UINT32)(OFFSET_OF (EFI_TCG2_EVENT, Event) + OFFSET_OF (EFI_GPT_DATA, Partitions)
++                                    + NumberOfPartition * PrimaryHeader.SizeOfPartitionEntry);
++
++  // Check that the event size is correct
++  UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize);
++
++  // Tests that the primary event size may not overflow
++  Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
++  UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
++
++  // Test that the size of partition entries may not overflow
++  PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
++  Status                             = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
++  UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
++
++  DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
++
++  return UNIT_TEST_PASSED;
++}
++
++// *--------------------------------------------------------------------*
++// *  Unit Test Code Main Function
++// *--------------------------------------------------------------------*
++
++/**
++  This function acts as the entry point for the unit tests.
++
++  @retval UNIT_TEST_PASSED  The test passed.
++  @retval UNIT_TEST_ERROR_TEST_FAILED  The test failed.
++  @retval others The test failed.
++**/
++EFI_STATUS
++EFIAPI
++UefiTestMain (
++  VOID
++  )
++{
++  EFI_STATUS                  Status;
++  UNIT_TEST_FRAMEWORK_HANDLE  Framework;
++  UNIT_TEST_SUITE_HANDLE      Tcg2MeasureBootLibValidationTestSuite;
++
++  Framework = NULL;
++
++  DEBUG ((DEBUG_INFO, "%a: TestMain() - Start\n", UNIT_TEST_NAME));
++
++  Status = InitUnitTestFramework (&Framework, UNIT_TEST_NAME, gEfiCallerBaseName, UNIT_TEST_VERSION);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "%a: Failed in InitUnitTestFramework. Status = %r\n", UNIT_TEST_NAME, Status));
++    goto EXIT;
++  }
++
++  Status = CreateUnitTestSuite (&Tcg2MeasureBootLibValidationTestSuite, Framework, "Tcg2MeasureBootLibValidationTestSuite", "Common.Tcg2MeasureBootLibValidation", NULL, NULL);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "%s: Failed in CreateUnitTestSuite for Tcg2MeasureBootLibValidationTestSuite\n", UNIT_TEST_NAME));
++    Status = EFI_OUT_OF_RESOURCES;
++    goto EXIT;
++  }
++
++  // -----------Suite---------------------------------Description----------------------------Class----------------------------------Test Function------------------------Pre---Clean-Context
++  AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.Tcg2MeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
++  AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
++  AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
++
++  Status = RunAllTestSuites (Framework);
++
++EXIT:
++  if (Framework != NULL) {
++    FreeUnitTestFramework (Framework);
++  }
++
++  DEBUG ((DEBUG_INFO, "%a: TestMain() - End\n", UNIT_TEST_NAME));
++  return Status;
++}
++
++///
++/// Avoid ECC error for function name that starts with lower case letter
++///
++#define DxeTpm2MeasureBootLibUnitTestMain  main
++
++/**
++  Standard POSIX C entry point for host based unit test execution.
++
++  @param[in] Argc  Number of arguments
++  @param[in] Argv  Array of pointers to arguments
++
++  @retval 0      Success
++  @retval other  Error
++**/
++INT32
++DxeTpm2MeasureBootLibUnitTestMain (
++  IN INT32  Argc,
++  IN CHAR8  *Argv[]
++  )
++{
++  return (INT32)UefiTestMain ();
++}
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf
+new file mode 100644
+index 0000000000..2999aa2a44
+--- /dev/null
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf
+@@ -0,0 +1,28 @@
++## @file
++# This file builds the unit tests for DxeTpm2MeasureBootLib
++#
++# Copyright (C) Microsoft Corporation.<BR>
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++[Defines]
++  INF_VERSION                    = 0x00010006
++  BASE_NAME                      = DxeTpm2MeasuredBootLibTest
++  FILE_GUID                      = 144d757f-d423-484e-9309-a23695fad5bd
++  MODULE_TYPE                    = HOST_APPLICATION
++  VERSION_STRING                 = 1.0
++  ENTRY_POINT                    = main
++
++[Sources]
++  DxeTpm2MeasureBootLibSanitizationTest.c
++  ../DxeTpm2MeasureBootLibSanitization.c
++
++[Packages]
++  MdePkg/MdePkg.dec
++
++[LibraryClasses]
++  BaseLib
++  DebugLib
++  UnitTestLib
++  PrintLib
++  SafeIntLib
+diff --git a/SecurityPkg/SecurityPkg.ci.yaml b/SecurityPkg/SecurityPkg.ci.yaml
+index 7912142398..da811fdf93 100644
+--- a/SecurityPkg/SecurityPkg.ci.yaml
++++ b/SecurityPkg/SecurityPkg.ci.yaml
+@@ -15,6 +15,7 @@
+         ##     "<ErrorID>", "<KeyWord>"
+         ## ]
+         "ExceptionList": [
++            "8001", "DxeTpm2MeasureBootLibUnitTestMain",
+         ],
+         ## Both file path and directory path are accepted.
+         "IgnoreFiles": [
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2022-36763-0002.patch

@@ -0,0 +1,889 @@
+From 4776a1b39ee08fc45c70c1eab5a0195f325000d3 Mon Sep 17 00:00:00 2001
+From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
+Date: Fri, 12 Jan 2024 02:16:02 +0800
+Subject: [PATCH] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117 - CVE 
+ 2022-36763
+
+This commit contains the patch files and tests for DxeTpmMeasureBootLib
+CVE 2022-36763.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+CVE: CVE-2022-36763
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/4776a1b39ee08fc45c70c1eab5a0195f325000d3]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../DxeTpmMeasureBootLib.c                    |  40 ++-
+ .../DxeTpmMeasureBootLib.inf                  |   4 +-
+ .../DxeTpmMeasureBootLibSanitization.c        | 241 ++++++++++++++
+ .../DxeTpmMeasureBootLibSanitization.h        | 114 +++++++
+ .../DxeTpmMeasureBootLibSanitizationTest.c    | 301 ++++++++++++++++++
+ ...eTpmMeasureBootLibSanitizationTestHost.inf |  28 ++
+ SecurityPkg/SecurityPkg.ci.yaml               |   1 +
+ 7 files changed, 715 insertions(+), 14 deletions(-)
+ create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+ create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+ create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+ create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
+
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+index 220393dd2b..669ab19134 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+@@ -18,6 +18,8 @@
+ Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
++Copyright (c) Microsoft Corporation.<BR>
++SPDX-License-Identifier: BSD-2-Clause-Patent
+ **/
+ 
+ #include <PiDxe.h>
+@@ -40,6 +42,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ #include <Library/SecurityManagementLib.h>
+ #include <Library/HobLib.h>
+ 
++#include "DxeTpmMeasureBootLibSanitization.h"
++
+ //
+ // Flag to check GPT partition. It only need be measured once.
+ //
+@@ -136,6 +140,9 @@ TcgMeasureGptTable (
+   UINT32                      EventSize;
+   UINT32                      EventNumber;
+   EFI_PHYSICAL_ADDRESS        EventLogLastEntry;
++  UINT32                      AllocSize;
++
++  GptData = NULL;
+ 
+   if (mMeasureGptCount > 0) {
+     return EFI_SUCCESS;
+@@ -166,8 +173,8 @@ TcgMeasureGptTable (
+                      BlockIo->Media->BlockSize,
+                      (UINT8 *)PrimaryHeader
+                      );
+-  if (EFI_ERROR (Status)) {
+-    DEBUG ((DEBUG_ERROR, "Failed to Read Partition Table Header!\n"));
++  if (EFI_ERROR (Status) || EFI_ERROR (SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
++    DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n"));
+     FreePool (PrimaryHeader);
+     return EFI_DEVICE_ERROR;
+   }
+@@ -175,7 +182,13 @@ TcgMeasureGptTable (
+   //
+   // Read the partition entry.
+   //
+-  EntryPtr = (UINT8 *)AllocatePool (PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry);
++  Status = SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
++  if (EFI_ERROR (Status)) {
++    FreePool (PrimaryHeader);
++    return EFI_DEVICE_ERROR;
++  }
++
++  EntryPtr = (UINT8 *)AllocatePool (AllocSize);
+   if (EntryPtr == NULL) {
+     FreePool (PrimaryHeader);
+     return EFI_OUT_OF_RESOURCES;
+@@ -185,7 +198,7 @@ TcgMeasureGptTable (
+                      DiskIo,
+                      BlockIo->Media->MediaId,
+                      MultU64x32 (PrimaryHeader->PartitionEntryLBA, BlockIo->Media->BlockSize),
+-                     PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry,
++                     AllocSize,
+                      EntryPtr
+                      );
+   if (EFI_ERROR (Status)) {
+@@ -210,9 +223,8 @@ TcgMeasureGptTable (
+   //
+   // Prepare Data for Measurement
+   //
+-  EventSize = (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions)
+-                       + NumberOfPartition * PrimaryHeader->SizeOfPartitionEntry);
+-  TcgEvent = (TCG_PCR_EVENT *)AllocateZeroPool (EventSize + sizeof (TCG_PCR_EVENT_HDR));
++  Status   = SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &EventSize);
++  TcgEvent = (TCG_PCR_EVENT *)AllocateZeroPool (EventSize);
+   if (TcgEvent == NULL) {
+     FreePool (PrimaryHeader);
+     FreePool (EntryPtr);
+@@ -221,7 +233,7 @@ TcgMeasureGptTable (
+ 
+   TcgEvent->PCRIndex  = 5;
+   TcgEvent->EventType = EV_EFI_GPT_EVENT;
+-  TcgEvent->EventSize = EventSize;
++  TcgEvent->EventSize = EventSize - sizeof (TCG_PCR_EVENT_HDR);
+   GptData             = (EFI_GPT_DATA *)TcgEvent->Event;
+ 
+   //
+@@ -361,11 +373,13 @@ TcgMeasurePeImage (
+       TcgEvent->PCRIndex  = 2;
+       break;
+     default:
+-      DEBUG ((
+-        DEBUG_ERROR,
+-        "TcgMeasurePeImage: Unknown subsystem type %d",
+-        ImageType
+-        ));
++      DEBUG (
++        (
++         DEBUG_ERROR,
++         "TcgMeasurePeImage: Unknown subsystem type %d",
++         ImageType
++        )
++        );
+       goto Finish;
+   }
+ 
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+index ebab6f7c1e..414c654d15 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+@@ -32,6 +32,8 @@
+ 
+ [Sources]
+   DxeTpmMeasureBootLib.c
++  DxeTpmMeasureBootLibSanitization.c
++  DxeTpmMeasureBootLibSanitization.h
+ 
+ [Packages]
+   MdePkg/MdePkg.dec
+@@ -41,6 +43,7 @@
+ 
+ [LibraryClasses]
+   BaseMemoryLib
++  SafeIntLib
+   DebugLib
+   MemoryAllocationLib
+   DevicePathLib
+@@ -59,4 +62,3 @@
+   gEfiFirmwareVolumeBlockProtocolGuid   ## SOMETIMES_CONSUMES
+   gEfiBlockIoProtocolGuid               ## SOMETIMES_CONSUMES
+   gEfiDiskIoProtocolGuid                ## SOMETIMES_CONSUMES
+-
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+new file mode 100644
+index 0000000000..a3fa46f5e6
+--- /dev/null
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+@@ -0,0 +1,241 @@
++/** @file
++  The library instance provides security service of TPM2 measure boot and
++  Confidential Computing (CC) measure boot.
++
++  Caution: This file requires additional review when modified.
++  This library will have external input - PE/COFF image and GPT partition.
++  This external input must be validated carefully to avoid security issue like
++  buffer overflow, integer overflow.
++
++  This file will pull out the validation logic from the following functions, in an
++  attempt to validate the untrusted input in the form of unit tests
++
++  These are those functions:
++
++  DxeTpmMeasureBootLibImageRead() function will make sure the PE/COFF image content
++  read is within the image buffer.
++
++  Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse
++  partition data carefully.
++
++  Copyright (c) Microsoft Corporation.<BR>
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++#include <Uefi.h>
++#include <Uefi/UefiSpec.h>
++#include <Library/SafeIntLib.h>
++#include <Library/UefiLib.h>
++#include <Library/DebugLib.h>
++#include <Library/BaseLib.h>
++#include <IndustryStandard/UefiTcgPlatform.h>
++#include <Protocol/BlockIo.h>
++#include <Library/MemoryAllocationLib.h>
++
++#include "DxeTpmMeasureBootLibSanitization.h"
++
++#define GPT_HEADER_REVISION_V1  0x00010000
++
++/**
++  This function will validate the EFI_PARTITION_TABLE_HEADER structure is safe to parse
++  However this function will not attempt to verify the validity of the GPT partition
++  It will check the following:
++    - Signature
++    - Revision
++    - AlternateLBA
++    - FirstUsableLBA
++    - LastUsableLBA
++    - PartitionEntryLBA
++    - NumberOfPartitionEntries
++    - SizeOfPartitionEntry
++    - BlockIo
++
++  @param[in] PrimaryHeader
++    Pointer to the EFI_PARTITION_TABLE_HEADER structure.
++
++  @param[in] BlockIo
++    Pointer to the EFI_BLOCK_IO_PROTOCOL structure.
++
++  @retval EFI_SUCCESS
++    The EFI_PARTITION_TABLE_HEADER structure is valid.
++
++  @retval EFI_INVALID_PARAMETER
++    The EFI_PARTITION_TABLE_HEADER structure is invalid.
++**/
++EFI_STATUS
++EFIAPI
++SanitizeEfiPartitionTableHeader (
++  IN CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
++  IN CONST EFI_BLOCK_IO_PROTOCOL       *BlockIo
++  )
++{
++  // Verify that the input parameters are safe to use
++  if (PrimaryHeader == NULL) {
++    DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header!\n"));
++    return EFI_INVALID_PARAMETER;
++  }
++
++  if ((BlockIo == NULL) || (BlockIo->Media == NULL)) {
++    DEBUG ((DEBUG_ERROR, "Invalid BlockIo!\n"));
++    return EFI_INVALID_PARAMETER;
++  }
++
++  // The signature must be EFI_PTAB_HEADER_ID ("EFI PART" in ASCII)
++  if (PrimaryHeader->Header.Signature != EFI_PTAB_HEADER_ID) {
++    DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header!\n"));
++    return EFI_DEVICE_ERROR;
++  }
++
++  // The version must be GPT_HEADER_REVISION_V1 (0x00010000)
++  if (PrimaryHeader->Header.Revision != GPT_HEADER_REVISION_V1) {
++    DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header Revision!\n"));
++    return EFI_DEVICE_ERROR;
++  }
++
++  // The HeaderSize must be greater than or equal to 92 and must be less than or equal to the logical block size
++  if ((PrimaryHeader->Header.HeaderSize < sizeof (EFI_PARTITION_TABLE_HEADER)) || (PrimaryHeader->Header.HeaderSize > BlockIo->Media->BlockSize)) {
++    DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header HeaderSize!\n"));
++    return EFI_DEVICE_ERROR;
++  }
++
++  // check that the PartitionEntryLBA greater than the Max LBA
++  // This will be used later for multiplication
++  if (PrimaryHeader->PartitionEntryLBA > DivU64x32 (MAX_UINT64, BlockIo->Media->BlockSize)) {
++    DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header PartitionEntryLBA!\n"));
++    return EFI_DEVICE_ERROR;
++  }
++
++  // Check that the number of partition entries is greater than zero
++  if (PrimaryHeader->NumberOfPartitionEntries == 0) {
++    DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header NumberOfPartitionEntries!\n"));
++    return EFI_DEVICE_ERROR;
++  }
++
++  // SizeOfPartitionEntry must be 128, 256, 512... improper size may lead to accessing uninitialized memory
++  if ((PrimaryHeader->SizeOfPartitionEntry < 128) || ((PrimaryHeader->SizeOfPartitionEntry & (PrimaryHeader->SizeOfPartitionEntry - 1)) != 0)) {
++    DEBUG ((DEBUG_ERROR, "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!\n"));
++    return EFI_DEVICE_ERROR;
++  }
++
++  // This check is to prevent overflow when calculating the allocation size for the partition entries
++  // This check will be used later for multiplication
++  if (PrimaryHeader->NumberOfPartitionEntries > DivU64x32 (MAX_UINT64, PrimaryHeader->SizeOfPartitionEntry)) {
++    DEBUG ((DEBUG_ERROR, "Invalid Partition Table Header NumberOfPartitionEntries!\n"));
++    return EFI_DEVICE_ERROR;
++  }
++
++  return EFI_SUCCESS;
++}
++
++/**
++  This function will validate that the allocation size from the primary header is sane
++  It will check the following:
++    - AllocationSize does not overflow
++
++  @param[in] PrimaryHeader
++    Pointer to the EFI_PARTITION_TABLE_HEADER structure.
++
++  @param[out] AllocationSize
++    Pointer to the allocation size.
++
++  @retval EFI_SUCCESS
++    The allocation size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    The allocation size is invalid.
++**/
++EFI_STATUS
++EFIAPI
++SanitizePrimaryHeaderAllocationSize (
++  IN CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
++  OUT UINT32                           *AllocationSize
++  )
++{
++  EFI_STATUS  Status;
++
++  if (PrimaryHeader == NULL) {
++    return EFI_INVALID_PARAMETER;
++  }
++
++  if (AllocationSize == NULL) {
++    return EFI_INVALID_PARAMETER;
++  }
++
++  // Replacing logic:
++  // PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry;
++  Status = SafeUint32Mult (PrimaryHeader->NumberOfPartitionEntries, PrimaryHeader->SizeOfPartitionEntry, AllocationSize);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "Allocation Size would have overflowed!\n"));
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  return EFI_SUCCESS;
++}
++
++/**
++  This function will validate that the Gpt Event Size calculated from the primary header is sane
++  It will check the following:
++    - EventSize does not overflow
++
++  Important: This function includes the entire length of the allocated space, including the
++  TCG_PCR_EVENT_HDR. When hashing the buffer allocated with this size, the caller must subtract
++  the size of the TCG_PCR_EVENT_HDR from the size of the buffer before hashing.
++
++  @param[in] PrimaryHeader - Pointer to the EFI_PARTITION_TABLE_HEADER structure.
++  @param[in] NumberOfPartition - Number of partitions.
++  @param[out] EventSize - Pointer to the event size.
++
++  @retval EFI_SUCCESS
++    The event size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    Overflow would have occurred.
++
++  @retval EFI_INVALID_PARAMETER
++    One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePrimaryHeaderGptEventSize (
++  IN  CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
++  IN  UINTN                             NumberOfPartition,
++  OUT UINT32                            *EventSize
++  )
++{
++  EFI_STATUS  Status;
++  UINT32      SafeNumberOfPartitions;
++
++  if (PrimaryHeader == NULL) {
++    return EFI_INVALID_PARAMETER;
++  }
++
++  if (EventSize == NULL) {
++    return EFI_INVALID_PARAMETER;
++  }
++
++  // We shouldn't even attempt to perform the multiplication if the number of partitions is greater than the maximum value of UINT32
++  Status = SafeUintnToUint32 (NumberOfPartition, &SafeNumberOfPartitions);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "NumberOfPartition would have overflowed!\n"));
++    return EFI_INVALID_PARAMETER;
++  }
++
++  // Replacing logic:
++  // (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions) + NumberOfPartition * PrimaryHeader.SizeOfPartitionEntry + sizeof (TCG_PCR_EVENT_HDR));
++  Status = SafeUint32Mult (SafeNumberOfPartitions, PrimaryHeader->SizeOfPartitionEntry, EventSize);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "Event Size would have overflowed!\n"));
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  Status = SafeUint32Add (
++             sizeof (TCG_PCR_EVENT_HDR) +
++             OFFSET_OF (EFI_GPT_DATA, Partitions),
++             *EventSize,
++             EventSize
++             );
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "Event Size would have overflowed because of GPTData!\n"));
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  return EFI_SUCCESS;
++}
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+new file mode 100644
+index 0000000000..0d9d00c281
+--- /dev/null
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+@@ -0,0 +1,114 @@
++/** @file
++  This file includes the function prototypes for the sanitization functions.
++
++  These are those functions:
++
++  DxeTpmMeasureBootLibImageRead() function will make sure the PE/COFF image content
++  read is within the image buffer.
++
++  TcgMeasurePeImage() function will accept untrusted PE/COFF image and validate its
++  data structure within this image buffer before use.
++
++  TcgMeasureGptTable() function will receive untrusted GPT partition table, and parse
++  partition data carefully.
++
++  Copyright (c) Microsoft Corporation.<BR>
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++
++**/
++
++#ifndef DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
++#define DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
++
++#include <Uefi.h>
++#include <Uefi/UefiSpec.h>
++#include <Protocol/BlockIo.h>
++#include <IndustryStandard/UefiTcgPlatform.h>
++
++/**
++  This function will validate the EFI_PARTITION_TABLE_HEADER structure is safe to parse
++  However this function will not attempt to verify the validity of the GPT partition
++  It will check the following:
++    - Signature
++    - Revision
++    - AlternateLBA
++    - FirstUsableLBA
++    - LastUsableLBA
++    - PartitionEntryLBA
++    - NumberOfPartitionEntries
++    - SizeOfPartitionEntry
++    - BlockIo
++
++  @param[in] PrimaryHeader
++    Pointer to the EFI_PARTITION_TABLE_HEADER structure.
++
++  @param[in] BlockIo
++    Pointer to the EFI_BLOCK_IO_PROTOCOL structure.
++
++  @retval EFI_SUCCESS
++    The EFI_PARTITION_TABLE_HEADER structure is valid.
++
++  @retval EFI_INVALID_PARAMETER
++    The EFI_PARTITION_TABLE_HEADER structure is invalid.
++**/
++EFI_STATUS
++EFIAPI
++SanitizeEfiPartitionTableHeader (
++  IN CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
++  IN CONST EFI_BLOCK_IO_PROTOCOL       *BlockIo
++  );
++
++/**
++  This function will validate that the allocation size from the primary header is sane
++  It will check the following:
++    - AllocationSize does not overflow
++
++  @param[in] PrimaryHeader
++    Pointer to the EFI_PARTITION_TABLE_HEADER structure.
++
++  @param[out] AllocationSize
++    Pointer to the allocation size.
++
++  @retval EFI_SUCCESS
++    The allocation size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    The allocation size is invalid.
++**/
++EFI_STATUS
++EFIAPI
++SanitizePrimaryHeaderAllocationSize (
++  IN CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
++  OUT UINT32                           *AllocationSize
++  );
++
++/**
++  This function will validate that the Gpt Event Size calculated from the primary header is sane
++  It will check the following:
++    - EventSize does not overflow
++
++  Important: This function includes the entire length of the allocated space, including the
++  TCG_PCR_EVENT_HDR. When hashing the buffer allocated with this size, the caller must subtract
++  the size of the TCG_PCR_EVENT_HDR from the size of the buffer before hashing.
++
++  @param[in] PrimaryHeader - Pointer to the EFI_PARTITION_TABLE_HEADER structure.
++  @param[in] NumberOfPartition - Number of partitions.
++  @param[out] EventSize - Pointer to the event size.
++
++  @retval EFI_SUCCESS
++    The event size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    Overflow would have occurred.
++
++  @retval EFI_INVALID_PARAMETER
++    One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePrimaryHeaderGptEventSize (
++  IN  CONST EFI_PARTITION_TABLE_HEADER  *PrimaryHeader,
++  IN  UINTN                             NumberOfPartition,
++  OUT UINT32                            *EventSize
++  );
++
++#endif // DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+new file mode 100644
+index 0000000000..eeb928cdb0
+--- /dev/null
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+@@ -0,0 +1,301 @@
++/** @file
++This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
++
++Copyright (c) Microsoft Corporation.<BR>
++SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++
++#include <Uefi.h>
++#include <Library/UefiLib.h>
++#include <Library/DebugLib.h>
++#include <Library/UnitTestLib.h>
++#include <Protocol/BlockIo.h>
++#include <Library/MemoryAllocationLib.h>
++#include <Library/BaseMemoryLib.h>
++#include <IndustryStandard/UefiTcgPlatform.h>
++
++#include "../DxeTpmMeasureBootLibSanitization.h"
++
++#define UNIT_TEST_NAME     "DxeTpmMeasureBootLibSanitizationTest"
++#define UNIT_TEST_VERSION  "1.0"
++
++#define DEFAULT_PRIMARY_TABLE_HEADER_REVISION                     0x00010000
++#define DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES  1
++#define DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY      128
++
++/**
++  This function tests the SanitizeEfiPartitionTableHeader function.
++  It's intent is to test that a malicious EFI_PARTITION_TABLE_HEADER
++  structure will not cause undefined or unexpected behavior.
++
++  In general the TPM should still be able to measure the data, but
++  be the header should be sanitized to prevent any unexpected behavior.
++
++  @param[in] Context  The unit test context.
++
++  @retval UNIT_TEST_PASSED  The test passed.
++  @retval UNIT_TEST_ERROR_TEST_FAILED  The test failed.
++**/
++UNIT_TEST_STATUS
++EFIAPI
++TestSanitizeEfiPartitionTableHeader (
++  IN UNIT_TEST_CONTEXT  Context
++  )
++{
++  EFI_STATUS                  Status;
++  EFI_PARTITION_TABLE_HEADER  PrimaryHeader;
++  EFI_BLOCK_IO_PROTOCOL       BlockIo;
++  EFI_BLOCK_IO_MEDIA          BlockMedia;
++
++  // Generate EFI_BLOCK_IO_MEDIA test data
++  BlockMedia.MediaId          = 1;
++  BlockMedia.RemovableMedia   = FALSE;
++  BlockMedia.MediaPresent     = TRUE;
++  BlockMedia.LogicalPartition = FALSE;
++  BlockMedia.ReadOnly         = FALSE;
++  BlockMedia.WriteCaching     = FALSE;
++  BlockMedia.BlockSize        = 512;
++  BlockMedia.IoAlign          = 1;
++  BlockMedia.LastBlock        = 0;
++
++  // Generate EFI_BLOCK_IO_PROTOCOL test data
++  BlockIo.Revision    = 1;
++  BlockIo.Media       = &BlockMedia;
++  BlockIo.Reset       = NULL;
++  BlockIo.ReadBlocks  = NULL;
++  BlockIo.WriteBlocks = NULL;
++  BlockIo.FlushBlocks = NULL;
++
++  // Geneate EFI_PARTITION_TABLE_HEADER test data
++  PrimaryHeader.Header.Signature         = EFI_PTAB_HEADER_ID;
++  PrimaryHeader.Header.Revision          = DEFAULT_PRIMARY_TABLE_HEADER_REVISION;
++  PrimaryHeader.Header.HeaderSize        = sizeof (EFI_PARTITION_TABLE_HEADER);
++  PrimaryHeader.MyLBA                    = 1;
++  PrimaryHeader.AlternateLBA             = 2;
++  PrimaryHeader.FirstUsableLBA           = 3;
++  PrimaryHeader.LastUsableLBA            = 4;
++  PrimaryHeader.PartitionEntryLBA        = 5;
++  PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES;
++  PrimaryHeader.SizeOfPartitionEntry     = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
++  PrimaryHeader.PartitionEntryArrayCRC32 = 0; // Purposely invalid
++
++  // Calculate the CRC32 of the PrimaryHeader
++  PrimaryHeader.Header.CRC32 = CalculateCrc32 ((UINT8 *)&PrimaryHeader, PrimaryHeader.Header.HeaderSize);
++
++  // Test that a normal PrimaryHeader passes validation
++  Status = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
++  UT_ASSERT_NOT_EFI_ERROR (Status);
++
++  // Test that when number of partition entries is 0, the function returns EFI_DEVICE_ERROR
++  // Should print "Invalid Partition Table Header NumberOfPartitionEntries!""
++  PrimaryHeader.NumberOfPartitionEntries = 0;
++  Status                                 = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
++  UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
++  PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
++
++  // Test that when the header size is too small, the function returns EFI_DEVICE_ERROR
++  // Should print "Invalid Partition Table Header Size!"
++  PrimaryHeader.Header.HeaderSize = 0;
++  Status                          = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
++  UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
++  PrimaryHeader.Header.HeaderSize = sizeof (EFI_PARTITION_TABLE_HEADER);
++
++  // Test that when the SizeOfPartitionEntry is too small, the function returns EFI_DEVICE_ERROR
++  // should print: "SizeOfPartitionEntry shall be set to a value of 128 x 2^n where n is an integer greater than or equal to zero (e.g., 128, 256, 512, etc.)!"
++  PrimaryHeader.SizeOfPartitionEntry = 1;
++  Status                             = SanitizeEfiPartitionTableHeader (&PrimaryHeader, &BlockIo);
++  UT_ASSERT_EQUAL (Status, EFI_DEVICE_ERROR);
++
++  DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
++
++  return UNIT_TEST_PASSED;
++}
++
++/**
++  This function tests the SanitizePrimaryHeaderAllocationSize function.
++  It's intent is to test that the untrusted input from a EFI_PARTITION_TABLE_HEADER
++  structure will not cause an overflow when calculating the allocation size.
++
++  @param[in] Context  The unit test context.
++
++  @retval UNIT_TEST_PASSED  The test passed.
++  @retval UNIT_TEST_ERROR_TEST_FAILED  The test failed.
++**/
++UNIT_TEST_STATUS
++EFIAPI
++TestSanitizePrimaryHeaderAllocationSize (
++  IN UNIT_TEST_CONTEXT  Context
++  )
++{
++  UINT32  AllocationSize;
++
++  EFI_STATUS                  Status;
++  EFI_PARTITION_TABLE_HEADER  PrimaryHeader;
++
++  // Test that a normal PrimaryHeader passes validation
++  PrimaryHeader.NumberOfPartitionEntries = 5;
++  PrimaryHeader.SizeOfPartitionEntry     = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
++
++  Status = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
++  UT_ASSERT_NOT_EFI_ERROR (Status);
++
++  // Test that the allocation size is correct compared to the existing logic
++  UT_ASSERT_EQUAL (AllocationSize, PrimaryHeader.NumberOfPartitionEntries * PrimaryHeader.SizeOfPartitionEntry);
++
++  // Test that an overflow is detected
++  PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
++  PrimaryHeader.SizeOfPartitionEntry     = 5;
++  Status                                 = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
++  UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
++
++  // Test the inverse
++  PrimaryHeader.NumberOfPartitionEntries = 5;
++  PrimaryHeader.SizeOfPartitionEntry     = MAX_UINT32;
++  Status                                 = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
++  UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
++
++  // Test the worst case scenario
++  PrimaryHeader.NumberOfPartitionEntries = MAX_UINT32;
++  PrimaryHeader.SizeOfPartitionEntry     = MAX_UINT32;
++  Status                                 = SanitizePrimaryHeaderAllocationSize (&PrimaryHeader, &AllocationSize);
++  UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
++
++  DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
++
++  return UNIT_TEST_PASSED;
++}
++
++/**
++  This function tests the SanitizePrimaryHeaderGptEventSize function.
++  It's intent is to test that the untrusted input from a EFI_GPT_DATA structure
++  will not cause an overflow when calculating the event size.
++
++  @param[in] Context  The unit test context.
++
++  @retval UNIT_TEST_PASSED  The test passed.
++  @retval UNIT_TEST_ERROR_TEST_FAILED  The test failed.
++**/
++UNIT_TEST_STATUS
++EFIAPI
++TestSanitizePrimaryHeaderGptEventSize (
++  IN UNIT_TEST_CONTEXT  Context
++  )
++{
++  UINT32                      EventSize;
++  UINT32                      ExistingLogicEventSize;
++  EFI_STATUS                  Status;
++  EFI_PARTITION_TABLE_HEADER  PrimaryHeader;
++  UINTN                       NumberOfPartition;
++  EFI_GPT_DATA                *GptData;
++
++  GptData = NULL;
++
++  // Test that a normal PrimaryHeader passes validation
++  PrimaryHeader.NumberOfPartitionEntries = 5;
++  PrimaryHeader.SizeOfPartitionEntry     = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
++
++  // set the number of partitions
++  NumberOfPartition = 13;
++
++  // that the primary event size is correct
++  Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
++  UT_ASSERT_NOT_EFI_ERROR (Status);
++
++  // Calculate the existing logic event size
++  ExistingLogicEventSize = (UINT32)(sizeof (TCG_PCR_EVENT_HDR) + OFFSET_OF (EFI_GPT_DATA, Partitions)
++                                    + NumberOfPartition * PrimaryHeader.SizeOfPartitionEntry);
++
++  // Check that the event size is correct
++  UT_ASSERT_EQUAL (EventSize, ExistingLogicEventSize);
++
++  // Tests that the primary event size may not overflow
++  Status = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, MAX_UINT32, &EventSize);
++  UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
++
++  // Test that the size of partition entries may not overflow
++  PrimaryHeader.SizeOfPartitionEntry = MAX_UINT32;
++  Status                             = SanitizePrimaryHeaderGptEventSize (&PrimaryHeader, NumberOfPartition, &EventSize);
++  UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
++
++  DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
++
++  return UNIT_TEST_PASSED;
++}
++
++// *--------------------------------------------------------------------*
++// *  Unit Test Code Main Function
++// *--------------------------------------------------------------------*
++
++/**
++  This function acts as the entry point for the unit tests.
++
++  @param argc - The number of command line arguments
++  @param argv - The command line arguments
++
++  @return int - The status of the test
++**/
++EFI_STATUS
++EFIAPI
++UefiTestMain (
++  VOID
++  )
++{
++  EFI_STATUS                  Status;
++  UNIT_TEST_FRAMEWORK_HANDLE  Framework;
++  UNIT_TEST_SUITE_HANDLE      TcgMeasureBootLibValidationTestSuite;
++
++  Framework = NULL;
++
++  DEBUG ((DEBUG_INFO, "%a: TestMain() - Start\n", UNIT_TEST_NAME));
++
++  Status = InitUnitTestFramework (&Framework, UNIT_TEST_NAME, gEfiCallerBaseName, UNIT_TEST_VERSION);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "%a: Failed in InitUnitTestFramework. Status = %r\n", UNIT_TEST_NAME, Status));
++    goto EXIT;
++  }
++
++  Status = CreateUnitTestSuite (&TcgMeasureBootLibValidationTestSuite, Framework, "TcgMeasureBootLibValidationTestSuite", "Common.TcgMeasureBootLibValidation", NULL, NULL);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "%s: Failed in CreateUnitTestSuite for TcgMeasureBootLibValidationTestSuite\n", UNIT_TEST_NAME));
++    Status = EFI_OUT_OF_RESOURCES;
++    goto EXIT;
++  }
++
++  // -----------Suite---------------------------------Description----------------------------Class----------------------------------Test Function------------------------Pre---Clean-Context
++  AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.TcgMeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
++  AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
++  AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
++
++  Status = RunAllTestSuites (Framework);
++
++EXIT:
++  if (Framework != NULL) {
++    FreeUnitTestFramework (Framework);
++  }
++
++  DEBUG ((DEBUG_INFO, "%a: TestMain() - End\n", UNIT_TEST_NAME));
++  return Status;
++}
++
++///
++/// Avoid ECC error for function name that starts with lower case letter
++///
++#define DxeTpmMeasureBootLibUnitTestMain  main
++
++/**
++  Standard POSIX C entry point for host based unit test execution.
++
++  @param[in] Argc  Number of arguments
++  @param[in] Argv  Array of pointers to arguments
++
++  @retval 0      Success
++  @retval other  Error
++**/
++INT32
++DxeTpmMeasureBootLibUnitTestMain (
++  IN INT32  Argc,
++  IN CHAR8  *Argv[]
++  )
++{
++  return (INT32)UefiTestMain ();
++}
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
+new file mode 100644
+index 0000000000..47b0811b00
+--- /dev/null
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
+@@ -0,0 +1,28 @@
++## @file
++# This file builds the unit tests for DxeTpmMeasureBootLib
++#
++# Copyright (C) Microsoft Corporation.<BR>
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++[Defines]
++  INF_VERSION                    = 0x00010006
++  BASE_NAME                      = DxeTpmMeasuredBootLibTest
++  FILE_GUID                      = eb01bc38-309c-4d3e-967e-9f078c90772f
++  MODULE_TYPE                    = HOST_APPLICATION
++  VERSION_STRING                 = 1.0
++  ENTRY_POINT                    = main
++
++[Sources]
++  DxeTpmMeasureBootLibSanitizationTest.c
++  ../DxeTpmMeasureBootLibSanitization.c
++
++[Packages]
++  MdePkg/MdePkg.dec
++
++[LibraryClasses]
++  BaseLib
++  DebugLib
++  UnitTestLib
++  PrintLib
++  SafeIntLib
+diff --git a/SecurityPkg/SecurityPkg.ci.yaml b/SecurityPkg/SecurityPkg.ci.yaml
+index da811fdf93..0e40eaa0fe 100644
+--- a/SecurityPkg/SecurityPkg.ci.yaml
++++ b/SecurityPkg/SecurityPkg.ci.yaml
+@@ -16,6 +16,7 @@
+         ## ]
+         "ExceptionList": [
+             "8001", "DxeTpm2MeasureBootLibUnitTestMain",
++            "8001", "DxeTpmMeasureBootLibUnitTestMain"
+         ],
+         ## Both file path and directory path are accepted.
+         "IgnoreFiles": [
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2022-36763-0003.patch

@@ -0,0 +1,55 @@
+From 1ddcb9fc6b4164e882687b031e8beacfcf7df29e Mon Sep 17 00:00:00 2001
+From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
+Date: Fri, 12 Jan 2024 02:16:03 +0800
+Subject: [PATCH] SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml
+
+This creates / adds a security file that tracks the security fixes
+found in this package and can be used to find the fixes that were
+applied.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+CVE: CVE-2022-36763
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/1ddcb9fc6b4164e882687b031e8beacfcf7df29e]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ SecurityPkg/SecurityFixes.yaml | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+ create mode 100644 SecurityPkg/SecurityFixes.yaml
+
+diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
+new file mode 100644
+index 0000000000..f9e3e7be74
+--- /dev/null
++++ b/SecurityPkg/SecurityFixes.yaml
+@@ -0,0 +1,22 @@
++## @file
++# Security Fixes for SecurityPkg
++#
++# Copyright (c) Microsoft Corporation
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++CVE_2022_36763:
++  commit_titles:
++    - "SecurityPkg: DxeTpm2Measurement: SECURITY PATCH 4117 - CVE 2022-36763"
++    - "SecurityPkg: DxeTpmMeasurement: SECURITY PATCH 4117 - CVE 2022-36763"
++    - "SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml"
++  cve: CVE-2022-36763
++  date_reported: 2022-10-25 11:31 UTC
++  description: (CVE-2022-36763) - Heap Buffer Overflow in Tcg2MeasureGptTable()
++  note: This patch is related to and supersedes TCBZ2168
++  files_impacted:
++  - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
++  - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
++  links:
++  - https://bugzilla.tianocore.org/show_bug.cgi?id=4117
++  - https://bugzilla.tianocore.org/show_bug.cgi?id=2168
++  - https://bugzilla.tianocore.org/show_bug.cgi?id=1990
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2022-36764-0001.patch

@@ -0,0 +1,271 @@
+From c7b27944218130cca3bbb20314ba5b88b5de4aa4 Mon Sep 17 00:00:00 2001
+From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
+Date: Fri, 12 Jan 2024 02:16:04 +0800
+Subject: [PATCH] SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE
+  2022-36764
+
+This commit contains the patch files and tests for DxeTpm2MeasureBootLib
+CVE 2022-36764.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+CVE: CVE-2022-36764
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/c7b27944218130cca3bbb20314ba5b88b5de4aa4]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../DxeTpm2MeasureBootLib.c                   | 12 ++--
+ .../DxeTpm2MeasureBootLibSanitization.c       | 46 +++++++++++++-
+ .../DxeTpm2MeasureBootLibSanitization.h       | 28 ++++++++-
+ .../DxeTpm2MeasureBootLibSanitizationTest.c   | 60 ++++++++++++++++---
+ 4 files changed, 131 insertions(+), 15 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+index 0475103d6e..714cc8e03e 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
+@@ -378,7 +378,6 @@ Exit:
+   @retval EFI_OUT_OF_RESOURCES   No enough resource to measure image.
+   @retval EFI_UNSUPPORTED        ImageType is unsupported or PE image is mal-format.
+   @retval other error value
+-
+ **/
+ EFI_STATUS
+ EFIAPI
+@@ -405,6 +404,7 @@ Tcg2MeasurePeImage (
+   Status    = EFI_UNSUPPORTED;
+   ImageLoad = NULL;
+   EventPtr  = NULL;
++  Tcg2Event = NULL;
+ 
+   Tcg2Protocol = MeasureBootProtocols->Tcg2Protocol;
+   CcProtocol   = MeasureBootProtocols->CcProtocol;
+@@ -420,18 +420,22 @@ Tcg2MeasurePeImage (
+   }
+ 
+   FilePathSize = (UINT32)GetDevicePathSize (FilePath);
++  Status       = SanitizePeImageEventSize (FilePathSize, &EventSize);
++  if (EFI_ERROR (Status)) {
++    return EFI_UNSUPPORTED;
++  }
+ 
+   //
+   // Determine destination PCR by BootPolicy
+   //
+-  EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
+-  EventPtr  = AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event));
++  // from a malicious GPT disk partition
++  EventPtr = AllocateZeroPool (EventSize);
+   if (EventPtr == NULL) {
+     return EFI_OUT_OF_RESOURCES;
+   }
+ 
+   Tcg2Event                       = (EFI_TCG2_EVENT *)EventPtr;
+-  Tcg2Event->Size                 = EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event);
++  Tcg2Event->Size                 = EventSize;
+   Tcg2Event->Header.HeaderSize    = sizeof (EFI_TCG2_EVENT_HEADER);
+   Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
+   ImageLoad                       = (EFI_IMAGE_LOAD_EVENT *)Tcg2Event->Event;
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+index e2309655d3..2a4d52c6d5 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
+@@ -151,7 +151,7 @@ SanitizeEfiPartitionTableHeader (
+ }
+ 
+ /**
+-  This function will validate that the allocation size from the primary header is sane
++ This function will validate that the allocation size from the primary header is sane
+   It will check the following:
+     - AllocationSize does not overflow
+ 
+@@ -273,3 +273,47 @@ SanitizePrimaryHeaderGptEventSize (
+ 
+   return EFI_SUCCESS;
+ }
++
++/**
++  This function will validate that the PeImage Event Size from the loaded image is sane
++  It will check the following:
++    - EventSize does not overflow
++
++  @param[in] FilePathSize - Size of the file path.
++  @param[out] EventSize - Pointer to the event size.
++
++  @retval EFI_SUCCESS
++    The event size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    Overflow would have occurred.
++
++  @retval EFI_INVALID_PARAMETER
++    One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePeImageEventSize (
++  IN  UINT32  FilePathSize,
++  OUT UINT32  *EventSize
++  )
++{
++  EFI_STATUS  Status;
++
++  // Replacing logic:
++  // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
++  Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  // Replacing logic:
++  // EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event)
++  Status = SafeUint32Add (*EventSize, OFFSET_OF (EFI_TCG2_EVENT, Event), EventSize);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  return EFI_SUCCESS;
++}
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+index 048b738987..8f72ba4240 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
+@@ -9,6 +9,9 @@
+   Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse
+   partition data carefully.
+ 
++  Tcg2MeasurePeImage() function will accept untrusted PE/COFF image and validate its
++  data structure within this image buffer before use.
++
+   Copyright (c) Microsoft Corporation.<BR>
+   SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+@@ -110,4 +113,27 @@ SanitizePrimaryHeaderGptEventSize (
+   OUT UINT32                            *EventSize
+   );
+ 
+-#endif // DXE_TPM2_MEASURE_BOOT_LIB_SANITATION_
++/**
++  This function will validate that the PeImage Event Size from the loaded image is sane
++  It will check the following:
++    - EventSize does not overflow
++
++  @param[in] FilePathSize - Size of the file path.
++  @param[out] EventSize - Pointer to the event size.
++
++  @retval EFI_SUCCESS
++    The event size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    Overflow would have occurred.
++
++  @retval EFI_INVALID_PARAMETER
++    One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePeImageEventSize (
++  IN  UINT32  FilePathSize,
++  OUT UINT32  *EventSize
++  );
++
++#endif // DXE_TPM2_MEASURE_BOOT_LIB_VALIDATION_
+diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+index 3eb9763e3c..820e99aeb9 100644
+--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
++++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
+@@ -72,10 +72,10 @@ TestSanitizeEfiPartitionTableHeader (
+   PrimaryHeader.Header.Revision          = DEFAULT_PRIMARY_TABLE_HEADER_REVISION;
+   PrimaryHeader.Header.HeaderSize        = sizeof (EFI_PARTITION_TABLE_HEADER);
+   PrimaryHeader.MyLBA                    = 1;
+-  PrimaryHeader.AlternateLBA             = 2;
+-  PrimaryHeader.FirstUsableLBA           = 3;
+-  PrimaryHeader.LastUsableLBA            = 4;
+-  PrimaryHeader.PartitionEntryLBA        = 5;
++  PrimaryHeader.PartitionEntryLBA        = 2;
++  PrimaryHeader.AlternateLBA             = 3;
++  PrimaryHeader.FirstUsableLBA           = 4;
++  PrimaryHeader.LastUsableLBA            = 5;
+   PrimaryHeader.NumberOfPartitionEntries = DEFAULT_PRIMARY_TABLE_HEADER_NUMBER_OF_PARTITION_ENTRIES;
+   PrimaryHeader.SizeOfPartitionEntry     = DEFAULT_PRIMARY_TABLE_HEADER_SIZE_OF_PARTITION_ENTRY;
+   PrimaryHeader.PartitionEntryArrayCRC32 = 0; // Purposely invalid
+@@ -187,11 +187,6 @@ TestSanitizePrimaryHeaderGptEventSize (
+   EFI_STATUS                  Status;
+   EFI_PARTITION_TABLE_HEADER  PrimaryHeader;
+   UINTN                       NumberOfPartition;
+-  EFI_GPT_DATA                *GptData;
+-  EFI_TCG2_EVENT              *Tcg2Event;
+-
+-  Tcg2Event = NULL;
+-  GptData   = NULL;
+ 
+   // Test that a normal PrimaryHeader passes validation
+   PrimaryHeader.NumberOfPartitionEntries = 5;
+@@ -225,6 +220,52 @@ TestSanitizePrimaryHeaderGptEventSize (
+   return UNIT_TEST_PASSED;
+ }
+ 
++/**
++  This function tests the SanitizePeImageEventSize function.
++  It's intent is to test that the untrusted input from a file path when generating a
++  EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating
++  the event size when allocating space
++
++  @param[in] Context  The unit test context.
++
++  @retval UNIT_TEST_PASSED  The test passed.
++  @retval UNIT_TEST_ERROR_TEST_FAILED  The test failed.
++**/
++UNIT_TEST_STATUS
++EFIAPI
++TestSanitizePeImageEventSize (
++  IN UNIT_TEST_CONTEXT  Context
++  )
++{
++  UINT32      EventSize;
++  UINTN       ExistingLogicEventSize;
++  UINT32      FilePathSize;
++  EFI_STATUS  Status;
++
++  FilePathSize = 255;
++
++  // Test that a normal PE image passes validation
++  Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
++  UT_ASSERT_EQUAL (Status, EFI_SUCCESS);
++
++  // Test that the event size is correct compared to the existing logic
++  ExistingLogicEventSize  = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize;
++  ExistingLogicEventSize += OFFSET_OF (EFI_TCG2_EVENT, Event);
++
++  if (EventSize != ExistingLogicEventSize) {
++    UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. Expected %u, got %u\n", ExistingLogicEventSize, EventSize);
++    return UNIT_TEST_ERROR_TEST_FAILED;
++  }
++
++  // Test that the event size may not overflow
++  Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
++  UT_ASSERT_EQUAL (Status, EFI_BAD_BUFFER_SIZE);
++
++  DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
++
++  return UNIT_TEST_PASSED;
++}
++
+ // *--------------------------------------------------------------------*
+ // *  Unit Test Code Main Function
+ // *--------------------------------------------------------------------*
+@@ -267,6 +308,7 @@ UefiTestMain (
+   AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.Tcg2MeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
+   AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
+   AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
++  AddTestCase (Tcg2MeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.Tcg2MeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL);
+ 
+   Status = RunAllTestSuites (Framework);
+ 
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2022-36764-0002.patch

@@ -0,0 +1,281 @@
+From 0d341c01eeabe0ab5e76693b36e728b8f538a40e Mon Sep 17 00:00:00 2001
+From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
+Date: Fri, 12 Jan 2024 02:16:05 +0800
+Subject: [PATCH] SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 
+ 2022-36764
+
+This commit contains the patch files and tests for DxeTpmMeasureBootLib
+CVE 2022-36764.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+CVE: CVE-2022-36764
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/0d341c01eeabe0ab5e76693b36e728b8f538a40e]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../DxeTpmMeasureBootLib.c                    | 13 ++-
+ .../DxeTpmMeasureBootLibSanitization.c        | 44 +++++++++
+ .../DxeTpmMeasureBootLibSanitization.h        | 23 +++++
+ .../DxeTpmMeasureBootLibSanitizationTest.c    | 98 +++++++++++++++++--
+ 4 files changed, 168 insertions(+), 10 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+index 669ab19134..a9fc440a09 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+@@ -17,6 +17,7 @@
+ 
+ Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
++Copyright (c) Microsoft Corporation.<BR>
+ 
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+@@ -345,18 +346,22 @@ TcgMeasurePeImage (
+   ImageLoad     = NULL;
+   SectionHeader = NULL;
+   Sha1Ctx       = NULL;
++  TcgEvent      = NULL;
+   FilePathSize  = (UINT32)GetDevicePathSize (FilePath);
+ 
+-  //
+   // Determine destination PCR by BootPolicy
+   //
+-  EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
+-  TcgEvent  = AllocateZeroPool (EventSize + sizeof (TCG_PCR_EVENT));
++  Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
++  if (EFI_ERROR (Status)) {
++    return EFI_UNSUPPORTED;
++  }
++
++  TcgEvent = AllocateZeroPool (EventSize);
+   if (TcgEvent == NULL) {
+     return EFI_OUT_OF_RESOURCES;
+   }
+ 
+-  TcgEvent->EventSize = EventSize;
++  TcgEvent->EventSize = EventSize - sizeof (TCG_PCR_EVENT_HDR);
+   ImageLoad           = (EFI_IMAGE_LOAD_EVENT *)TcgEvent->Event;
+ 
+   switch (ImageType) {
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+index a3fa46f5e6..c989851cec 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
+@@ -239,3 +239,47 @@ SanitizePrimaryHeaderGptEventSize (
+ 
+   return EFI_SUCCESS;
+ }
++
++/**
++  This function will validate that the PeImage Event Size from the loaded image is sane
++  It will check the following:
++    - EventSize does not overflow
++
++  @param[in] FilePathSize - Size of the file path.
++  @param[out] EventSize - Pointer to the event size.
++
++  @retval EFI_SUCCESS
++    The event size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    Overflow would have occurred.
++
++  @retval EFI_INVALID_PARAMETER
++    One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePeImageEventSize (
++  IN  UINT32  FilePathSize,
++  OUT UINT32  *EventSize
++  )
++{
++  EFI_STATUS  Status;
++
++  // Replacing logic:
++  // sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
++  Status = SafeUint32Add (OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath), FilePathSize, EventSize);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  // Replacing logic:
++  // EventSize + sizeof (TCG_PCR_EVENT_HDR)
++  Status = SafeUint32Add (*EventSize, sizeof (TCG_PCR_EVENT_HDR), EventSize);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "EventSize would overflow!\n"));
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  return EFI_SUCCESS;
++}
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+index 0d9d00c281..2248495813 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
+@@ -111,4 +111,27 @@ SanitizePrimaryHeaderGptEventSize (
+   OUT UINT32                            *EventSize
+   );
+ 
++/**
++  This function will validate that the PeImage Event Size from the loaded image is sane
++  It will check the following:
++    - EventSize does not overflow
++
++  @param[in] FilePathSize - Size of the file path.
++  @param[out] EventSize - Pointer to the event size.
++
++  @retval EFI_SUCCESS
++    The event size is valid.
++
++  @retval EFI_OUT_OF_RESOURCES
++    Overflow would have occurred.
++
++  @retval EFI_INVALID_PARAMETER
++    One of the passed parameters was invalid.
++**/
++EFI_STATUS
++SanitizePeImageEventSize (
++  IN  UINT32  FilePathSize,
++  OUT UINT32  *EventSize
++  );
++
+ #endif // DXE_TPM_MEASURE_BOOT_LIB_VALIDATION_
+diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+index eeb928cdb0..c41498be45 100644
+--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
++++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
+@@ -1,8 +1,8 @@
+ /** @file
+-This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
++  This file includes the unit test cases for the DxeTpmMeasureBootLibSanitizationTest.c.
+ 
+-Copyright (c) Microsoft Corporation.<BR>
+-SPDX-License-Identifier: BSD-2-Clause-Patent
++  Copyright (c) Microsoft Corporation.<BR>
++  SPDX-License-Identifier: BSD-2-Clause-Patent
+ **/
+ 
+ #include <Uefi.h>
+@@ -186,9 +186,6 @@ TestSanitizePrimaryHeaderGptEventSize (
+   EFI_STATUS                  Status;
+   EFI_PARTITION_TABLE_HEADER  PrimaryHeader;
+   UINTN                       NumberOfPartition;
+-  EFI_GPT_DATA                *GptData;
+-
+-  GptData = NULL;
+ 
+   // Test that a normal PrimaryHeader passes validation
+   PrimaryHeader.NumberOfPartitionEntries = 5;
+@@ -222,6 +219,94 @@ TestSanitizePrimaryHeaderGptEventSize (
+   return UNIT_TEST_PASSED;
+ }
+ 
++/**
++  This function tests the SanitizePeImageEventSize function.
++  It's intent is to test that the untrusted input from a file path for an
++  EFI_IMAGE_LOAD_EVENT structure will not cause an overflow when calculating
++  the event size when allocating space.
++
++  @param[in] Context  The unit test context.
++
++  @retval UNIT_TEST_PASSED  The test passed.
++  @retval UNIT_TEST_ERROR_TEST_FAILED  The test failed.
++**/
++UNIT_TEST_STATUS
++EFIAPI
++TestSanitizePeImageEventSize (
++  IN UNIT_TEST_CONTEXT  Context
++  )
++{
++  UINT32                    EventSize;
++  UINTN                     ExistingLogicEventSize;
++  UINT32                    FilePathSize;
++  EFI_STATUS                Status;
++  EFI_DEVICE_PATH_PROTOCOL  DevicePath;
++  EFI_IMAGE_LOAD_EVENT      *ImageLoadEvent;
++  UNIT_TEST_STATUS          TestStatus;
++
++  TestStatus = UNIT_TEST_ERROR_TEST_FAILED;
++
++  // Generate EFI_DEVICE_PATH_PROTOCOL test data
++  DevicePath.Type      = 0;
++  DevicePath.SubType   = 0;
++  DevicePath.Length[0] = 0;
++  DevicePath.Length[1] = 0;
++
++  // Generate EFI_IMAGE_LOAD_EVENT test data
++  ImageLoadEvent = AllocateZeroPool (sizeof (EFI_IMAGE_LOAD_EVENT) + sizeof (EFI_DEVICE_PATH_PROTOCOL));
++  if (ImageLoadEvent == NULL) {
++    DEBUG ((DEBUG_ERROR, "%a: AllocateZeroPool failed\n", __func__));
++    goto Exit;
++  }
++
++  // Populate EFI_IMAGE_LOAD_EVENT54 test data
++  ImageLoadEvent->ImageLocationInMemory = (EFI_PHYSICAL_ADDRESS)0x12345678;
++  ImageLoadEvent->ImageLengthInMemory   = 0x1000;
++  ImageLoadEvent->ImageLinkTimeAddress  = (UINTN)ImageLoadEvent;
++  ImageLoadEvent->LengthOfDevicePath    = sizeof (EFI_DEVICE_PATH_PROTOCOL);
++  CopyMem (ImageLoadEvent->DevicePath, &DevicePath, sizeof (EFI_DEVICE_PATH_PROTOCOL));
++
++  FilePathSize = 255;
++
++  // Test that a normal PE image passes validation
++  Status = SanitizePeImageEventSize (FilePathSize, &EventSize);
++  if (EFI_ERROR (Status)) {
++    UT_LOG_ERROR ("SanitizePeImageEventSize failed with %r\n", Status);
++    goto Exit;
++  }
++
++  // Test that the event size is correct compared to the existing logic
++  ExistingLogicEventSize  = OFFSET_OF (EFI_IMAGE_LOAD_EVENT, DevicePath) + FilePathSize;
++  ExistingLogicEventSize += sizeof (TCG_PCR_EVENT_HDR);
++
++  if (EventSize != ExistingLogicEventSize) {
++    UT_LOG_ERROR ("SanitizePeImageEventSize returned an incorrect event size. Expected %u, got %u\n", ExistingLogicEventSize, EventSize);
++    goto Exit;
++  }
++
++  // Test that the event size may not overflow
++  Status = SanitizePeImageEventSize (MAX_UINT32, &EventSize);
++  if (Status != EFI_BAD_BUFFER_SIZE) {
++    UT_LOG_ERROR ("SanitizePeImageEventSize succeded when it was supposed to fail with %r\n", Status);
++    goto Exit;
++  }
++
++  TestStatus = UNIT_TEST_PASSED;
++Exit:
++
++  if (ImageLoadEvent != NULL) {
++    FreePool (ImageLoadEvent);
++  }
++
++  if (TestStatus == UNIT_TEST_ERROR_TEST_FAILED) {
++    DEBUG ((DEBUG_ERROR, "%a: Test failed\n", __func__));
++  } else {
++    DEBUG ((DEBUG_INFO, "%a: Test passed\n", __func__));
++  }
++
++  return TestStatus;
++}
++
+ // *--------------------------------------------------------------------*
+ // *  Unit Test Code Main Function
+ // *--------------------------------------------------------------------*
+@@ -265,6 +350,7 @@ UefiTestMain (
+   AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Validating EFI Partition Table", "Common.TcgMeasureBootLibValidation", TestSanitizeEfiPartitionTableHeader, NULL, NULL, NULL);
+   AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header gpt event checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderAllocationSize, NULL, NULL, NULL);
+   AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests Primary header allocation size checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePrimaryHeaderGptEventSize, NULL, NULL, NULL);
++  AddTestCase (TcgMeasureBootLibValidationTestSuite, "Tests PE Image and FileSize checks for overflow", "Common.TcgMeasureBootLibValidation", TestSanitizePeImageEventSize, NULL, NULL, NULL);
+ 
+   Status = RunAllTestSuites (Framework);
+ 
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2022-36764-0003.patch

@@ -0,0 +1,48 @@
+From 8f6d343ae639fba8e4b80e45257275e23083431f Mon Sep 17 00:00:00 2001
+From: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>
+Date: Fri, 12 Jan 2024 02:16:06 +0800
+Subject: [PATCH] SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml
+
+This creates / adds a security file that tracks the security fixes
+found in this package and can be used to find the fixes that were
+applied.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+CVE: CVE-2022-36764
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/8f6d343ae639fba8e4b80e45257275e23083431f]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ SecurityPkg/SecurityFixes.yaml | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
+index f9e3e7be74..833fb827a9 100644
+--- a/SecurityPkg/SecurityFixes.yaml
++++ b/SecurityPkg/SecurityFixes.yaml
+@@ -20,3 +20,17 @@ CVE_2022_36763:
+   - https://bugzilla.tianocore.org/show_bug.cgi?id=4117
+   - https://bugzilla.tianocore.org/show_bug.cgi?id=2168
+   - https://bugzilla.tianocore.org/show_bug.cgi?id=1990
++CVE_2022_36764:
++  commit_titles:
++     - "SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764"
++     - "SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764"
++     - "SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml"
++  cve: CVE-2022-36764
++  date_reported: 2022-10-25 12:23 UTC
++  description: Heap Buffer Overflow in Tcg2MeasurePeImage()
++  note:
++  files_impacted:
++  - Library\DxeTpm2MeasureBootLib\DxeTpm2MeasureBootLib.c
++  - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
++  links:
++  - https://bugzilla.tianocore.org/show_bug.cgi?id=4118
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0001.patch

@@ -0,0 +1,179 @@
+From 59f024c76ee57c2bec84794536302fc770cd6ec2 Mon Sep 17 00:00:00 2001
+From: Gua Guo <gua.guo@intel.com>
+Date: Thu, 11 Jan 2024 13:01:19 +0800
+Subject: [PATCH] UefiPayloadPkg/Hob: Integer Overflow in CreateHob()
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
+
+Fix integer overflow in various CreateHob instances.
+Fixes: CVE-2022-36765
+
+The CreateHob() function aligns the requested size to 8
+performing the following operation:
+```
+HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
+```
+
+No checks are performed to ensure this value doesn't
+overflow, and could lead to CreateHob() returning a smaller
+HOB than requested, which could lead to OOB HOB accesses.
+
+Reported-by: Marc Beatove <mbeatove@google.com>
+Cc: Guo Dong <guo.dong@intel.com>
+Cc: Sean Rhodes <sean@starlabs.systems>
+Cc: James Lu <james.lu@intel.com>
+Reviewed-by: Gua Guo <gua.guo@intel.com>
+Cc: John Mathew <john.mathews@intel.com>
+Authored-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Gua Guo <gua.guo@intel.com>
+
+CVE: CVE-2022-36765
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/59f024c76ee57c2bec84794536302fc770cd6ec2]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../Library/PayloadEntryHobLib/Hob.c          | 43 +++++++++++++++++++
+ .../UefiPayloadEntry/UniversalPayloadEntry.c  |  8 ++--
+ 2 files changed, 48 insertions(+), 3 deletions(-)
+
+diff --git a/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c b/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
+index 2c3acbbc19..51c2e28d7d 100644
+--- a/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
++++ b/UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c
+@@ -110,6 +110,13 @@ CreateHob (
+ 
+   HandOffHob = GetHobList ();
+ 
++  //
++  // Check Length to avoid data overflow.
++  //
++  if (HobLength > MAX_UINT16 - 0x7) {
++    return NULL;
++  }
++
+   HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
+ 
+   FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
+@@ -160,6 +167,9 @@ BuildResourceDescriptorHob (
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR));
+   ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   Hob->ResourceType      = ResourceType;
+   Hob->ResourceAttribute = ResourceAttribute;
+@@ -330,6 +340,10 @@ BuildModuleHob (
+     );
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid);
+   Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule;
+@@ -378,6 +392,11 @@ BuildGuidHob (
+   ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE)));
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return NULL;
++  }
++
+   CopyGuid (&Hob->Name, Guid);
+   return Hob + 1;
+ }
+@@ -441,6 +460,10 @@ BuildFvHob (
+   EFI_HOB_FIRMWARE_VOLUME  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   Hob->BaseAddress = BaseAddress;
+   Hob->Length      = Length;
+@@ -472,6 +495,10 @@ BuildFv2Hob (
+   EFI_HOB_FIRMWARE_VOLUME2  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   Hob->BaseAddress = BaseAddress;
+   Hob->Length      = Length;
+@@ -513,6 +540,10 @@ BuildFv3Hob (
+   EFI_HOB_FIRMWARE_VOLUME3  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_FV3, sizeof (EFI_HOB_FIRMWARE_VOLUME3));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   Hob->BaseAddress          = BaseAddress;
+   Hob->Length               = Length;
+@@ -546,6 +577,10 @@ BuildCpuHob (
+   EFI_HOB_CPU  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   Hob->SizeOfMemorySpace = SizeOfMemorySpace;
+   Hob->SizeOfIoSpace     = SizeOfIoSpace;
+@@ -583,6 +618,10 @@ BuildStackHob (
+     );
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_STACK));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   CopyGuid (&(Hob->AllocDescriptor.Name), &gEfiHobMemoryAllocStackGuid);
+   Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
+@@ -664,6 +703,10 @@ BuildMemoryAllocationHob (
+     );
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID));
+   Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
+diff --git a/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c b/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c
+index edb3c20471..abfe75bd7b 100644
+--- a/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c
++++ b/UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c
+@@ -111,10 +111,12 @@ AddNewHob (
+   }
+ 
+   NewHob.Header = CreateHob (Hob->Header->HobType, Hob->Header->HobLength);
+-
+-  if (NewHob.Header != NULL) {
+-    CopyMem (NewHob.Header + 1, Hob->Header + 1, Hob->Header->HobLength - sizeof (EFI_HOB_GENERIC_HEADER));
++  ASSERT (NewHob.Header != NULL);
++  if (NewHob.Header == NULL) {
++    return;
+   }
++
++  CopyMem (NewHob.Header + 1, Hob->Header + 1, Hob->Header->HobLength - sizeof (EFI_HOB_GENERIC_HEADER));
+ }
+ 
+ /**
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0002.patch

@@ -0,0 +1,157 @@
+From aeaee8944f0eaacbf4cdf39279785b9ba4836bb6 Mon Sep 17 00:00:00 2001
+From: Gua Guo <gua.guo@intel.com>
+Date: Thu, 11 Jan 2024 13:07:50 +0800
+Subject: [PATCH] EmbeddedPkg/Hob: Integer Overflow in CreateHob()
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
+
+Fix integer overflow in various CreateHob instances.
+Fixes: CVE-2022-36765
+
+The CreateHob() function aligns the requested size to 8
+performing the following operation:
+```
+HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
+```
+
+No checks are performed to ensure this value doesn't
+overflow, and could lead to CreateHob() returning a smaller
+HOB than requested, which could lead to OOB HOB accesses.
+
+Reported-by: Marc Beatove <mbeatove@google.com>
+Cc: Leif Lindholm <quic_llindhol@quicinc.com>
+Reviewed-by: Ard Biesheuvel <ardb+tianocore@kernel.org>
+Cc: Abner Chang <abner.chang@amd.com>
+Cc: John Mathew <john.mathews@intel.com>
+Authored-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Gua Guo <gua.guo@intel.com>
+
+CVE: CVE-2022-36765
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/aeaee8944f0eaacbf4cdf39279785b9ba4836bb6]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ EmbeddedPkg/Library/PrePiHobLib/Hob.c | 43 +++++++++++++++++++++++++++
+ 1 file changed, 43 insertions(+)
+
+diff --git a/EmbeddedPkg/Library/PrePiHobLib/Hob.c b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
+index 8eb175aa96..cbc35152cc 100644
+--- a/EmbeddedPkg/Library/PrePiHobLib/Hob.c
++++ b/EmbeddedPkg/Library/PrePiHobLib/Hob.c
+@@ -110,6 +110,13 @@ CreateHob (
+ 
+   HandOffHob = GetHobList ();
+ 
++  //
++  // Check Length to avoid data overflow.
++  //
++  if (HobLength > MAX_UINT16 - 0x7) {
++    return NULL;
++  }
++
+   HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
+ 
+   FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
+@@ -160,6 +167,9 @@ BuildResourceDescriptorHob (
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR));
+   ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   Hob->ResourceType      = ResourceType;
+   Hob->ResourceAttribute = ResourceAttribute;
+@@ -401,6 +411,10 @@ BuildModuleHob (
+     );
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid);
+   Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule;
+@@ -449,6 +463,11 @@ BuildGuidHob (
+   ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE)));
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return NULL;
++  }
++
+   CopyGuid (&Hob->Name, Guid);
+   return Hob + 1;
+ }
+@@ -512,6 +531,10 @@ BuildFvHob (
+   EFI_HOB_FIRMWARE_VOLUME  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   Hob->BaseAddress = BaseAddress;
+   Hob->Length      = Length;
+@@ -543,6 +566,10 @@ BuildFv2Hob (
+   EFI_HOB_FIRMWARE_VOLUME2  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   Hob->BaseAddress = BaseAddress;
+   Hob->Length      = Length;
+@@ -584,6 +611,10 @@ BuildFv3Hob (
+   EFI_HOB_FIRMWARE_VOLUME3  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_FV3, sizeof (EFI_HOB_FIRMWARE_VOLUME3));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   Hob->BaseAddress          = BaseAddress;
+   Hob->Length               = Length;
+@@ -639,6 +670,10 @@ BuildCpuHob (
+   EFI_HOB_CPU  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   Hob->SizeOfMemorySpace = SizeOfMemorySpace;
+   Hob->SizeOfIoSpace     = SizeOfIoSpace;
+@@ -676,6 +711,10 @@ BuildStackHob (
+     );
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_STACK));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   CopyGuid (&(Hob->AllocDescriptor.Name), &gEfiHobMemoryAllocStackGuid);
+   Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
+@@ -756,6 +795,10 @@ BuildMemoryAllocationHob (
+     );
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID));
+   Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2022-36765-0003.patch

@@ -0,0 +1,135 @@
+From 9a75b030cf27d2530444e9a2f9f11867f79bf679 Mon Sep 17 00:00:00 2001
+From: Gua Guo <gua.guo@intel.com>
+Date: Thu, 11 Jan 2024 13:03:26 +0800
+Subject: [PATCH] StandaloneMmPkg/Hob: Integer Overflow in CreateHob()
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
+
+Fix integer overflow in various CreateHob instances.
+Fixes: CVE-2022-36765
+
+The CreateHob() function aligns the requested size to 8
+performing the following operation:
+```
+HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
+```
+
+No checks are performed to ensure this value doesn't
+overflow, and could lead to CreateHob() returning a smaller
+HOB than requested, which could lead to OOB HOB accesses.
+
+Reported-by: Marc Beatove <mbeatove@google.com>
+Reviewed-by: Ard Biesheuvel <ardb+tianocore@kernel.org>
+Cc: Sami Mujawar <sami.mujawar@arm.com>
+Reviewed-by: Ray Ni <ray.ni@intel.com>
+Cc: John Mathew <john.mathews@intel.com>
+Authored-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Gua Guo <gua.guo@intel.com>
+
+CVE: CVE-2022-36765
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/9a75b030cf27d2530444e9a2f9f11867f79bf679]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../Arm/StandaloneMmCoreHobLib.c              | 35 +++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
+index 1550e1babc..59473e28fe 100644
+--- a/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
++++ b/StandaloneMmPkg/Library/StandaloneMmCoreHobLib/Arm/StandaloneMmCoreHobLib.c
+@@ -34,6 +34,13 @@ CreateHob (
+ 
+   HandOffHob = GetHobList ();
+ 
++  //
++  // Check Length to avoid data overflow.
++  //
++  if (HobLength > MAX_UINT16 - 0x7) {
++    return NULL;
++  }
++
+   HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
+ 
+   FreeMemory = HandOffHob->EfiFreeMemoryTop - HandOffHob->EfiFreeMemoryBottom;
+@@ -89,6 +96,10 @@ BuildModuleHob (
+     );
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION_MODULE));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   CopyGuid (&(Hob->MemoryAllocationHeader.Name), &gEfiHobMemoryAllocModuleGuid);
+   Hob->MemoryAllocationHeader.MemoryBaseAddress = MemoryAllocationModule;
+@@ -129,6 +140,9 @@ BuildResourceDescriptorHob (
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_RESOURCE_DESCRIPTOR, sizeof (EFI_HOB_RESOURCE_DESCRIPTOR));
+   ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   Hob->ResourceType      = ResourceType;
+   Hob->ResourceAttribute = ResourceAttribute;
+@@ -167,6 +181,11 @@ BuildGuidHob (
+   ASSERT (DataLength <= (0xffff - sizeof (EFI_HOB_GUID_TYPE)));
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_GUID_EXTENSION, (UINT16)(sizeof (EFI_HOB_GUID_TYPE) + DataLength));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return NULL;
++  }
++
+   CopyGuid (&Hob->Name, Guid);
+   return Hob + 1;
+ }
+@@ -226,6 +245,10 @@ BuildFvHob (
+   EFI_HOB_FIRMWARE_VOLUME  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_FV, sizeof (EFI_HOB_FIRMWARE_VOLUME));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   Hob->BaseAddress = BaseAddress;
+   Hob->Length      = Length;
+@@ -255,6 +278,10 @@ BuildFv2Hob (
+   EFI_HOB_FIRMWARE_VOLUME2  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_FV2, sizeof (EFI_HOB_FIRMWARE_VOLUME2));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   Hob->BaseAddress = BaseAddress;
+   Hob->Length      = Length;
+@@ -282,6 +309,10 @@ BuildCpuHob (
+   EFI_HOB_CPU  *Hob;
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_CPU, sizeof (EFI_HOB_CPU));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   Hob->SizeOfMemorySpace = SizeOfMemorySpace;
+   Hob->SizeOfIoSpace     = SizeOfIoSpace;
+@@ -319,6 +350,10 @@ BuildMemoryAllocationHob (
+     );
+ 
+   Hob = CreateHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, sizeof (EFI_HOB_MEMORY_ALLOCATION));
++  ASSERT (Hob != NULL);
++  if (Hob == NULL) {
++    return;
++  }
+ 
+   ZeroMem (&(Hob->AllocDescriptor.Name), sizeof (EFI_GUID));
+   Hob->AllocDescriptor.MemoryBaseAddress = BaseAddress;
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0001.patch

@@ -0,0 +1,604 @@
+From 1dbb10cc52dc8ef49bb700daa1cefc76b26d52e0 Mon Sep 17 00:00:00 2001
+From: "Doug Flick via groups.io" <dougflick=microsoft.com@groups.io>
+Date: Fri, 26 Jan 2024 05:54:46 +0800
+Subject: [PATCH] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534
+
+Bug Details:
+PixieFail Bug #1
+CVE-2023-45229
+CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+CWE-125 Out-of-bounds Read
+
+Change Overview:
+
+Introduce Dhcp6SeekInnerOptionSafe which performs checks before seeking
+the Inner Option from a DHCP6 Option.
+
+>
+> EFI_STATUS
+> Dhcp6SeekInnerOptionSafe (
+>  IN  UINT16  IaType,
+>  IN  UINT8   *Option,
+>  IN  UINT32  OptionLen,
+>  OUT UINT8   **IaInnerOpt,
+>  OUT UINT16  *IaInnerLen
+>  );
+>
+
+Lots of code cleanup to improve code readability.
+
+Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
+Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
+
+CVE: CVE-2023-45229
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/1dbb10cc52dc8ef49bb700daa1cefc76b26d52e0]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | 138 +++++++++++++++++++---
+ NetworkPkg/Dhcp6Dxe/Dhcp6Io.c   | 203 +++++++++++++++++++++-----------
+ 2 files changed, 256 insertions(+), 85 deletions(-)
+
+diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
+index f2422c2f28..220e7c68f1 100644
+--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
++++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
+@@ -45,6 +45,20 @@ typedef struct _DHCP6_INSTANCE  DHCP6_INSTANCE;
+ #define DHCP6_SERVICE_SIGNATURE   SIGNATURE_32 ('D', 'H', '6', 'S')
+ #define DHCP6_INSTANCE_SIGNATURE  SIGNATURE_32 ('D', 'H', '6', 'I')
+ 
++#define DHCP6_PACKET_ALL        0
++#define DHCP6_PACKET_STATEFUL   1
++#define DHCP6_PACKET_STATELESS  2
++
++#define DHCP6_BASE_PACKET_SIZE  1024
++
++#define DHCP6_PORT_CLIENT  546
++#define DHCP6_PORT_SERVER  547
++
++#define DHCP_CHECK_MEDIA_WAITING_TIME  EFI_TIMER_PERIOD_SECONDS(20)
++
++#define DHCP6_INSTANCE_FROM_THIS(Instance)  CR ((Instance), DHCP6_INSTANCE, Dhcp6, DHCP6_INSTANCE_SIGNATURE)
++#define DHCP6_SERVICE_FROM_THIS(Service)    CR ((Service), DHCP6_SERVICE, ServiceBinding, DHCP6_SERVICE_SIGNATURE)
++
+ //
+ // For more information on DHCP options see RFC 8415, Section 21.1
+ //
+@@ -59,12 +73,10 @@ typedef struct _DHCP6_INSTANCE  DHCP6_INSTANCE;
+ //    |                      (option-len octets)                      |
+ //    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ //
+-#define DHCP6_SIZE_OF_OPT_CODE  (sizeof(UINT16))
+-#define DHCP6_SIZE_OF_OPT_LEN   (sizeof(UINT16))
++#define DHCP6_SIZE_OF_OPT_CODE  (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpCode))
++#define DHCP6_SIZE_OF_OPT_LEN   (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpLen))
+ 
+-//
+ // Combined size of Code and Length
+-//
+ #define DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN  (DHCP6_SIZE_OF_OPT_CODE + \
+                                               DHCP6_SIZE_OF_OPT_LEN)
+ 
+@@ -73,34 +85,122 @@ STATIC_ASSERT (
+   "Combined size of Code and Length must be 4 per RFC 8415"
+   );
+ 
+-//
+ // Offset to the length is just past the code
+-//
+-#define DHCP6_OPT_LEN_OFFSET(a)  (a + DHCP6_SIZE_OF_OPT_CODE)
++#define DHCP6_OFFSET_OF_OPT_LEN(a)  (a + DHCP6_SIZE_OF_OPT_CODE)
+ STATIC_ASSERT (
+-  DHCP6_OPT_LEN_OFFSET (0) == 2,
++  DHCP6_OFFSET_OF_OPT_LEN (0) == 2,
+   "Offset of length is + 2 past start of option"
+   );
+ 
+-#define DHCP6_OPT_DATA_OFFSET(a)  (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)
++#define DHCP6_OFFSET_OF_OPT_DATA(a)  (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)
+ STATIC_ASSERT (
+-  DHCP6_OPT_DATA_OFFSET (0) == 4,
++  DHCP6_OFFSET_OF_OPT_DATA (0) == 4,
+   "Offset to option data should be +4 from start of option"
+   );
++//
++// Identity Association options (both NA (Non-Temporary) and TA (Temporary Association))
++// are defined in RFC 8415 and are a deriviation of a TLV stucture
++// For more information on IA_NA see Section 21.4
++// For more information on IA_TA see Section 21.5
++//
++//
++//  The format of IA_NA and IA_TA option:
++//
++//     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
++//    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++//    |          OPTION_IA_NA         |          option-len           |
++//    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++//    |                        IAID (4 octets)                        |
++//    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++//    |                        T1 (only for IA_NA)                    |
++//    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++//    |                        T2 (only for IA_NA)                    |
++//    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++//    |                                                               |
++//    .                  IA_NA-options/IA_TA-options                  .
++//    .                                                               .
++//    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++//
++#define DHCP6_SIZE_OF_IAID           (sizeof(UINT32))
++#define DHCP6_SIZE_OF_TIME_INTERVAL  (sizeof(UINT32))
+ 
+-#define DHCP6_PACKET_ALL        0
+-#define DHCP6_PACKET_STATEFUL   1
+-#define DHCP6_PACKET_STATELESS  2
++// Combined size of IAID, T1, and T2
++#define DHCP6_SIZE_OF_COMBINED_IAID_T1_T2  (DHCP6_SIZE_OF_IAID +  \
++                                            DHCP6_SIZE_OF_TIME_INTERVAL + \
++                                            DHCP6_SIZE_OF_TIME_INTERVAL)
++STATIC_ASSERT (
++  DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 == 12,
++  "Combined size of IAID, T1, T2 must be 12 per RFC 8415"
++  );
+ 
+-#define DHCP6_BASE_PACKET_SIZE  1024
++// This is the size of IA_TA without options
++#define DHCP6_MIN_SIZE_OF_IA_TA  (DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \
++                                  DHCP6_SIZE_OF_IAID)
++STATIC_ASSERT (
++  DHCP6_MIN_SIZE_OF_IA_TA == 8,
++  "Minimum combined size of IA_TA per RFC 8415"
++  );
+ 
+-#define DHCP6_PORT_CLIENT  546
+-#define DHCP6_PORT_SERVER  547
++// Offset to a IA_TA inner option
++#define DHCP6_OFFSET_OF_IA_TA_INNER_OPT(a)  (a + DHCP6_MIN_SIZE_OF_IA_TA)
++STATIC_ASSERT (
++  DHCP6_OFFSET_OF_IA_TA_INNER_OPT (0) == 8,
++  "Offset of IA_TA Inner option is + 8 past start of option"
++  );
+ 
+-#define DHCP_CHECK_MEDIA_WAITING_TIME  EFI_TIMER_PERIOD_SECONDS(20)
++// This is the size of IA_NA without options (16)
++#define DHCP6_MIN_SIZE_OF_IA_NA  DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \
++                                 DHCP6_SIZE_OF_COMBINED_IAID_T1_T2
++STATIC_ASSERT (
++  DHCP6_MIN_SIZE_OF_IA_NA == 16,
++  "Minimum combined size of IA_TA per RFC 8415"
++  );
+ 
+-#define DHCP6_INSTANCE_FROM_THIS(Instance)  CR ((Instance), DHCP6_INSTANCE, Dhcp6, DHCP6_INSTANCE_SIGNATURE)
+-#define DHCP6_SERVICE_FROM_THIS(Service)    CR ((Service), DHCP6_SERVICE, ServiceBinding, DHCP6_SERVICE_SIGNATURE)
++#define DHCP6_OFFSET_OF_IA_NA_INNER_OPT(a)  (a + DHCP6_MIN_SIZE_OF_IA_NA)
++STATIC_ASSERT (
++  DHCP6_OFFSET_OF_IA_NA_INNER_OPT (0) == 16,
++  "Offset of IA_NA Inner option is + 16 past start of option"
++  );
++
++#define DHCP6_OFFSET_OF_IA_NA_T1(a)  (a + \
++                                   DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \
++                                   DHCP6_SIZE_OF_IAID)
++STATIC_ASSERT (
++  DHCP6_OFFSET_OF_IA_NA_T1 (0) == 8,
++  "Offset of IA_NA Inner option is + 8 past start of option"
++  );
++
++#define DHCP6_OFFSET_OF_IA_NA_T2(a)  (a + \
++                                   DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN +\
++                                   DHCP6_SIZE_OF_IAID + \
++                                   DHCP6_SIZE_OF_TIME_INTERVAL)
++STATIC_ASSERT (
++  DHCP6_OFFSET_OF_IA_NA_T2 (0) == 12,
++  "Offset of IA_NA Inner option is + 12 past start of option"
++  );
++
++//
++// For more information see RFC 8415 Section 21.13
++//
++// The format of the Status Code Option:
++//
++//     0                   1                   2                   3
++//     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
++//    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++//    |       OPTION_STATUS_CODE      |         option-len            |
++//    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++//    |          status-code          |                               |
++//    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
++//    .                                                               .
++//    .                        status-message                         .
++//    .                                                               .
++//    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++//
++#define DHCP6_OFFSET_OF_STATUS_CODE(a)  (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)
++STATIC_ASSERT (
++  DHCP6_OFFSET_OF_STATUS_CODE (0) == 4,
++  "Offset of status is + 4 past start of option"
++  );
+ 
+ extern EFI_IPv6_ADDRESS    mAllDhcpRelayAndServersAddress;
+ extern EFI_DHCP6_PROTOCOL  gDhcp6ProtocolTemplate;
+diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
+index bf5aa7a769..89d16484a5 100644
+--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
++++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
+@@ -598,8 +598,8 @@ Dhcp6UpdateIaInfo (
+   // The inner options still start with 2 bytes option-code and 2 bytes option-len.
+   //
+   if (Instance->Config->IaDescriptor.Type == Dhcp6OptIana) {
+-    T1 = NTOHL (ReadUnaligned32 ((UINT32 *)(Option + 8)));
+-    T2 = NTOHL (ReadUnaligned32 ((UINT32 *)(Option + 12)));
++    T1 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T1 (Option))));
++    T2 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T2 (Option))));
+     //
+     // Refer to RFC3155 Chapter 22.4. If a client receives an IA_NA with T1 greater than T2,
+     // and both T1 and T2 are greater than 0, the client discards the IA_NA option and processes
+@@ -609,13 +609,14 @@ Dhcp6UpdateIaInfo (
+       return EFI_DEVICE_ERROR;
+     }
+ 
+-    IaInnerOpt = Option + 16;
+-    IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 2))) - 12);
++    IaInnerOpt = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);
++    IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_COMBINED_IAID_T1_T2);
+   } else {
+-    T1         = 0;
+-    T2         = 0;
+-    IaInnerOpt = Option + 8;
+-    IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 2))) - 4);
++    T1 = 0;
++    T2 = 0;
++
++    IaInnerOpt = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option);
++    IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_IAID);
+   }
+ 
+   //
+@@ -641,7 +642,7 @@ Dhcp6UpdateIaInfo (
+   Option  = Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode);
+ 
+   if (Option != NULL) {
+-    StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 4)));
++    StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option))));
+     if (StsCode != Dhcp6StsSuccess) {
+       return EFI_DEVICE_ERROR;
+     }
+@@ -661,6 +662,87 @@ Dhcp6UpdateIaInfo (
+   return Status;
+ }
+ 
++/**
++  Seeks the Inner Options from a DHCP6 Option
++
++  @param[in]  IaType          The type of the IA option.
++  @param[in]  Option          The pointer to the DHCP6 Option.
++  @param[in]  OptionLen       The length of the DHCP6 Option.
++  @param[out] IaInnerOpt      The pointer to the IA inner option.
++  @param[out] IaInnerLen      The length of the IA inner option.
++
++  @retval EFI_SUCCESS         Seek the inner option successfully.
++  @retval EFI_DEVICE_ERROR    The OptionLen is invalid. On Error,
++                              the pointers are not modified
++**/
++EFI_STATUS
++Dhcp6SeekInnerOptionSafe (
++  IN  UINT16  IaType,
++  IN  UINT8   *Option,
++  IN  UINT32  OptionLen,
++  OUT UINT8   **IaInnerOpt,
++  OUT UINT16  *IaInnerLen
++  )
++{
++  UINT16  IaInnerLenTmp;
++  UINT8   *IaInnerOptTmp;
++
++  if (Option == NULL) {
++    ASSERT (Option != NULL);
++    return EFI_DEVICE_ERROR;
++  }
++
++  if (IaInnerOpt == NULL) {
++    ASSERT (IaInnerOpt != NULL);
++    return EFI_DEVICE_ERROR;
++  }
++
++  if (IaInnerLen == NULL) {
++    ASSERT (IaInnerLen != NULL);
++    return EFI_DEVICE_ERROR;
++  }
++
++  if (IaType == Dhcp6OptIana) {
++    // Verify we have a fully formed IA_NA
++    if (OptionLen < DHCP6_MIN_SIZE_OF_IA_NA) {
++      return EFI_DEVICE_ERROR;
++    }
++
++    //
++    IaInnerOptTmp = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);
++
++    // Verify the IaInnerLen is valid.
++    IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN (Option)));
++    if (IaInnerLenTmp < DHCP6_SIZE_OF_COMBINED_IAID_T1_T2) {
++      return EFI_DEVICE_ERROR;
++    }
++
++    IaInnerLenTmp -= DHCP6_SIZE_OF_COMBINED_IAID_T1_T2;
++  } else if (IaType == Dhcp6OptIata) {
++    // Verify the OptionLen is valid.
++    if (OptionLen < DHCP6_MIN_SIZE_OF_IA_TA) {
++      return EFI_DEVICE_ERROR;
++    }
++
++    IaInnerOptTmp = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option);
++
++    // Verify the IaInnerLen is valid.
++    IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option))));
++    if (IaInnerLenTmp < DHCP6_SIZE_OF_IAID) {
++      return EFI_DEVICE_ERROR;
++    }
++
++    IaInnerLenTmp -= DHCP6_SIZE_OF_IAID;
++  } else {
++    return EFI_DEVICE_ERROR;
++  }
++
++  *IaInnerOpt = IaInnerOptTmp;
++  *IaInnerLen = IaInnerLenTmp;
++
++  return EFI_SUCCESS;
++}
++
+ /**
+   Seek StatusCode Option in package. A Status Code option may appear in the
+   options field of a DHCP message and/or in the options field of another option.
+@@ -684,6 +766,12 @@ Dhcp6SeekStsOption (
+   UINT8   *IaInnerOpt;
+   UINT16  IaInnerLen;
+   UINT16  StsCode;
++  UINT32  OptionLen;
++
++  // OptionLen is the length of the Options excluding the DHCP header.
++  // Length of the EFI_DHCP6_PACKET from the first byte of the Header field to the last
++  // byte of the Option[] field.
++  OptionLen = Packet->Length - sizeof (Packet->Dhcp6.Header);
+ 
+   //
+   // Seek StatusCode option directly in DHCP message body. That is, search in
+@@ -691,12 +779,12 @@ Dhcp6SeekStsOption (
+   //
+   *Option = Dhcp6SeekOption (
+               Packet->Dhcp6.Option,
+-              Packet->Length - 4,
++              OptionLen,
+               Dhcp6OptStatusCode
+               );
+ 
+   if (*Option != NULL) {
+-    StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 4)));
++    StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_STATUS_CODE (*Option))));
+     if (StsCode != Dhcp6StsSuccess) {
+       return EFI_DEVICE_ERROR;
+     }
+@@ -707,7 +795,7 @@ Dhcp6SeekStsOption (
+   //
+   *Option = Dhcp6SeekIaOption (
+               Packet->Dhcp6.Option,
+-              Packet->Length - sizeof (EFI_DHCP6_HEADER),
++              OptionLen,
+               &Instance->Config->IaDescriptor
+               );
+   if (*Option == NULL) {
+@@ -715,52 +803,35 @@ Dhcp6SeekStsOption (
+   }
+ 
+   //
+-  // The format of the IA_NA option is:
++  // Calculate the distance from Packet->Dhcp6.Option to the IA option.
+   //
+-  //     0                   1                   2                   3
+-  //     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-  //    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-  //    |          OPTION_IA_NA         |          option-len           |
+-  //    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-  //    |                        IAID (4 octets)                        |
+-  //    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-  //    |                              T1                               |
+-  //    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-  //    |                              T2                               |
+-  //    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-  //    |                                                               |
+-  //    .                         IA_NA-options                         .
+-  //    .                                                               .
+-  //    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++  // Packet->Size and Packet->Length are both UINT32 type, and Packet->Size is
++  // the size of the whole packet, including the DHCP header, and Packet->Length
++  // is the length of the DHCP message body, excluding the DHCP header.
+   //
+-  // The format of the IA_TA option is:
++  // (*Option - Packet->Dhcp6.Option) is the number of bytes from the start of
++  // DHCP6 option area to the start of the IA option.
+   //
+-  //     0                   1                   2                   3
+-  //     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-  //    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-  //    |         OPTION_IA_TA          |          option-len           |
+-  //    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-  //    |                        IAID (4 octets)                        |
+-  //    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-  //    |                                                               |
+-  //    .                         IA_TA-options                         .
+-  //    .                                                               .
+-  //    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++  // Dhcp6SeekInnerOptionSafe() is searching starting from the start of the
++  // IA option to the end of the DHCP6 option area, thus subtract the space
++  // up until this option
+   //
++  OptionLen = OptionLen - (*Option - Packet->Dhcp6.Option);
+ 
+   //
+-  // sizeof (option-code + option-len + IaId)           = 8
+-  // sizeof (option-code + option-len + IaId + T1)      = 12
+-  // sizeof (option-code + option-len + IaId + T1 + T2) = 16
+-  //
+-  // The inner options still start with 2 bytes option-code and 2 bytes option-len.
++  // Seek the inner option
+   //
+-  if (Instance->Config->IaDescriptor.Type == Dhcp6OptIana) {
+-    IaInnerOpt = *Option + 16;
+-    IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 2))) - 12);
+-  } else {
+-    IaInnerOpt = *Option + 8;
+-    IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 2))) - 4);
++  if (EFI_ERROR (
++        Dhcp6SeekInnerOptionSafe (
++          Instance->Config->IaDescriptor.Type,
++          *Option,
++          OptionLen,
++          &IaInnerOpt,
++          &IaInnerLen
++          )
++        ))
++  {
++    return EFI_DEVICE_ERROR;
+   }
+ 
+   //
+@@ -784,7 +855,7 @@ Dhcp6SeekStsOption (
+   //
+   *Option = Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode);
+   if (*Option != NULL) {
+-    StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 4)));
++    StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)((DHCP6_OFFSET_OF_STATUS_CODE (*Option)))));
+     if (StsCode != Dhcp6StsSuccess) {
+       return EFI_DEVICE_ERROR;
+     }
+@@ -1105,7 +1176,7 @@ Dhcp6SendRequestMsg (
+   //
+   Option = Dhcp6SeekOption (
+              Instance->AdSelect->Dhcp6.Option,
+-             Instance->AdSelect->Length - 4,
++             Instance->AdSelect->Length - sizeof (EFI_DHCP6_HEADER),
+              Dhcp6OptServerId
+              );
+   if (Option == NULL) {
+@@ -1289,7 +1360,7 @@ Dhcp6SendDeclineMsg (
+   //
+   Option = Dhcp6SeekOption (
+              LastReply->Dhcp6.Option,
+-             LastReply->Length - 4,
++             LastReply->Length - sizeof (EFI_DHCP6_HEADER),
+              Dhcp6OptServerId
+              );
+   if (Option == NULL) {
+@@ -1448,7 +1519,7 @@ Dhcp6SendReleaseMsg (
+   //
+   Option = Dhcp6SeekOption (
+              LastReply->Dhcp6.Option,
+-             LastReply->Length - 4,
++             LastReply->Length - sizeof (EFI_DHCP6_HEADER),
+              Dhcp6OptServerId
+              );
+   if (Option == NULL) {
+@@ -1673,7 +1744,7 @@ Dhcp6SendRenewRebindMsg (
+ 
+     Option = Dhcp6SeekOption (
+                LastReply->Dhcp6.Option,
+-               LastReply->Length - 4,
++               LastReply->Length - sizeof (EFI_DHCP6_HEADER),
+                Dhcp6OptServerId
+                );
+     if (Option == NULL) {
+@@ -2208,7 +2279,7 @@ Dhcp6HandleReplyMsg (
+   //
+   Option = Dhcp6SeekOption (
+              Packet->Dhcp6.Option,
+-             Packet->Length - 4,
++             Packet->Length - sizeof (EFI_DHCP6_HEADER),
+              Dhcp6OptRapidCommit
+              );
+ 
+@@ -2354,7 +2425,7 @@ Dhcp6HandleReplyMsg (
+     //
+     // Any error status code option is found.
+     //
+-    StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 4)));
++    StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)((DHCP6_OFFSET_OF_STATUS_CODE (Option)))));
+     switch (StsCode) {
+       case Dhcp6StsUnspecFail:
+         //
+@@ -2487,7 +2558,7 @@ Dhcp6SelectAdvertiseMsg (
+   //
+   Option = Dhcp6SeekOption (
+              AdSelect->Dhcp6.Option,
+-             AdSelect->Length - 4,
++             AdSelect->Length - sizeof (EFI_DHCP6_HEADER),
+              Dhcp6OptServerUnicast
+              );
+ 
+@@ -2498,7 +2569,7 @@ Dhcp6SelectAdvertiseMsg (
+       return EFI_OUT_OF_RESOURCES;
+     }
+ 
+-    CopyMem (Instance->Unicast, Option + 4, sizeof (EFI_IPv6_ADDRESS));
++    CopyMem (Instance->Unicast, DHCP6_OFFSET_OF_OPT_DATA (Option), sizeof (EFI_IPv6_ADDRESS));
+   }
+ 
+   //
+@@ -2551,7 +2622,7 @@ Dhcp6HandleAdvertiseMsg (
+   //
+   Option = Dhcp6SeekOption (
+              Packet->Dhcp6.Option,
+-             Packet->Length - 4,
++             Packet->Length - sizeof (EFI_DHCP6_HEADER),
+              Dhcp6OptRapidCommit
+              );
+ 
+@@ -2645,7 +2716,7 @@ Dhcp6HandleAdvertiseMsg (
+       CopyMem (Instance->AdSelect, Packet, Packet->Size);
+ 
+       if (Option != NULL) {
+-        Instance->AdPref = *(Option + 4);
++        Instance->AdPref = *(DHCP6_OFFSET_OF_OPT_DATA (Option));
+       }
+     } else {
+       //
+@@ -2714,11 +2785,11 @@ Dhcp6HandleStateful (
+   //
+   Option = Dhcp6SeekOption (
+              Packet->Dhcp6.Option,
+-             Packet->Length - 4,
++             Packet->Length - DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN,
+              Dhcp6OptClientId
+              );
+ 
+-  if ((Option == NULL) || (CompareMem (Option + 4, ClientId->Duid, ClientId->Length) != 0)) {
++  if ((Option == NULL) || (CompareMem (DHCP6_OFFSET_OF_OPT_DATA (Option), ClientId->Duid, ClientId->Length) != 0)) {
+     goto ON_CONTINUE;
+   }
+ 
+@@ -2727,7 +2798,7 @@ Dhcp6HandleStateful (
+   //
+   Option = Dhcp6SeekOption (
+              Packet->Dhcp6.Option,
+-             Packet->Length - 4,
++             Packet->Length - DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN,
+              Dhcp6OptServerId
+              );
+ 
+@@ -2832,7 +2903,7 @@ Dhcp6HandleStateless (
+   //
+   Option = Dhcp6SeekOption (
+              Packet->Dhcp6.Option,
+-             Packet->Length - 4,
++             Packet->Length - sizeof (EFI_DHCP6_HEADER),
+              Dhcp6OptServerId
+              );
+ 
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0002.patch

@@ -0,0 +1,539 @@
+From 07362769ab7a7d74dbea1c7a7a3662c7b5d1f097 Mon Sep 17 00:00:00 2001
+From: "Doug Flick via groups.io" <dougflick=microsoft.com@groups.io>
+Date: Fri, 26 Jan 2024 05:54:47 +0800
+Subject: [PATCH] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit 
+ Tests
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534
+
+These tests confirm that the report bug...
+
+"Out-of-bounds read when processing IA_NA/IA_TA options in a
+DHCPv6 Advertise message"
+
+..has been patched.
+
+The following functions are tested to confirm an out of bounds read is
+patched and that the correct statuses are returned:
+
+Dhcp6SeekInnerOptionSafe
+Dhcp6SeekStsOption
+
+TCBZ4534
+CVE-2023-45229
+CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+CWE-125 Out-of-bounds Read
+
+Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
+Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
+
+CVE: CVE-2023-45229
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/07362769ab7a7d74dbea1c7a7a3662c7b5d1f097]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ NetworkPkg/Dhcp6Dxe/Dhcp6Io.c                 |   2 +-
+ .../GoogleTest/Dhcp6DxeGoogleTest.inf         |   1 +
+ .../Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp | 365 +++++++++++++++++-
+ .../Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h   |  58 +++
+ 4 files changed, 423 insertions(+), 3 deletions(-)
+ create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h
+
+diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
+index 89d16484a5..3b8feb4a20 100644
+--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
++++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
+@@ -816,7 +816,7 @@ Dhcp6SeekStsOption (
+   // IA option to the end of the DHCP6 option area, thus subtract the space
+   // up until this option
+   //
+-  OptionLen = OptionLen - (*Option - Packet->Dhcp6.Option);
++  OptionLen = OptionLen - (UINT32)(*Option - Packet->Dhcp6.Option);
+ 
+   //
+   // Seek the inner option
+diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
+index 8e9119a371..12532ed30c 100644
+--- a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
++++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
+@@ -18,6 +18,7 @@
+ [Sources]
+   Dhcp6DxeGoogleTest.cpp
+   Dhcp6IoGoogleTest.cpp
++  Dhcp6IoGoogleTest.h
+   ../Dhcp6Io.c
+   ../Dhcp6Utility.c
+ 
+diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
+index 7ee40e4af4..7db253a7b8 100644
+--- a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
++++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
+@@ -13,6 +13,7 @@ extern "C" {
+   #include <Library/BaseMemoryLib.h>
+   #include "../Dhcp6Impl.h"
+   #include "../Dhcp6Utility.h"
++  #include "Dhcp6IoGoogleTest.h"
+ }
+ 
+ ////////////////////////////////////////////////////////////////////////
+@@ -21,7 +22,35 @@ extern "C" {
+ 
+ #define DHCP6_PACKET_MAX_LEN  1500
+ 
++// This definition is used by this test but is also required to compile
++// by Dhcp6Io.c
++#define DHCPV6_OPTION_IA_NA  3
++#define DHCPV6_OPTION_IA_TA  4
++
++#define SEARCH_PATTERN      0xDEADC0DE
++#define SEARCH_PATTERN_LEN  sizeof(SEARCH_PATTERN)
++
+ ////////////////////////////////////////////////////////////////////////
++// Test structures for IA_NA and IA_TA options
++////////////////////////////////////////////////////////////////////////
++typedef struct {
++  UINT16    Code;
++  UINT16    Len;
++  UINT32    IAID;
++} DHCPv6_OPTION;
++
++typedef struct {
++  DHCPv6_OPTION    Header;
++  UINT32           T1;
++  UINT32           T2;
++  UINT8            InnerOptions[0];
++} DHCPv6_OPTION_IA_NA;
++
++typedef struct {
++  DHCPv6_OPTION    Header;
++  UINT8            InnerOptions[0];
++} DHCPv6_OPTION_IA_TA;
++
+ ////////////////////////////////////////////////////////////////////////
+ // Symbol Definitions
+ // These functions are not directly under test - but required to compile
+@@ -210,7 +239,7 @@ TEST_F (Dhcp6AppendETOptionTest, InvalidDataExpectBufferTooSmall) {
+   Status = Dhcp6AppendETOption (
+              Dhcp6AppendETOptionTest::Packet,
+              &Cursor,
+-             &Instance, // Instance is not used in this function
++             &Instance,                    // Instance is not used in this function
+              &ElapsedTime
+              );
+ 
+@@ -240,7 +269,7 @@ TEST_F (Dhcp6AppendETOptionTest, ValidDataExpectSuccess) {
+   Status = Dhcp6AppendETOption (
+              Dhcp6AppendETOptionTest::Packet,
+              &Cursor,
+-             &Instance, // Instance is not used in this function
++             &Instance,                    // Instance is not used in this function
+              &ElapsedTime
+              );
+ 
+@@ -476,3 +505,335 @@ TEST_F (Dhcp6AppendIaOptionTest, IaTaValidDataExpectSuccess) {
+   // verify that the status is EFI_SUCCESS
+   ASSERT_EQ (Status, EFI_SUCCESS);
+ }
++
++////////////////////////////////////////////////////////////////////////
++// Dhcp6SeekInnerOptionSafe Tests
++////////////////////////////////////////////////////////////////////////
++
++// Define a fixture for your tests if needed
++class Dhcp6SeekInnerOptionSafeTest : public ::testing::Test {
++protected:
++  // Add any setup code if needed
++  virtual void
++  SetUp (
++    )
++  {
++    // Initialize any resources or variables
++  }
++
++  // Add any cleanup code if needed
++  virtual void
++  TearDown (
++    )
++  {
++    // Clean up any resources or variables
++  }
++};
++
++// Test Description:
++// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IANA option is found.
++TEST_F (Dhcp6SeekInnerOptionSafeTest, IANAValidOptionExpectSuccess) {
++  EFI_STATUS           Result;
++  UINT8                Option[sizeof (DHCPv6_OPTION_IA_NA) + SEARCH_PATTERN_LEN] = { 0 };
++  UINT32               OptionLength                                              = sizeof (Option);
++  DHCPv6_OPTION_IA_NA  *OptionPtr                                                = (DHCPv6_OPTION_IA_NA *)Option;
++  UINT32               SearchPattern                                             = SEARCH_PATTERN;
++
++  UINTN   SearchPatternLength = SEARCH_PATTERN_LEN;
++  UINT8   *InnerOptionPtr     = NULL;
++  UINT16  InnerOptionLength   = 0;
++
++  OptionPtr->Header.Code = Dhcp6OptIana;
++  OptionPtr->Header.Len  = HTONS (4 + 12); // Valid length has to be more than 12
++  OptionPtr->Header.IAID = 0x12345678;
++  OptionPtr->T1          = 0x11111111;
++  OptionPtr->T2          = 0x22222222;
++  CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength);
++
++  Result = Dhcp6SeekInnerOptionSafe (
++             Dhcp6OptIana,
++             Option,
++             OptionLength,
++             &InnerOptionPtr,
++             &InnerOptionLength
++             );
++  ASSERT_EQ (Result, EFI_SUCCESS);
++  ASSERT_EQ (InnerOptionLength, 4);
++  ASSERT_EQ (CompareMem (InnerOptionPtr, &SearchPattern, SearchPatternLength), 0);
++}
++
++// Test Description:
++// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_DEIVCE_ERROR when the IANA option size is invalid.
++TEST_F (Dhcp6SeekInnerOptionSafeTest, IANAInvalidSizeExpectFail) {
++  // Lets add an inner option of bytes we expect to find
++  EFI_STATUS           Status;
++  UINT8                Option[sizeof (DHCPv6_OPTION_IA_NA) + SEARCH_PATTERN_LEN] = { 0 };
++  UINT32               OptionLength                                              = sizeof (Option);
++  DHCPv6_OPTION_IA_NA  *OptionPtr                                                = (DHCPv6_OPTION_IA_NA *)Option;
++  UINT32               SearchPattern                                             = SEARCH_PATTERN;
++
++  UINTN   SearchPatternLength = SEARCH_PATTERN_LEN;
++  UINT8   *InnerOptionPtr     = NULL;
++  UINT16  InnerOptionLength   = 0;
++
++  OptionPtr->Header.Code = Dhcp6OptIana;
++  OptionPtr->Header.Len  = HTONS (4); // Set the length to lower than expected (12)
++  OptionPtr->Header.IAID = 0x12345678;
++  OptionPtr->T1          = 0x11111111;
++  OptionPtr->T2          = 0x22222222;
++  CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength);
++
++  // Set the InnerOptionLength to be less than the size of the option
++  Status = Dhcp6SeekInnerOptionSafe (
++             Dhcp6OptIana,
++             Option,
++             OptionLength,
++             &InnerOptionPtr,
++             &InnerOptionLength
++             );
++  ASSERT_EQ (Status, EFI_DEVICE_ERROR);
++
++  // Now set the OptionLength to be less than the size of the option
++  OptionLength = sizeof (DHCPv6_OPTION_IA_NA) - 1;
++  Status       = Dhcp6SeekInnerOptionSafe (
++                   Dhcp6OptIana,
++                   Option,
++                   OptionLength,
++                   &InnerOptionPtr,
++                   &InnerOptionLength
++                   );
++  ASSERT_EQ (Status, EFI_DEVICE_ERROR);
++}
++
++// Test Description:
++// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IATA option is found
++TEST_F (Dhcp6SeekInnerOptionSafeTest, IATAValidOptionExpectSuccess) {
++  // Lets add an inner option of bytes we expect to find
++  EFI_STATUS           Status;
++  UINT8                Option[sizeof (DHCPv6_OPTION_IA_TA) + SEARCH_PATTERN_LEN] = { 0 };
++  UINT32               OptionLength                                              = sizeof (Option);
++  DHCPv6_OPTION_IA_TA  *OptionPtr                                                = (DHCPv6_OPTION_IA_TA *)Option;
++  UINT32               SearchPattern                                             = SEARCH_PATTERN;
++
++  UINTN   SearchPatternLength = SEARCH_PATTERN_LEN;
++  UINT8   *InnerOptionPtr     = NULL;
++  UINT16  InnerOptionLength   = 0;
++
++  OptionPtr->Header.Code = Dhcp6OptIata;
++  OptionPtr->Header.Len  = HTONS (4 + 4); // Valid length has to be more than 4
++  OptionPtr->Header.IAID = 0x12345678;
++  CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength);
++
++  Status = Dhcp6SeekInnerOptionSafe (
++             Dhcp6OptIata,
++             Option,
++             OptionLength,
++             &InnerOptionPtr,
++             &InnerOptionLength
++             );
++  ASSERT_EQ (Status, EFI_SUCCESS);
++  ASSERT_EQ (InnerOptionLength, 4);
++  ASSERT_EQ (CompareMem (InnerOptionPtr, &SearchPattern, SearchPatternLength), 0);
++}
++
++// Test Description:
++// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IATA option size is invalid.
++TEST_F (Dhcp6SeekInnerOptionSafeTest, IATAInvalidSizeExpectFail) {
++  // Lets add an inner option of bytes we expect to find
++  EFI_STATUS           Status;
++  UINT8                Option[sizeof (DHCPv6_OPTION_IA_TA) + SEARCH_PATTERN_LEN] = { 0 };
++  UINT32               OptionLength                                              = sizeof (Option);
++  DHCPv6_OPTION_IA_TA  *OptionPtr                                                = (DHCPv6_OPTION_IA_TA *)Option;
++  UINT32               SearchPattern                                             = SEARCH_PATTERN;
++
++  UINTN   SearchPatternLength = SEARCH_PATTERN_LEN;
++  UINT8   *InnerOptionPtr     = NULL;
++  UINT16  InnerOptionLength   = 0;
++
++  OptionPtr->Header.Code = Dhcp6OptIata;
++  OptionPtr->Header.Len  = HTONS (2); // Set the length to lower than expected (4)
++  OptionPtr->Header.IAID = 0x12345678;
++  CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength);
++
++  Status = Dhcp6SeekInnerOptionSafe (
++             Dhcp6OptIata,
++             Option,
++             OptionLength,
++             &InnerOptionPtr,
++             &InnerOptionLength
++             );
++  ASSERT_EQ (Status, EFI_DEVICE_ERROR);
++
++  // Now lets try modifying the OptionLength to be less than the size of the option
++  OptionLength = sizeof (DHCPv6_OPTION_IA_TA) - 1;
++  Status       = Dhcp6SeekInnerOptionSafe (
++                   Dhcp6OptIata,
++                   Option,
++                   OptionLength,
++                   &InnerOptionPtr,
++                   &InnerOptionLength
++                   );
++  ASSERT_EQ (Status, EFI_DEVICE_ERROR);
++}
++
++// Test Description:
++// This test verifies that any other Option Type fails
++TEST_F (Dhcp6SeekInnerOptionSafeTest, InvalidOption) {
++  // Lets add an inner option of bytes we expect to find
++  EFI_STATUS           Result;
++  UINT8                Option[sizeof (DHCPv6_OPTION_IA_TA) + SEARCH_PATTERN_LEN] = { 0 };
++  UINT32               OptionLength                                              = sizeof (Option);
++  DHCPv6_OPTION_IA_TA  *OptionPtr                                                = (DHCPv6_OPTION_IA_TA *)Option;
++  UINT32               SearchPattern                                             = SEARCH_PATTERN;
++
++  UINTN   SearchPatternLength = SEARCH_PATTERN_LEN;
++  UINT8   *InnerOptionPtr     = NULL;
++  UINT16  InnerOptionLength   = 0;
++
++  OptionPtr->Header.Code = 0xC0DE;
++  OptionPtr->Header.Len  = HTONS (2); // Set the length to lower than expected (4)
++  OptionPtr->Header.IAID = 0x12345678;
++  CopyMem (OptionPtr->InnerOptions, &SearchPattern, SearchPatternLength);
++
++  Result = Dhcp6SeekInnerOptionSafe (0xC0DE, Option, OptionLength, &InnerOptionPtr, &InnerOptionLength);
++  ASSERT_EQ (Result, EFI_DEVICE_ERROR);
++}
++
++////////////////////////////////////////////////////////////////////////
++// Dhcp6SeekStsOption Tests
++////////////////////////////////////////////////////////////////////////
++
++#define PACKET_SIZE  (1500)
++
++class Dhcp6SeekStsOptionTest : public ::testing::Test {
++public:
++  DHCP6_INSTANCE Instance      = { 0 };
++  EFI_DHCP6_PACKET *Packet     = NULL;
++  EFI_DHCP6_CONFIG_DATA Config = { 0 };
++
++protected:
++  // Add any setup code if needed
++  virtual void
++  SetUp (
++    )
++  {
++    // Allocate a packet
++    Packet = (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_SIZE);
++    ASSERT_NE (Packet, nullptr);
++
++    // Initialize the packet
++    Packet->Size = PACKET_SIZE;
++
++    Instance.Config = &Config;
++  }
++
++  // Add any cleanup code if needed
++  virtual void
++  TearDown (
++    )
++  {
++    // Clean up any resources or variables
++    FreePool (Packet);
++  }
++};
++
++// Test Description:
++// This test verifies that Dhcp6SeekStsOption returns EFI_DEVICE_ERROR when the option is invalid
++// This verifies that the calling function is working as expected
++TEST_F (Dhcp6SeekStsOptionTest, SeekIATAOptionExpectFail) {
++  EFI_STATUS    Status;
++  UINT8         *Option             = NULL;
++  UINT32        SearchPattern       = SEARCH_PATTERN;
++  UINT16        SearchPatternLength = SEARCH_PATTERN_LEN;
++  UINT16        *Len                = NULL;
++  EFI_DHCP6_IA  Ia                  = { 0 };
++
++  Ia.Descriptor.Type                = DHCPV6_OPTION_IA_TA;
++  Ia.IaAddressCount                 = 1;
++  Ia.IaAddress[0].PreferredLifetime = 0xDEADBEEF;
++  Ia.IaAddress[0].ValidLifetime     = 0xDEADAAAA;
++  Ia.IaAddress[0].IpAddress         = mAllDhcpRelayAndServersAddress;
++
++  Packet->Length = sizeof (EFI_DHCP6_HEADER);
++
++  Option = Dhcp6SeekStsOptionTest::Packet->Dhcp6.Option;
++
++  // Let's append the option to the packet
++  Status = Dhcp6AppendOption (
++             Dhcp6SeekStsOptionTest::Packet,
++             &Option,
++             Dhcp6OptStatusCode,
++             SearchPatternLength,
++             (UINT8 *)&SearchPattern
++             );
++  ASSERT_EQ (Status, EFI_SUCCESS);
++
++  // Inner option length - this will be overwritten later
++  Len = (UINT16 *)(Option + 2);
++
++  // Fill in the inner IA option
++  Status = Dhcp6AppendIaOption (
++             Dhcp6SeekStsOptionTest::Packet,
++             &Option,
++             &Ia,
++             0x12345678,
++             0x11111111,
++             0x22222222
++             );
++  ASSERT_EQ (Status, EFI_SUCCESS);
++
++  // overwrite the len of inner Ia option
++  *Len = HTONS (3);
++
++  Dhcp6SeekStsOptionTest::Instance.Config->IaDescriptor.Type = DHCPV6_OPTION_IA_TA;
++
++  Option = NULL;
++  Status = Dhcp6SeekStsOption (&(Dhcp6SeekStsOptionTest::Instance), Dhcp6SeekStsOptionTest::Packet, &Option);
++
++  ASSERT_EQ (Status, EFI_DEVICE_ERROR);
++}
++
++// Test Description:
++// This test verifies that Dhcp6SeekInnerOptionSafe returns EFI_SUCCESS when the IATA option size is invalid.
++TEST_F (Dhcp6SeekStsOptionTest, SeekIANAOptionExpectSuccess) {
++  EFI_STATUS    Status              = EFI_NOT_FOUND;
++  UINT8         *Option             = NULL;
++  UINT32        SearchPattern       = SEARCH_PATTERN;
++  UINT16        SearchPatternLength = SEARCH_PATTERN_LEN;
++  EFI_DHCP6_IA  Ia                  = { 0 };
++
++  Ia.Descriptor.Type                = DHCPV6_OPTION_IA_NA;
++  Ia.IaAddressCount                 = 1;
++  Ia.IaAddress[0].PreferredLifetime = 0x11111111;
++  Ia.IaAddress[0].ValidLifetime     = 0x22222222;
++  Ia.IaAddress[0].IpAddress         = mAllDhcpRelayAndServersAddress;
++  Packet->Length                    = sizeof (EFI_DHCP6_HEADER);
++
++  Option = Dhcp6SeekStsOptionTest::Packet->Dhcp6.Option;
++
++  Status = Dhcp6AppendOption (
++             Dhcp6SeekStsOptionTest::Packet,
++             &Option,
++             Dhcp6OptStatusCode,
++             SearchPatternLength,
++             (UINT8 *)&SearchPattern
++             );
++  ASSERT_EQ (Status, EFI_SUCCESS);
++
++  Status = Dhcp6AppendIaOption (
++             Dhcp6SeekStsOptionTest::Packet,
++             &Option,
++             &Ia,
++             0x12345678,
++             0x11111111,
++             0x22222222
++             );
++  ASSERT_EQ (Status, EFI_SUCCESS);
++
++  Dhcp6SeekStsOptionTest::Instance.Config->IaDescriptor.Type = DHCPV6_OPTION_IA_NA;
++
++  Option = NULL;
++  Status = Dhcp6SeekStsOption (&(Dhcp6SeekStsOptionTest::Instance), Dhcp6SeekStsOptionTest::Packet, &Option);
++
++  ASSERT_EQ (Status, EFI_SUCCESS);
++}
+diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h
+new file mode 100644
+index 0000000000..aed3b89082
+--- /dev/null
++++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h
+@@ -0,0 +1,58 @@
++/** @file
++  Acts as header for private functions under test in Dhcp6Io.c
++
++  Copyright (c) Microsoft Corporation
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++
++#ifndef DHCP6_IO_GOOGLE_TEST_H_
++#define DHCP6_IO_GOOGLE_TEST_H_
++
++////////////////////////////////////////////////////////////////////////////////
++// These are the functions that are being unit tested
++////////////////////////////////////////////////////////////////////////////////
++
++#include <Uefi.h>
++
++/**
++  Seeks the Inner Options from a DHCP6 Option
++
++  @param[in]  IaType          The type of the IA option.
++  @param[in]  Option          The pointer to the DHCP6 Option.
++  @param[in]  OptionLen       The length of the DHCP6 Option.
++  @param[out] IaInnerOpt      The pointer to the IA inner option.
++  @param[out] IaInnerLen      The length of the IA inner option.
++
++  @retval EFI_SUCCESS         Seek the inner option successfully.
++  @retval EFI_DEVICE_ERROR    The OptionLen is invalid.
++*/
++EFI_STATUS
++Dhcp6SeekInnerOptionSafe (
++  UINT16  IaType,
++  UINT8   *Option,
++  UINT32  OptionLen,
++  UINT8   **IaInnerOpt,
++  UINT16  *IaInnerLen
++  );
++
++/**
++  Seek StatusCode Option in package. A Status Code option may appear in the
++  options field of a DHCP message and/or in the options field of another option.
++  See details in section 22.13, RFC3315.
++
++  @param[in]       Instance        The pointer to the Dhcp6 instance.
++  @param[in]       Packet          The pointer to reply messages.
++  @param[out]      Option          The pointer to status code option.
++
++  @retval EFI_SUCCESS              Seek status code option successfully.
++  @retval EFI_DEVICE_ERROR         An unexpected error.
++
++**/
++EFI_STATUS
++Dhcp6SeekStsOption (
++  IN     DHCP6_INSTANCE    *Instance,
++  IN     EFI_DHCP6_PACKET  *Packet,
++  OUT    UINT8             **Option
++  );
++
++#endif // DHCP6_IO_GOOGLE_TEST_H
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0003.patch

@@ -0,0 +1,244 @@
+From 1c440a5eceedc64e892877eeac0f1a4938f5abbb Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Tue, 13 Feb 2024 10:46:00 -0800
+Subject: [PATCH] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Related 
+ Patch
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4673
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534
+
+This was not part of the Quarkslab bugs however the same pattern
+as CVE-2023-45229 exists in Dhcp6UpdateIaInfo.
+
+This patch replaces the code in question with the safe function
+created to patch CVE-2023-45229
+
+>
+>   if (EFI_ERROR (
+>        Dhcp6SeekInnerOptionSafe (
+>          Instance->Config->IaDescriptor.Type,
+>          Option,
+>          OptionLen,
+>          &IaInnerOpt,
+>          &IaInnerLen
+>          )
+>        ))
+>  {
+>    return EFI_DEVICE_ERROR;
+>  }
+>
+
+Additionally corrects incorrect usage of macro to read the status
+
+> - StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN
+ (Option)));
+> + StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)
+DHCP6_OFFSET_OF_STATUS_CODE (Option));
+
+Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
+Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
+Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
+
+CVE: CVE-2023-45229
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/1c440a5eceedc64e892877eeac0f1a4938f5abbb]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 70 ++++++++++++++++++++++++++---------
+ NetworkPkg/Dhcp6Dxe/Dhcp6Io.h | 22 +++++++++++
+ 2 files changed, 75 insertions(+), 17 deletions(-)
+
+diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
+index 3b8feb4a20..a9bffae353 100644
+--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
++++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
+@@ -528,13 +528,23 @@ Dhcp6UpdateIaInfo (
+ {
+   EFI_STATUS  Status;
+   UINT8       *Option;
++  UINT32      OptionLen;
+   UINT8       *IaInnerOpt;
+   UINT16      IaInnerLen;
+   UINT16      StsCode;
+   UINT32      T1;
+   UINT32      T2;
+ 
++  T1 = 0;
++  T2 = 0;
++
+   ASSERT (Instance->Config != NULL);
++
++  // OptionLen is the length of the Options excluding the DHCP header.
++  // Length of the EFI_DHCP6_PACKET from the first byte of the Header field to the last
++  // byte of the Option[] field.
++  OptionLen = Packet->Length - sizeof (Packet->Dhcp6.Header);
++
+   //
+   // If the reply was received in response to a solicit with rapid commit option,
+   // request, renew or rebind message, the client updates the information it has
+@@ -549,13 +559,29 @@ Dhcp6UpdateIaInfo (
+   //
+   Option = Dhcp6SeekIaOption (
+              Packet->Dhcp6.Option,
+-             Packet->Length - sizeof (EFI_DHCP6_HEADER),
++             OptionLen,
+              &Instance->Config->IaDescriptor
+              );
+   if (Option == NULL) {
+     return EFI_DEVICE_ERROR;
+   }
+ 
++  //
++  // Calculate the distance from Packet->Dhcp6.Option to the IA option.
++  //
++  // Packet->Size and Packet->Length are both UINT32 type, and Packet->Size is
++  // the size of the whole packet, including the DHCP header, and Packet->Length
++  // is the length of the DHCP message body, excluding the DHCP header.
++  //
++  // (*Option - Packet->Dhcp6.Option) is the number of bytes from the start of
++  // DHCP6 option area to the start of the IA option.
++  //
++  // Dhcp6SeekInnerOptionSafe() is searching starting from the start of the
++  // IA option to the end of the DHCP6 option area, thus subtract the space
++  // up until this option
++  //
++  OptionLen = OptionLen - (UINT32)(Option - Packet->Dhcp6.Option);
++
+   //
+   // The format of the IA_NA option is:
+   //
+@@ -591,32 +617,32 @@ Dhcp6UpdateIaInfo (
+   //
+ 
+   //
+-  // sizeof (option-code + option-len + IaId)           = 8
+-  // sizeof (option-code + option-len + IaId + T1)      = 12
+-  // sizeof (option-code + option-len + IaId + T1 + T2) = 16
+-  //
+-  // The inner options still start with 2 bytes option-code and 2 bytes option-len.
++  // Seek the inner option
+   //
++  if (EFI_ERROR (
++        Dhcp6SeekInnerOptionSafe (
++          Instance->Config->IaDescriptor.Type,
++          Option,
++          OptionLen,
++          &IaInnerOpt,
++          &IaInnerLen
++          )
++        ))
++  {
++    return EFI_DEVICE_ERROR;
++  }
++
+   if (Instance->Config->IaDescriptor.Type == Dhcp6OptIana) {
+     T1 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T1 (Option))));
+     T2 = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T2 (Option))));
+     //
+     // Refer to RFC3155 Chapter 22.4. If a client receives an IA_NA with T1 greater than T2,
+     // and both T1 and T2 are greater than 0, the client discards the IA_NA option and processes
+-    // the remainder of the message as though the server had not  included the invalid IA_NA option.
++    // the remainder of the message as though the server had not included the invalid IA_NA option.
+     //
+     if ((T1 > T2) && (T2 > 0)) {
+       return EFI_DEVICE_ERROR;
+     }
+-
+-    IaInnerOpt = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);
+-    IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_COMBINED_IAID_T1_T2);
+-  } else {
+-    T1 = 0;
+-    T2 = 0;
+-
+-    IaInnerOpt = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option);
+-    IaInnerLen = (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_IAID);
+   }
+ 
+   //
+@@ -642,7 +668,7 @@ Dhcp6UpdateIaInfo (
+   Option  = Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode);
+ 
+   if (Option != NULL) {
+-    StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option))));
++    StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_STATUS_CODE (Option))));
+     if (StsCode != Dhcp6StsSuccess) {
+       return EFI_DEVICE_ERROR;
+     }
+@@ -703,15 +729,21 @@ Dhcp6SeekInnerOptionSafe (
+   }
+ 
+   if (IaType == Dhcp6OptIana) {
++    //
+     // Verify we have a fully formed IA_NA
++    //
+     if (OptionLen < DHCP6_MIN_SIZE_OF_IA_NA) {
+       return EFI_DEVICE_ERROR;
+     }
+ 
++    //
++    // Get the IA Inner Option and Length
+     //
+     IaInnerOptTmp = DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);
+ 
++    //
+     // Verify the IaInnerLen is valid.
++    //
+     IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN (Option)));
+     if (IaInnerLenTmp < DHCP6_SIZE_OF_COMBINED_IAID_T1_T2) {
+       return EFI_DEVICE_ERROR;
+@@ -719,14 +751,18 @@ Dhcp6SeekInnerOptionSafe (
+ 
+     IaInnerLenTmp -= DHCP6_SIZE_OF_COMBINED_IAID_T1_T2;
+   } else if (IaType == Dhcp6OptIata) {
++    //
+     // Verify the OptionLen is valid.
++    //
+     if (OptionLen < DHCP6_MIN_SIZE_OF_IA_TA) {
+       return EFI_DEVICE_ERROR;
+     }
+ 
+     IaInnerOptTmp = DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option);
+ 
++    //
+     // Verify the IaInnerLen is valid.
++    //
+     IaInnerLenTmp = (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option))));
+     if (IaInnerLenTmp < DHCP6_SIZE_OF_IAID) {
+       return EFI_DEVICE_ERROR;
+diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h
+index 051a652f2b..ab0e1ac27f 100644
+--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h
++++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h
+@@ -217,4 +217,26 @@ Dhcp6OnTimerTick (
+   IN VOID       *Context
+   );
+ 
++/**
++  Seeks the Inner Options from a DHCP6 Option
++
++  @param[in]  IaType          The type of the IA option.
++  @param[in]  Option          The pointer to the DHCP6 Option.
++  @param[in]  OptionLen       The length of the DHCP6 Option.
++  @param[out] IaInnerOpt      The pointer to the IA inner option.
++  @param[out] IaInnerLen      The length of the IA inner option.
++
++  @retval EFI_SUCCESS         Seek the inner option successfully.
++  @retval EFI_DEVICE_ERROR    The OptionLen is invalid. On Error,
++                              the pointers are not modified
++**/
++EFI_STATUS
++Dhcp6SeekInnerOptionSafe (
++  IN  UINT16  IaType,
++  IN  UINT8   *Option,
++  IN  UINT32  OptionLen,
++  OUT UINT8   **IaInnerOpt,
++  OUT UINT16  *IaInnerLen
++  );
++
+ #endif
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2023-45229-0004.patch

@@ -0,0 +1,157 @@
+From 1d0b95f6457d225c5108302a9da74b4ed7aa5a38 Mon Sep 17 00:00:00 2001
+From: "Doug Flick via groups.io" <dougflick=microsoft.com@groups.io>
+Date: Fri, 26 Jan 2024 05:54:57 +0800
+Subject: [PATCH] NetworkPkg: : Adds a SecurityFix.yaml file
+
+This creates / adds a security file that tracks the security fixes
+found in this package and can be used to find the fixes that were
+applied.
+
+Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
+Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
+
+CVE: CVE_2023_45229
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/1d0b95f6457d225c5108302a9da74b4ed7aa5a38]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ NetworkPkg/SecurityFixes.yaml | 123 ++++++++++++++++++++++++++++++++++
+ 1 file changed, 123 insertions(+)
+ create mode 100644 NetworkPkg/SecurityFixes.yaml
+
+diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml
+new file mode 100644
+index 0000000000..7e900483fe
+--- /dev/null
++++ b/NetworkPkg/SecurityFixes.yaml
+@@ -0,0 +1,123 @@
++## @file
++# Security Fixes for SecurityPkg
++#
++# Copyright (c) Microsoft Corporation
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++CVE_2023_45229:
++  commit_titles:
++    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch"
++    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests"
++  cve: CVE-2023-45229
++  date_reported: 2023-08-28 13:56 UTC
++  description: "Bug 01 - edk2/NetworkPkg: Out-of-bounds read when processing IA_NA/IA_TA options in a DHCPv6 Advertise message"
++  note:
++  files_impacted:
++    - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c
++    - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h
++  links:
++    - https://bugzilla.tianocore.org/show_bug.cgi?id=4534
++    - https://nvd.nist.gov/vuln/detail/CVE-2023-45229
++    - http://www.openwall.com/lists/oss-security/2024/01/16/2
++    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
++    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
++CVE_2023_45230:
++  commit_titles:
++    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch"
++    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests"
++  cve: CVE-2023-45230
++  date_reported: 2023-08-28 13:56 UTC
++  description: "Bug 02 - edk2/NetworkPkg: Buffer overflow in the DHCPv6 client via a long Server ID option"
++  note:
++  files_impacted:
++    - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c
++    - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h
++  links:
++    - https://bugzilla.tianocore.org/show_bug.cgi?id=4535
++    - https://nvd.nist.gov/vuln/detail/CVE-2023-45230
++    - http://www.openwall.com/lists/oss-security/2024/01/16/2
++    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
++    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
++CVE_2023_45231:
++  commit_titles:
++    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Patch"
++    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests"
++  cve: CVE-2023-45231
++  date_reported: 2023-08-28 13:56 UTC
++  description: "Bug 03 - edk2/NetworkPkg: Out-of-bounds read when handling a ND Redirect message with truncated options"
++  note:
++  files_impacted:
++    - NetworkPkg/Ip6Dxe/Ip6Option.c
++  links:
++    - https://bugzilla.tianocore.org/show_bug.cgi?id=4536
++    - https://nvd.nist.gov/vuln/detail/CVE-2023-45231
++    - http://www.openwall.com/lists/oss-security/2024/01/16/2
++    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
++    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
++CVE_2023_45232:
++  commit_titles:
++    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch"
++    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests"
++  cve: CVE-2023-45232
++  date_reported: 2023-08-28 13:56 UTC
++  description: "Bug 04 - edk2/NetworkPkg: Infinite loop when parsing unknown options in the Destination Options header"
++  note:
++  files_impacted:
++    - NetworkPkg/Ip6Dxe/Ip6Option.c
++    - NetworkPkg/Ip6Dxe/Ip6Option.h
++  links:
++    - https://bugzilla.tianocore.org/show_bug.cgi?id=4537
++    - https://nvd.nist.gov/vuln/detail/CVE-2023-45232
++    - http://www.openwall.com/lists/oss-security/2024/01/16/2
++    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
++    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
++CVE_2023_45233:
++  commit_titles:
++    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch"
++    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests"
++  cve: CVE-2023-45233
++  date_reported: 2023-08-28 13:56 UTC
++  description: "Bug 05 - edk2/NetworkPkg: Infinite loop when parsing a PadN option in the Destination Options header "
++  note: This was fixed along with CVE-2023-45233
++  files_impacted:
++    - NetworkPkg/Ip6Dxe/Ip6Option.c
++    - NetworkPkg/Ip6Dxe/Ip6Option.h
++  links:
++    - https://bugzilla.tianocore.org/show_bug.cgi?id=4538
++    - https://nvd.nist.gov/vuln/detail/CVE-2023-45233
++    - http://www.openwall.com/lists/oss-security/2024/01/16/2
++    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
++    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
++CVE_2023_45234:
++  commit_titles:
++    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Patch"
++    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Unit Tests"
++  cve: CVE-2023-45234
++  date_reported: 2023-08-28 13:56 UTC
++  description: "Bug 06 - edk2/NetworkPkg: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message"
++  note:
++  files_impacted:
++    - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
++  links:
++    - https://bugzilla.tianocore.org/show_bug.cgi?id=4539
++    - https://nvd.nist.gov/vuln/detail/CVE-2023-45234
++    - http://www.openwall.com/lists/oss-security/2024/01/16/2
++    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
++    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
++CVE_2023_45235:
++  commit_titles:
++    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Patch"
++    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Unit Tests"
++  cve: CVE-2023-45235
++  date_reported: 2023-08-28 13:56 UTC
++  description: "Bug 07 - edk2/NetworkPkg: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message"
++  note:
++  files_impacted:
++    - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
++    - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h
++  links:
++    - https://bugzilla.tianocore.org/show_bug.cgi?id=4540
++    - https://nvd.nist.gov/vuln/detail/CVE-2023-45235
++    - http://www.openwall.com/lists/oss-security/2024/01/16/2
++    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
++    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2023-45230-0002.patch

@@ -0,0 +1,604 @@
+From 5f3658197bf29c83b3349b0ab1d99cdb0c3814bc Mon Sep 17 00:00:00 2001
+From: "Doug Flick via groups.io" <dougflick=microsoft.com@groups.io>
+Date: Fri, 26 Jan 2024 05:54:45 +0800
+Subject: [PATCH] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit 
+ Tests
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4535
+
+Confirms that reported issue...
+
+"Buffer overflow in the DHCPv6 client via a long Server ID option"
+
+..has been corrected by the provided patch.
+
+Tests the following functions to ensure they appropriately handle
+untrusted data (either too long or too small) to prevent a buffer
+overflow:
+
+Dhcp6AppendOption
+Dhcp6AppendETOption
+Dhcp6AppendIaOption
+
+Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
+Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
+
+CVE: CVE-2023-45230
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/5f3658197bf29c83b3349b0ab1d99cdb0c3814bc]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../GoogleTest/Dhcp6DxeGoogleTest.cpp         |  20 +
+ .../GoogleTest/Dhcp6DxeGoogleTest.inf         |  43 ++
+ .../Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp | 478 ++++++++++++++++++
+ 3 files changed, 541 insertions(+)
+ create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp
+ create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
+ create mode 100644 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
+
+diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp
+new file mode 100644
+index 0000000000..9aeced2f91
+--- /dev/null
++++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp
+@@ -0,0 +1,20 @@
++/** @file
++  Acts as the main entry point for the tests for the Dhcp6Dxe module.
++
++  Copyright (c) Microsoft Corporation
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++#include <gtest/gtest.h>
++
++////////////////////////////////////////////////////////////////////////////////
++// Run the tests
++////////////////////////////////////////////////////////////////////////////////
++int
++main (
++  int   argc,
++  char  *argv[]
++  )
++{
++  testing::InitGoogleTest (&argc, argv);
++  return RUN_ALL_TESTS ();
++}
+diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
+new file mode 100644
+index 0000000000..8e9119a371
+--- /dev/null
++++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf
+@@ -0,0 +1,43 @@
++## @file
++# Unit test suite for the Dhcp6Dxe using Google Test
++#
++# Copyright (c) Microsoft Corporation.<BR>
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++[Defines]
++  INF_VERSION         = 0x00010017
++  BASE_NAME           = Dhcp6DxeGoogleTest
++  FILE_GUID           = 1D2A4C65-38C8-4C2F-BB60-B5FA49625AA9
++  VERSION_STRING      = 1.0
++  MODULE_TYPE         = HOST_APPLICATION
++#
++# The following information is for reference only and not required by the build tools.
++#
++#  VALID_ARCHITECTURES           = IA32 X64 AARCH64
++#
++[Sources]
++  Dhcp6DxeGoogleTest.cpp
++  Dhcp6IoGoogleTest.cpp
++  ../Dhcp6Io.c
++  ../Dhcp6Utility.c
++
++[Packages]
++  MdePkg/MdePkg.dec
++  MdeModulePkg/MdeModulePkg.dec
++  UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
++  NetworkPkg/NetworkPkg.dec
++
++[LibraryClasses]
++  GoogleTestLib
++  DebugLib
++  NetLib
++  PcdLib
++
++[Protocols]
++  gEfiDhcp6ServiceBindingProtocolGuid
++
++[Pcd]
++  gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType
++
++[Guids]
++  gZeroGuid
+diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
+new file mode 100644
+index 0000000000..7ee40e4af4
+--- /dev/null
++++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
+@@ -0,0 +1,478 @@
++/** @file
++  Tests for Dhcp6Io.c.
++
++  Copyright (c) Microsoft Corporation
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++#include <gtest/gtest.h>
++
++extern "C" {
++  #include <Uefi.h>
++  #include <Library/BaseLib.h>
++  #include <Library/DebugLib.h>
++  #include <Library/BaseMemoryLib.h>
++  #include "../Dhcp6Impl.h"
++  #include "../Dhcp6Utility.h"
++}
++
++////////////////////////////////////////////////////////////////////////
++// Defines
++////////////////////////////////////////////////////////////////////////
++
++#define DHCP6_PACKET_MAX_LEN  1500
++
++////////////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////////////
++// Symbol Definitions
++// These functions are not directly under test - but required to compile
++////////////////////////////////////////////////////////////////////////
++
++// This definition is used by this test but is also required to compile
++// by Dhcp6Io.c
++EFI_IPv6_ADDRESS  mAllDhcpRelayAndServersAddress = {
++  { 0xFF, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 2 }
++};
++
++EFI_STATUS
++EFIAPI
++UdpIoSendDatagram (
++  IN  UDP_IO           *UdpIo,
++  IN  NET_BUF          *Packet,
++  IN  UDP_END_POINT    *EndPoint OPTIONAL,
++  IN  EFI_IP_ADDRESS   *Gateway  OPTIONAL,
++  IN  UDP_IO_CALLBACK  CallBack,
++  IN  VOID             *Context
++  )
++{
++  return EFI_SUCCESS;
++}
++
++EFI_STATUS
++EFIAPI
++UdpIoRecvDatagram (
++  IN  UDP_IO           *UdpIo,
++  IN  UDP_IO_CALLBACK  CallBack,
++  IN  VOID             *Context,
++  IN  UINT32           HeadLen
++  )
++{
++  return EFI_SUCCESS;
++}
++
++////////////////////////////////////////////////////////////////////////
++// Dhcp6AppendOptionTest Tests
++////////////////////////////////////////////////////////////////////////
++
++class Dhcp6AppendOptionTest : public ::testing::Test {
++public:
++  UINT8 *Buffer = NULL;
++  EFI_DHCP6_PACKET *Packet;
++
++protected:
++  // Add any setup code if needed
++  virtual void
++  SetUp (
++    )
++  {
++    // Initialize any resources or variables
++    Buffer = (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN);
++    ASSERT_NE (Buffer, (UINT8 *)NULL);
++
++    Packet       = (EFI_DHCP6_PACKET *)Buffer;
++    Packet->Size = DHCP6_PACKET_MAX_LEN;
++  }
++
++  // Add any cleanup code if needed
++  virtual void
++  TearDown (
++    )
++  {
++    // Clean up any resources or variables
++    if (Buffer != NULL) {
++      FreePool (Buffer);
++    }
++  }
++};
++
++// Test Description:
++// Attempt to append an option to a packet that is too small by a duid that is too large
++TEST_F (Dhcp6AppendOptionTest, InvalidDataExpectBufferTooSmall) {
++  UINT8           *Cursor;
++  EFI_DHCP6_DUID  *UntrustedDuid;
++  EFI_STATUS      Status;
++
++  UntrustedDuid = (EFI_DHCP6_DUID *)AllocateZeroPool (sizeof (EFI_DHCP6_DUID));
++  ASSERT_NE (UntrustedDuid, (EFI_DHCP6_DUID *)NULL);
++
++  UntrustedDuid->Length = NTOHS (0xFFFF);
++
++  Cursor = Dhcp6AppendOptionTest::Packet->Dhcp6.Option;
++
++  Status = Dhcp6AppendOption (
++             Dhcp6AppendOptionTest::Packet,
++             &Cursor,
++             HTONS (Dhcp6OptServerId),
++             UntrustedDuid->Length,
++             UntrustedDuid->Duid
++             );
++
++  ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
++}
++
++// Test Description:
++// Attempt to append an option to a packet that is large enough
++TEST_F (Dhcp6AppendOptionTest, ValidDataExpectSuccess) {
++  UINT8           *Cursor;
++  EFI_DHCP6_DUID  *UntrustedDuid;
++  EFI_STATUS      Status;
++  UINTN           OriginalLength;
++
++  UINT8  Duid[6] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05 };
++
++  Packet->Length = sizeof (EFI_DHCP6_HEADER);
++  OriginalLength = Packet->Length;
++
++  UntrustedDuid = (EFI_DHCP6_DUID *)AllocateZeroPool (sizeof (EFI_DHCP6_DUID));
++  ASSERT_NE (UntrustedDuid, (EFI_DHCP6_DUID *)NULL);
++
++  UntrustedDuid->Length = NTOHS (sizeof (Duid));
++  CopyMem (UntrustedDuid->Duid, Duid, sizeof (Duid));
++
++  Cursor = Dhcp6AppendOptionTest::Packet->Dhcp6.Option;
++
++  Status = Dhcp6AppendOption (
++             Dhcp6AppendOptionTest::Packet,
++             &Cursor,
++             HTONS (Dhcp6OptServerId),
++             UntrustedDuid->Length,
++             UntrustedDuid->Duid
++             );
++
++  ASSERT_EQ (Status, EFI_SUCCESS);
++
++  // verify that the pointer to cursor moved by the expected amount
++  ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendOptionTest::Packet->Dhcp6.Option + sizeof (Duid) + 4);
++
++  // verify that the length of the packet is now the expected amount
++  ASSERT_EQ (Dhcp6AppendOptionTest::Packet->Length, OriginalLength + sizeof (Duid) + 4);
++}
++
++////////////////////////////////////////////////////////////////////////
++// Dhcp6AppendETOption Tests
++////////////////////////////////////////////////////////////////////////
++
++class Dhcp6AppendETOptionTest : public ::testing::Test {
++public:
++  UINT8 *Buffer = NULL;
++  EFI_DHCP6_PACKET *Packet;
++
++protected:
++  // Add any setup code if needed
++  virtual void
++  SetUp (
++    )
++  {
++    // Initialize any resources or variables
++    Buffer = (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN);
++    ASSERT_NE (Buffer, (UINT8 *)NULL);
++
++    Packet         = (EFI_DHCP6_PACKET *)Buffer;
++    Packet->Size   = DHCP6_PACKET_MAX_LEN;
++    Packet->Length = sizeof (EFI_DHCP6_HEADER);
++  }
++
++  // Add any cleanup code if needed
++  virtual void
++  TearDown (
++    )
++  {
++    // Clean up any resources or variables
++    if (Buffer != NULL) {
++      FreePool (Buffer);
++    }
++  }
++};
++
++// Test Description:
++// Attempt to append an option to a packet that is too small by a duid that is too large
++TEST_F (Dhcp6AppendETOptionTest, InvalidDataExpectBufferTooSmall) {
++  UINT8           *Cursor;
++  EFI_STATUS      Status;
++  DHCP6_INSTANCE  Instance;
++  UINT16          ElapsedTimeVal;
++  UINT16          *ElapsedTime;
++
++  Cursor      = Dhcp6AppendETOptionTest::Packet->Dhcp6.Option;
++  ElapsedTime = &ElapsedTimeVal;
++
++  Packet->Length = Packet->Size - 2;
++
++  Status = Dhcp6AppendETOption (
++             Dhcp6AppendETOptionTest::Packet,
++             &Cursor,
++             &Instance, // Instance is not used in this function
++             &ElapsedTime
++             );
++
++  // verify that we error out because the packet is too small for the option header
++  ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
++
++  // reset the length
++  Packet->Length = sizeof (EFI_DHCP6_HEADER);
++}
++
++// Test Description:
++// Attempt to append an option to a packet that is large enough
++TEST_F (Dhcp6AppendETOptionTest, ValidDataExpectSuccess) {
++  UINT8           *Cursor;
++  EFI_STATUS      Status;
++  DHCP6_INSTANCE  Instance;
++  UINT16          ElapsedTimeVal;
++  UINT16          *ElapsedTime;
++  UINTN           ExpectedSize;
++  UINTN           OriginalLength;
++
++  Cursor         = Dhcp6AppendETOptionTest::Packet->Dhcp6.Option;
++  ElapsedTime    = &ElapsedTimeVal;
++  ExpectedSize   = 6;
++  OriginalLength = Packet->Length;
++
++  Status = Dhcp6AppendETOption (
++             Dhcp6AppendETOptionTest::Packet,
++             &Cursor,
++             &Instance, // Instance is not used in this function
++             &ElapsedTime
++             );
++
++  // verify that the status is EFI_SUCCESS
++  ASSERT_EQ (Status, EFI_SUCCESS);
++
++  // verify that the pointer to cursor moved by the expected amount
++  ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendETOptionTest::Packet->Dhcp6.Option + ExpectedSize);
++
++  // verify that the length of the packet is now the expected amount
++  ASSERT_EQ (Dhcp6AppendETOptionTest::Packet->Length, OriginalLength + ExpectedSize);
++}
++
++////////////////////////////////////////////////////////////////////////
++// Dhcp6AppendIaOption Tests
++////////////////////////////////////////////////////////////////////////
++
++class Dhcp6AppendIaOptionTest : public ::testing::Test {
++public:
++  UINT8 *Buffer = NULL;
++  EFI_DHCP6_PACKET *Packet;
++  EFI_DHCP6_IA *Ia;
++
++protected:
++  // Add any setup code if needed
++  virtual void
++  SetUp (
++    )
++  {
++    // Initialize any resources or variables
++    Buffer = (UINT8 *)AllocateZeroPool (DHCP6_PACKET_MAX_LEN);
++    ASSERT_NE (Buffer, (UINT8 *)NULL);
++
++    Packet       = (EFI_DHCP6_PACKET *)Buffer;
++    Packet->Size = DHCP6_PACKET_MAX_LEN;
++
++    Ia = (EFI_DHCP6_IA *)AllocateZeroPool (sizeof (EFI_DHCP6_IA) + sizeof (EFI_DHCP6_IA_ADDRESS) * 2);
++    ASSERT_NE (Ia, (EFI_DHCP6_IA *)NULL);
++
++    CopyMem (Ia->IaAddress, mAllDhcpRelayAndServersAddress.Addr, sizeof (EFI_IPv6_ADDRESS));
++    CopyMem (Ia->IaAddress + 1, mAllDhcpRelayAndServersAddress.Addr, sizeof (EFI_IPv6_ADDRESS));
++
++    Ia->IaAddressCount = 2;
++  }
++
++  // Add any cleanup code if needed
++  virtual void
++  TearDown (
++    )
++  {
++    // Clean up any resources or variables
++    if (Buffer != NULL) {
++      FreePool (Buffer);
++    }
++
++    if (Ia != NULL) {
++      FreePool (Ia);
++    }
++  }
++};
++
++// Test Description:
++// Attempt to append an option to a packet that doesn't have enough space
++// for the option header
++TEST_F (Dhcp6AppendIaOptionTest, IaNaInvalidDataExpectBufferTooSmall) {
++  UINT8       *Cursor;
++  EFI_STATUS  Status;
++
++  Packet->Length = Packet->Size - 2;
++
++  Ia->Descriptor.Type = Dhcp6OptIana;
++  Ia->Descriptor.IaId = 0x12345678;
++
++  Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
++
++  Status = Dhcp6AppendIaOption (
++             Dhcp6AppendIaOptionTest::Packet,
++             &Cursor,
++             Ia,
++             0x12345678,
++             0x11111111,
++             Dhcp6OptIana
++             );
++
++  // verify that we error out because the packet is too small for the option header
++  ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
++
++  // reset the length
++  Packet->Length = sizeof (EFI_DHCP6_HEADER);
++}
++
++// Test Description:
++// Attempt to append an option to a packet that doesn't have enough space
++// for the option header
++TEST_F (Dhcp6AppendIaOptionTest, IaTaInvalidDataExpectBufferTooSmall) {
++  UINT8       *Cursor;
++  EFI_STATUS  Status;
++
++  // Use up nearly all the space in the packet
++  Packet->Length = Packet->Size - 2;
++
++  Ia->Descriptor.Type = Dhcp6OptIata;
++  Ia->Descriptor.IaId = 0x12345678;
++
++  Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
++
++  Status = Dhcp6AppendIaOption (
++             Dhcp6AppendIaOptionTest::Packet,
++             &Cursor,
++             Ia,
++             0,
++             0,
++             Dhcp6OptIata
++             );
++
++  // verify that we error out because the packet is too small for the option header
++  ASSERT_EQ (Status, EFI_BUFFER_TOO_SMALL);
++
++  // reset the length
++  Packet->Length = sizeof (EFI_DHCP6_HEADER);
++}
++
++TEST_F (Dhcp6AppendIaOptionTest, IaNaValidDataExpectSuccess) {
++  UINT8       *Cursor;
++  EFI_STATUS  Status;
++  UINTN       ExpectedSize;
++  UINTN       OriginalLength;
++
++  //
++  // 2 bytes for the option header type
++  //
++  ExpectedSize = 2;
++  //
++  // 2 bytes for the option header length
++  //
++  ExpectedSize += 2;
++  //
++  // 4 bytes for the IAID
++  //
++  ExpectedSize += 4;
++  //
++  // + 4 bytes for the T1
++  //
++  ExpectedSize += 4;
++  //
++  // + 4 bytes for the T2
++  //
++  ExpectedSize += 4;
++  //
++  // + (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
++  //   + 2 bytes for the option header type
++  //   + 2 bytes for the option header length
++  //   + sizeof (EFI_DHCP6_IA_ADDRESS) for the IA Address
++  //
++  ExpectedSize += (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
++
++  Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
++
++  Packet->Length = sizeof (EFI_DHCP6_HEADER);
++  OriginalLength = Packet->Length;
++
++  Ia->Descriptor.Type = Dhcp6OptIana;
++  Ia->Descriptor.IaId = 0x12345678;
++
++  Status = Dhcp6AppendIaOption (
++             Dhcp6AppendIaOptionTest::Packet,
++             &Cursor,
++             Ia,
++             0x12345678,
++             0x12345678,
++             Dhcp6OptIana
++             );
++
++  // verify that the pointer to cursor moved by the expected amount
++  ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option + ExpectedSize);
++
++  // verify that the length of the packet is now the expected amount
++  ASSERT_EQ (Dhcp6AppendIaOptionTest::Packet->Length, OriginalLength + ExpectedSize);
++
++  // verify that the status is EFI_SUCCESS
++  ASSERT_EQ (Status, EFI_SUCCESS);
++}
++
++TEST_F (Dhcp6AppendIaOptionTest, IaTaValidDataExpectSuccess) {
++  UINT8       *Cursor;
++  EFI_STATUS  Status;
++  UINTN       ExpectedSize;
++  UINTN       OriginalLength;
++
++  //
++  // 2 bytes for the option header type
++  //
++  ExpectedSize = 2;
++  //
++  // 2 bytes for the option header length
++  //
++  ExpectedSize += 2;
++  //
++  // 4 bytes for the IAID
++  //
++  ExpectedSize += 4;
++  //
++  // + (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
++  //   + 2 bytes for the option header type
++  //   + 2 bytes for the option header length
++  //   + sizeof (EFI_DHCP6_IA_ADDRESS) for the IA Address
++  //
++  ExpectedSize += (4 + sizeof (EFI_DHCP6_IA_ADDRESS)) * 2;
++
++  Cursor = Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option;
++
++  Packet->Length = sizeof (EFI_DHCP6_HEADER);
++  OriginalLength = Packet->Length;
++
++  Ia->Descriptor.Type = Dhcp6OptIata;
++  Ia->Descriptor.IaId = 0x12345678;
++
++  Status = Dhcp6AppendIaOption (
++             Dhcp6AppendIaOptionTest::Packet,
++             &Cursor,
++             Ia,
++             0,
++             0,
++             Dhcp6OptIata
++             );
++
++  // verify that the pointer to cursor moved by the expected amount
++  ASSERT_EQ (Cursor, (UINT8 *)Dhcp6AppendIaOptionTest::Packet->Dhcp6.Option + ExpectedSize);
++
++  // verify that the length of the packet is now the expected amount
++  ASSERT_EQ (Dhcp6AppendIaOptionTest::Packet->Length, OriginalLength + ExpectedSize);
++
++  // verify that the status is EFI_SUCCESS
++  ASSERT_EQ (Status, EFI_SUCCESS);
++}
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2023-45231-0001.patch

@@ -0,0 +1,65 @@
+From bbfee34f4188ac00371abe1389ae9c9fb989a0cd Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Fri, 26 Jan 2024 05:54:48 +0800
+Subject: [PATCH] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536
+
+Bug Overview:
+PixieFail Bug #3
+CVE-2023-45231
+CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+CWE-125 Out-of-bounds Read
+
+Out-of-bounds read when handling a ND Redirect message with truncated
+options
+
+Change Overview:
+
+Adds a check to prevent truncated options from being parsed
++  //
++  // Cannot process truncated options.
++  // Cannot process options with a length of 0 as there is no Type
+field.
++  //
++  if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
++    return FALSE;
++  }
+
+Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
+Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
+
+CVE: CVE-2023-45231
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/bbfee34f4188ac00371abe1389ae9c9fb989a0cd]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ NetworkPkg/Ip6Dxe/Ip6Option.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c
+index 199eea124d..8718d5d875 100644
+--- a/NetworkPkg/Ip6Dxe/Ip6Option.c
++++ b/NetworkPkg/Ip6Dxe/Ip6Option.c
+@@ -137,6 +137,14 @@ Ip6IsNDOptionValid (
+     return FALSE;
+   }
+ 
++  //
++  // Cannot process truncated options.
++  // Cannot process options with a length of 0 as there is no Type field.
++  //
++  if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
++    return FALSE;
++  }
++
+   Offset = 0;
+ 
+   //
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2023-45231-0002.patch

@@ -0,0 +1,250 @@
+From 6f77463d72807ec7f4ed6518c3dac29a1040df9f Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Fri, 26 Jan 2024 05:54:49 +0800
+Subject: [PATCH] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536
+
+Validates that the patch for...
+
+Out-of-bounds read when handling a ND Redirect message with truncated
+options
+
+.. has been fixed
+
+Tests the following function to ensure that an out of bounds read does
+not occur
+Ip6OptionValidation
+
+Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
+Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
+
+CVE: CVE-2023-45231
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/6f77463d72807ec7f4ed6518c3dac29a1040df9f]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp    |  20 +++
+ .../Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf    |  42 ++++++
+ .../Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp | 129 ++++++++++++++++++
+ 3 files changed, 191 insertions(+)
+ create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp
+ create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
+ create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
+
+diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp
+new file mode 100644
+index 0000000000..6ebfd5fdfb
+--- /dev/null
++++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp
+@@ -0,0 +1,20 @@
++/** @file
++  Acts as the main entry point for the tests for the Ip6Dxe module.
++
++  Copyright (c) Microsoft Corporation
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++#include <gtest/gtest.h>
++
++////////////////////////////////////////////////////////////////////////////////
++// Run the tests
++////////////////////////////////////////////////////////////////////////////////
++int
++main (
++  int   argc,
++  char  *argv[]
++  )
++{
++  testing::InitGoogleTest (&argc, argv);
++  return RUN_ALL_TESTS ();
++}
+diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
+new file mode 100644
+index 0000000000..6e4de0745f
+--- /dev/null
++++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
+@@ -0,0 +1,42 @@
++## @file
++# Unit test suite for the Ip6Dxe using Google Test
++#
++# Copyright (c) Microsoft Corporation.<BR>
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++[Defines]
++  INF_VERSION         = 0x00010017
++  BASE_NAME           = Ip6DxeUnitTest
++  FILE_GUID           = 4F05D17D-D3E7-4AAE-820C-576D46D2D34A
++  VERSION_STRING      = 1.0
++  MODULE_TYPE         = HOST_APPLICATION
++#
++# The following information is for reference only and not required by the build tools.
++#
++#  VALID_ARCHITECTURES           = IA32 X64 AARCH64
++#
++[Sources]
++  Ip6DxeGoogleTest.cpp
++  Ip6OptionGoogleTest.cpp
++  ../Ip6Option.c
++
++[Packages]
++  MdePkg/MdePkg.dec
++  MdeModulePkg/MdeModulePkg.dec
++  UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
++  NetworkPkg/NetworkPkg.dec
++
++[LibraryClasses]
++  GoogleTestLib
++  DebugLib
++  NetLib
++  PcdLib
++
++[Protocols]
++  gEfiDhcp6ServiceBindingProtocolGuid
++
++[Pcd]
++  gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType
++
++[Guids]
++  gZeroGuid
+diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
+new file mode 100644
+index 0000000000..f2cd90e1a9
+--- /dev/null
++++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
+@@ -0,0 +1,129 @@
++/** @file
++  Tests for Ip6Option.c.
++
++  Copyright (c) Microsoft Corporation
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++#include <gtest/gtest.h>
++
++extern "C" {
++  #include <Uefi.h>
++  #include <Library/BaseLib.h>
++  #include <Library/DebugLib.h>
++  #include "../Ip6Impl.h"
++  #include "../Ip6Option.h"
++}
++
++/////////////////////////////////////////////////////////////////////////
++// Defines
++///////////////////////////////////////////////////////////////////////
++
++#define IP6_PREFIX_INFO_OPTION_DATA_LEN    32
++#define OPTION_HEADER_IP6_PREFIX_DATA_LEN  (sizeof (IP6_OPTION_HEADER) + IP6_PREFIX_INFO_OPTION_DATA_LEN)
++
++////////////////////////////////////////////////////////////////////////
++// Symbol Definitions
++// These functions are not directly under test - but required to compile
++////////////////////////////////////////////////////////////////////////
++UINT32  mIp6Id;
++
++EFI_STATUS
++Ip6SendIcmpError (
++  IN IP6_SERVICE       *IpSb,
++  IN NET_BUF           *Packet,
++  IN EFI_IPv6_ADDRESS  *SourceAddress       OPTIONAL,
++  IN EFI_IPv6_ADDRESS  *DestinationAddress,
++  IN UINT8             Type,
++  IN UINT8             Code,
++  IN UINT32            *Pointer             OPTIONAL
++  )
++{
++  // ..
++  return EFI_SUCCESS;
++}
++
++////////////////////////////////////////////////////////////////////////
++// Ip6OptionValidation Tests
++////////////////////////////////////////////////////////////////////////
++
++// Define a fixture for your tests if needed
++class Ip6OptionValidationTest : public ::testing::Test {
++protected:
++  // Add any setup code if needed
++  virtual void
++  SetUp (
++    )
++  {
++    // Initialize any resources or variables
++  }
++
++  // Add any cleanup code if needed
++  virtual void
++  TearDown (
++    )
++  {
++    // Clean up any resources or variables
++  }
++};
++
++// Test Description:
++// Null option should return false
++TEST_F (Ip6OptionValidationTest, NullOptionShouldReturnFalse) {
++  UINT8   *option   = nullptr;
++  UINT16  optionLen = 10; // Provide a suitable length
++
++  EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));
++}
++
++// Test Description:
++// Truncated option should return false
++TEST_F (Ip6OptionValidationTest, TruncatedOptionShouldReturnFalse) {
++  UINT8   option[]  = { 0x01 }; // Provide a truncated option
++  UINT16  optionLen = 1;
++
++  EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));
++}
++
++// Test Description:
++// Ip6OptionPrefixInfo Option with zero length should return false
++TEST_F (Ip6OptionValidationTest, OptionWithZeroLengthShouldReturnFalse) {
++  IP6_OPTION_HEADER  optionHeader;
++
++  optionHeader.Type   = Ip6OptionPrefixInfo;
++  optionHeader.Length = 0;
++  UINT8  option[sizeof (IP6_OPTION_HEADER)];
++
++  CopyMem (option, &optionHeader, sizeof (IP6_OPTION_HEADER));
++  UINT16  optionLen = sizeof (IP6_OPTION_HEADER);
++
++  EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));
++}
++
++// Test Description:
++// Ip6OptionPrefixInfo Option with valid length should return true
++TEST_F (Ip6OptionValidationTest, ValidPrefixInfoOptionShouldReturnTrue) {
++  IP6_OPTION_HEADER  optionHeader;
++
++  optionHeader.Type   = Ip6OptionPrefixInfo;
++  optionHeader.Length = 4; // Length 4 * 8 = 32
++  UINT8  option[OPTION_HEADER_IP6_PREFIX_DATA_LEN];
++
++  CopyMem (option, &optionHeader, sizeof (IP6_OPTION_HEADER));
++
++  EXPECT_TRUE (Ip6IsNDOptionValid (option, IP6_PREFIX_INFO_OPTION_DATA_LEN));
++}
++
++// Test Description:
++// Ip6OptionPrefixInfo Option with invalid length should return false
++TEST_F (Ip6OptionValidationTest, InvalidPrefixInfoOptionLengthShouldReturnFalse) {
++  IP6_OPTION_HEADER  optionHeader;
++
++  optionHeader.Type   = Ip6OptionPrefixInfo;
++  optionHeader.Length = 3; // Length 3 * 8 = 24 (Invalid)
++  UINT8  option[sizeof (IP6_OPTION_HEADER)];
++
++  CopyMem (option, &optionHeader, sizeof (IP6_OPTION_HEADER));
++  UINT16  optionLen = sizeof (IP6_OPTION_HEADER);
++
++  EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));
++}
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2023-45232-CVE-2023-45233-0001.patch

@@ -0,0 +1,360 @@
+From 4df0229ef992d4f2721a8508787ebf9dc81fbd6e Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Fri, 26 Jan 2024 05:54:50 +0800
+Subject: [PATCH] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Patch
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538
+
+Bug Details:
+PixieFail Bug #4
+CVE-2023-45232
+CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
+
+Infinite loop when parsing unknown options in the Destination Options
+header
+
+PixieFail Bug #5
+CVE-2023-45233
+CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
+
+Infinite loop when parsing a PadN option in the Destination Options
+header
+
+Change Overview:
+
+Most importantly this change corrects the following incorrect math
+and cleans up the code.
+
+>   // It is a PadN option
+>   //
+> - Offset = (UINT8)(Offset + *(Option + Offset + 1) + 2);
+> + OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length;
+> + Offset     = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
+
+> case Ip6OptionSkip:
+> - Offset = (UINT8)(Offset + *(Option + Offset + 1));
+>   OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length;
+>   Offset     = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
+
+Additionally, this change also corrects incorrect math where the calling
+function was calculating the HDR EXT optionLen as a uint8 instead of a
+uint16
+
+> - OptionLen = (UINT8)((*Option + 1) * 8 - 2);
+> + OptionLen = IP6_HDR_EXT_LEN (*Option) -
+IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN;
+
+Additionally this check adds additional logic to santize the incoming
+data
+
+Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
+Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
+
+CVE: CVE-2023-45232, CVE-2023-45233
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/4df0229ef992d4f2721a8508787ebf9dc81fbd6e]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ NetworkPkg/Ip6Dxe/Ip6Nd.h     | 35 ++++++++++++++++
+ NetworkPkg/Ip6Dxe/Ip6Option.c | 76 ++++++++++++++++++++++++++++++-----
+ NetworkPkg/Ip6Dxe/Ip6Option.h | 71 ++++++++++++++++++++++++++++++++
+ 3 files changed, 171 insertions(+), 11 deletions(-)
+
+diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.h b/NetworkPkg/Ip6Dxe/Ip6Nd.h
+index 860934a167..bf64e9114e 100644
+--- a/NetworkPkg/Ip6Dxe/Ip6Nd.h
++++ b/NetworkPkg/Ip6Dxe/Ip6Nd.h
+@@ -56,13 +56,48 @@ VOID
+   VOID  *Context
+   );
+ 
++//
++// Per RFC8200 Section 4.2
++//
++//   Two of the currently-defined extension headers -- the Hop-by-Hop
++//   Options header and the Destination Options header -- carry a variable
++//   number of type-length-value (TLV) encoded "options", of the following
++//   format:
++//
++//      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
++//      |  Option Type  |  Opt Data Len |  Option Data
++//      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
++//
++//      Option Type          8-bit identifier of the type of option.
++//
++//      Opt Data Len         8-bit unsigned integer.  Length of the Option
++//                           Data field of this option, in octets.
++//
++//      Option Data          Variable-length field.  Option-Type-specific
++//                           data.
++//
+ typedef struct _IP6_OPTION_HEADER {
++  ///
++  /// identifier of the type of option.
++  ///
+   UINT8    Type;
++  ///
++  /// Length of the Option Data field of this option, in octets.
++  ///
+   UINT8    Length;
++  ///
++  /// Option-Type-specific data.
++  ///
+ } IP6_OPTION_HEADER;
+ 
+ STATIC_ASSERT (sizeof (IP6_OPTION_HEADER) == 2, "IP6_OPTION_HEADER is expected to be exactly 2 bytes long.");
+ 
++#define IP6_NEXT_OPTION_OFFSET(offset, length)  (offset + sizeof(IP6_OPTION_HEADER) + length)
++STATIC_ASSERT (
++  IP6_NEXT_OPTION_OFFSET (0, 0) == 2,
++  "The next option is minimally the combined size of the option tag and length"
++  );
++
+ typedef struct _IP6_ETHE_ADDR_OPTION {
+   UINT8    Type;
+   UINT8    Length;
+diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c
+index 8718d5d875..fd97ce116f 100644
+--- a/NetworkPkg/Ip6Dxe/Ip6Option.c
++++ b/NetworkPkg/Ip6Dxe/Ip6Option.c
+@@ -17,7 +17,8 @@
+   @param[in]  IpSb              The IP6 service data.
+   @param[in]  Packet            The to be validated packet.
+   @param[in]  Option            The first byte of the option.
+-  @param[in]  OptionLen         The length of the whole option.
++  @param[in]  OptionLen         The length of all options, expressed in byte length of octets.
++                                Maximum length is 2046 bytes or ((n + 1) * 8) - 2 where n is 255.
+   @param[in]  Pointer           Identifies the octet offset within
+                                 the invoking packet where the error was detected.
+ 
+@@ -31,12 +32,33 @@ Ip6IsOptionValid (
+   IN IP6_SERVICE  *IpSb,
+   IN NET_BUF      *Packet,
+   IN UINT8        *Option,
+-  IN UINT8        OptionLen,
++  IN UINT16       OptionLen,
+   IN UINT32       Pointer
+   )
+ {
+-  UINT8  Offset;
+-  UINT8  OptionType;
++  UINT16  Offset;
++  UINT8   OptionType;
++  UINT8   OptDataLen;
++
++  if (Option == NULL) {
++    ASSERT (Option != NULL);
++    return FALSE;
++  }
++
++  if ((OptionLen <= 0) || (OptionLen > IP6_MAX_EXT_DATA_LENGTH)) {
++    ASSERT (OptionLen > 0 && OptionLen <= IP6_MAX_EXT_DATA_LENGTH);
++    return FALSE;
++  }
++
++  if (Packet == NULL) {
++    ASSERT (Packet != NULL);
++    return FALSE;
++  }
++
++  if (IpSb == NULL) {
++    ASSERT (IpSb != NULL);
++    return FALSE;
++  }
+ 
+   Offset = 0;
+ 
+@@ -54,7 +76,8 @@ Ip6IsOptionValid (
+         //
+         // It is a PadN option
+         //
+-        Offset = (UINT8)(Offset + *(Option + Offset + 1) + 2);
++        OptDataLen = ((IP6_OPTION_HEADER *)(Option + Offset))->Length;
++        Offset     = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
+         break;
+       case Ip6OptionRouterAlert:
+         //
+@@ -69,7 +92,8 @@ Ip6IsOptionValid (
+         //
+         switch (OptionType & Ip6OptionMask) {
+           case Ip6OptionSkip:
+-            Offset = (UINT8)(Offset + *(Option + Offset + 1));
++            OptDataLen = ((IP6_OPTION_HEADER *)(Option + Offset))->Length;
++            Offset     = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
+             break;
+           case Ip6OptionDiscard:
+             return FALSE;
+@@ -308,7 +332,7 @@ Ip6IsExtsValid (
+   UINT32               Pointer;
+   UINT32               Offset;
+   UINT8                *Option;
+-  UINT8                OptionLen;
++  UINT16               OptionLen;
+   BOOLEAN              Flag;
+   UINT8                CountD;
+   UINT8                CountA;
+@@ -385,6 +409,36 @@ Ip6IsExtsValid (
+       // Fall through
+       //
+       case IP6_DESTINATION:
++        //
++        // See https://www.rfc-editor.org/rfc/rfc2460#section-4.2 page 23
++        //
++        // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++        // |  Next Header  |  Hdr Ext Len  |                               |
++        // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
++        // |                                                               |
++        // .                                                               .
++        // .                            Options                            .
++        // .                                                               .
++        // |                                                               |
++        // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++        //
++        //
++        //   Next Header    8-bit selector.  Identifies the type of header
++        //                  immediately following the Destination Options
++        //                  header.  Uses the same values as the IPv4
++        //                  Protocol field [RFC-1700 et seq.].
++        //
++        //   Hdr Ext Len    8-bit unsigned integer.  Length of the
++        //                  Destination Options header in 8-octet units, not
++        //                  including the first 8 octets.
++        //
++        //   Options        Variable-length field, of length such that the
++        //                  complete Destination Options header is an
++        //                  integer multiple of 8 octets long.  Contains one
++        //                  or  more TLV-encoded options, as described in
++        //                  section 4.2.
++        //
++
+         if (*NextHeader == IP6_DESTINATION) {
+           CountD++;
+         }
+@@ -398,7 +452,7 @@ Ip6IsExtsValid (
+ 
+         Offset++;
+         Option    = ExtHdrs + Offset;
+-        OptionLen = (UINT8)((*Option + 1) * 8 - 2);
++        OptionLen = IP6_HDR_EXT_LEN (*Option) - sizeof (IP6_EXT_HDR);
+         Option++;
+         Offset++;
+ 
+@@ -430,7 +484,7 @@ Ip6IsExtsValid (
+           //
+           // Ignore the routing header and proceed to process the next header.
+           //
+-          Offset = Offset + (RoutingHead->HeaderLen + 1) * 8;
++          Offset = Offset + IP6_HDR_EXT_LEN (RoutingHead->HeaderLen);
+ 
+           if (UnFragmentLen != NULL) {
+             *UnFragmentLen = Offset;
+@@ -441,7 +495,7 @@ Ip6IsExtsValid (
+           // to the packet's source address, pointing to the unrecognized routing
+           // type.
+           //
+-          Pointer = Offset + 2 + sizeof (EFI_IP6_HEADER);
++          Pointer = Offset + sizeof (IP6_EXT_HDR) + sizeof (EFI_IP6_HEADER);
+           if ((IpSb != NULL) && (Packet != NULL) &&
+               !IP6_IS_MULTICAST (&Packet->Ip.Ip6->DestinationAddress))
+           {
+@@ -527,7 +581,7 @@ Ip6IsExtsValid (
+         //
+         // RFC2402, Payload length is specified in 32-bit words, minus "2".
+         //
+-        OptionLen = (UINT8)((*Option + 2) * 4);
++        OptionLen = ((UINT16)(*Option + 2) * 4);
+         Offset    = Offset + OptionLen;
+         break;
+ 
+diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.h b/NetworkPkg/Ip6Dxe/Ip6Option.h
+index bd8e223c8a..fb07c28f5a 100644
+--- a/NetworkPkg/Ip6Dxe/Ip6Option.h
++++ b/NetworkPkg/Ip6Dxe/Ip6Option.h
+@@ -12,6 +12,77 @@
+ 
+ #define IP6_FRAGMENT_OFFSET_MASK  (~0x3)
+ 
++//
++// For more information see RFC 8200, Section 4.3, 4.4, and 4.6
++//
++//  This example format is from section 4.6
++//  This does not apply to fragment headers
++//
++//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++//    |  Next Header  |  Hdr Ext Len  |                               |
++//    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
++//    |                                                               |
++//    .                                                               .
++//    .                  Header-Specific Data                         .
++//    .                                                               .
++//    |                                                               |
++//    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++//
++//      Next Header           8-bit selector.  Identifies the type of
++//                            header immediately following the extension
++//                            header.  Uses the same values as the IPv4
++//                            Protocol field [IANA-PN].
++//
++//      Hdr Ext Len           8-bit unsigned integer.  Length of the
++//                            Destination Options header in 8-octet units,
++//                            not including the first 8 octets.
++
++//
++// These defines apply to the following:
++//   1. Hop by Hop
++//   2. Routing
++//   3. Destination
++//
++typedef struct _IP6_EXT_HDR {
++  ///
++  /// The Next Header field identifies the type of header immediately
++  ///
++  UINT8    NextHeader;
++  ///
++  /// The Hdr Ext Len field specifies the length of the Hop-by-Hop Options
++  ///
++  UINT8    HdrExtLen;
++  ///
++  /// Header-Specific Data
++  ///
++} IP6_EXT_HDR;
++
++STATIC_ASSERT (
++  sizeof (IP6_EXT_HDR) == 2,
++  "The combined size of Next Header and Len is two 8 bit fields"
++  );
++
++//
++// IPv6 extension headers contain an 8-bit length field which describes the size of
++// the header. However, the length field only includes the size of the extension
++// header options, not the size of the first 8 bytes of the header. Therefore, in
++// order to calculate the full size of the extension header, we add 1 (to account
++// for the first 8 bytes omitted by the length field reporting) and then multiply
++// by 8 (since the size is represented in 8-byte units).
++//
++// a is the length field of the extension header (UINT8)
++// The result may be up to 2046 octets (UINT16)
++//
++#define IP6_HDR_EXT_LEN(a)  (((UINT16)((UINT8)(a)) + 1) * 8)
++
++// This is the maxmimum length permissible by a extension header
++// Length is UINT8 of 8 octets not including the first 8 octets
++#define IP6_MAX_EXT_DATA_LENGTH  (IP6_HDR_EXT_LEN (MAX_UINT8) - sizeof(IP6_EXT_HDR))
++STATIC_ASSERT (
++  IP6_MAX_EXT_DATA_LENGTH == 2046,
++  "Maximum data length is ((MAX_UINT8 + 1) * 8) - 2"
++  );
++
+ typedef struct _IP6_FRAGMENT_HEADER {
+   UINT8     NextHeader;
+   UINT8     Reserved;
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2023-45232-CVE-2023-45233-0002.patch

@@ -0,0 +1,417 @@
+From c9c87f08dd6ace36fa843424522c3558a8374cac Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Fri, 26 Jan 2024 05:54:51 +0800
+Subject: [PATCH] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538
+
+Unit tests to confirm that..
+
+Infinite loop when parsing unknown options in the Destination Options
+header
+
+and
+
+Infinite loop when parsing a PadN option in the Destination Options
+header
+
+... have been patched
+
+This patch tests the following functions:
+Ip6IsOptionValid
+
+Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
+Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
+
+CVE: CVE-2023-45232, CVE-2023-45233
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/c9c87f08dd6ace36fa843424522c3558a8374cac]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf    |  10 +-
+ .../Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp | 278 ++++++++++++++++++
+ .../Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h   |  40 +++
+ 3 files changed, 324 insertions(+), 4 deletions(-)
+ create mode 100644 NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h
+
+diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
+index 6e4de0745f..ba29dbabad 100644
+--- a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
++++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf
+@@ -1,13 +1,13 @@
+ ## @file
+-# Unit test suite for the Ip6Dxe using Google Test
++# Unit test suite for the Ip6DxeGoogleTest using Google Test
+ #
+ # Copyright (c) Microsoft Corporation.<BR>
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+ [Defines]
+   INF_VERSION         = 0x00010017
+-  BASE_NAME           = Ip6DxeUnitTest
+-  FILE_GUID           = 4F05D17D-D3E7-4AAE-820C-576D46D2D34A
++  BASE_NAME           = Ip6DxeGoogleTest
++  FILE_GUID           = AE39981C-B7FE-41A8-A9C2-F41910477CA3
+   VERSION_STRING      = 1.0
+   MODULE_TYPE         = HOST_APPLICATION
+ #
+@@ -16,9 +16,11 @@
+ #  VALID_ARCHITECTURES           = IA32 X64 AARCH64
+ #
+ [Sources]
++  ../Ip6Option.c
++  Ip6OptionGoogleTest.h
+   Ip6DxeGoogleTest.cpp
+   Ip6OptionGoogleTest.cpp
+-  ../Ip6Option.c
++  Ip6OptionGoogleTest.h
+ 
+ [Packages]
+   MdePkg/MdePkg.dec
+diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
+index f2cd90e1a9..29f8a4a96e 100644
+--- a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
++++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp
+@@ -12,6 +12,7 @@ extern "C" {
+   #include <Library/DebugLib.h>
+   #include "../Ip6Impl.h"
+   #include "../Ip6Option.h"
++  #include "Ip6OptionGoogleTest.h"
+ }
+ 
+ /////////////////////////////////////////////////////////////////////////
+@@ -127,3 +128,280 @@ TEST_F (Ip6OptionValidationTest, InvalidPrefixInfoOptionLengthShouldReturnFalse)
+ 
+   EXPECT_FALSE (Ip6IsNDOptionValid (option, optionLen));
+ }
++
++////////////////////////////////////////////////////////////////////////
++// Ip6IsOptionValid Tests
++////////////////////////////////////////////////////////////////////////
++
++// Define a fixture for your tests if needed
++class Ip6IsOptionValidTest : public ::testing::Test {
++protected:
++  // Add any setup code if needed
++  virtual void
++  SetUp (
++    )
++  {
++    // Initialize any resources or variables
++  }
++
++  // Add any cleanup code if needed
++  virtual void
++  TearDown (
++    )
++  {
++    // Clean up any resources or variables
++  }
++};
++
++// Test Description
++// Verify that a NULL option is Invalid
++TEST_F (Ip6IsOptionValidTest, NullOptionShouldReturnTrue) {
++  NET_BUF  Packet = { 0 };
++  // we need to define enough of the packet to make the function work
++  // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
++  IP6_SERVICE  *IpSb = NULL;
++
++  EFI_IPv6_ADDRESS  SourceAddress      = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
++  EFI_IPv6_ADDRESS  DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
++  EFI_IP6_HEADER    Ip6Header          = { 0 };
++
++  Ip6Header.SourceAddress      = SourceAddress;
++  Ip6Header.DestinationAddress = DestinationAddress;
++  Packet.Ip.Ip6                = &Ip6Header;
++
++  EXPECT_FALSE (Ip6IsOptionValid (IpSb, &Packet, NULL, 0, 0));
++}
++
++// Test Description
++// Verify that an unknown option with a length of 0 and type of <unknown> does not cause an infinite loop
++TEST_F (Ip6IsOptionValidTest, VerifyNoInfiniteLoopOnUnknownOptionLength0) {
++  NET_BUF  Packet = { 0 };
++  // we need to define enough of the packet to make the function work
++  // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
++  UINT32  DeadCode = 0xDeadC0de;
++  // Don't actually use this pointer, just pass it to the function, nothing will be done with it
++  IP6_SERVICE  *IpSb = (IP6_SERVICE *)&DeadCode;
++
++  EFI_IPv6_ADDRESS  SourceAddress      = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
++  EFI_IPv6_ADDRESS  DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
++  EFI_IP6_HEADER    Ip6Header          = { 0 };
++
++  Ip6Header.SourceAddress      = SourceAddress;
++  Ip6Header.DestinationAddress = DestinationAddress;
++  Packet.Ip.Ip6                = &Ip6Header;
++
++  IP6_OPTION_HEADER  optionHeader;
++
++  optionHeader.Type   = 23;   // Unknown Option
++  optionHeader.Length = 0;    // This will cause an infinite loop if the function is not working correctly
++
++  // This should be a valid option even though the length is 0
++  EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
++}
++
++// Test Description
++// Verify that an unknown option with a length of 1 and type of <unknown> does not cause an infinite loop
++TEST_F (Ip6IsOptionValidTest, VerifyNoInfiniteLoopOnUnknownOptionLength1) {
++  NET_BUF  Packet = { 0 };
++  // we need to define enough of the packet to make the function work
++  // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
++  UINT32  DeadCode = 0xDeadC0de;
++  // Don't actually use this pointer, just pass it to the function, nothing will be done with it
++  IP6_SERVICE  *IpSb = (IP6_SERVICE *)&DeadCode;
++
++  EFI_IPv6_ADDRESS  SourceAddress      = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
++  EFI_IPv6_ADDRESS  DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
++  EFI_IP6_HEADER    Ip6Header          = { 0 };
++
++  Ip6Header.SourceAddress      = SourceAddress;
++  Ip6Header.DestinationAddress = DestinationAddress;
++  Packet.Ip.Ip6                = &Ip6Header;
++
++  IP6_OPTION_HEADER  optionHeader;
++
++  optionHeader.Type   = 23;   // Unknown Option
++  optionHeader.Length = 1;    // This will cause an infinite loop if the function is not working correctly
++
++  EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
++}
++
++// Test Description
++// Verify that an unknown option with a length of 2 and type of <unknown> does not cause an infinite loop
++TEST_F (Ip6IsOptionValidTest, VerifyIpSkipUnknownOption) {
++  NET_BUF  Packet = { 0 };
++  // we need to define enough of the packet to make the function work
++  // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
++  UINT32  DeadCode = 0xDeadC0de;
++  // Don't actually use this pointer, just pass it to the function, nothing will be done with it
++  IP6_SERVICE  *IpSb = (IP6_SERVICE *)&DeadCode;
++
++  EFI_IPv6_ADDRESS  SourceAddress      = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
++  EFI_IPv6_ADDRESS  DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
++  EFI_IP6_HEADER    Ip6Header          = { 0 };
++
++  Ip6Header.SourceAddress      = SourceAddress;
++  Ip6Header.DestinationAddress = DestinationAddress;
++  Packet.Ip.Ip6                = &Ip6Header;
++
++  IP6_OPTION_HEADER  optionHeader;
++
++  optionHeader.Type   = 23;   // Unknown Option
++  optionHeader.Length = 2;    // Valid length for an unknown option
++
++  EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
++}
++
++// Test Description
++// Verify that Ip6OptionPad1 is valid with a length of 0
++TEST_F (Ip6IsOptionValidTest, VerifyIp6OptionPad1) {
++  NET_BUF  Packet = { 0 };
++  // we need to define enough of the packet to make the function work
++  // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
++  UINT32  DeadCode = 0xDeadC0de;
++  // Don't actually use this pointer, just pass it to the function, nothing will be done with it
++  IP6_SERVICE  *IpSb = (IP6_SERVICE *)&DeadCode;
++
++  EFI_IPv6_ADDRESS  SourceAddress      = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
++  EFI_IPv6_ADDRESS  DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
++  EFI_IP6_HEADER    Ip6Header          = { 0 };
++
++  Ip6Header.SourceAddress      = SourceAddress;
++  Ip6Header.DestinationAddress = DestinationAddress;
++  Packet.Ip.Ip6                = &Ip6Header;
++
++  IP6_OPTION_HEADER  optionHeader;
++
++  optionHeader.Type   = Ip6OptionPad1;
++  optionHeader.Length = 0;
++
++  EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
++}
++
++// Test Description
++// Verify that Ip6OptionPadN doesn't overflow with various lengths
++TEST_F (Ip6IsOptionValidTest, VerifyIp6OptionPadN) {
++  NET_BUF  Packet = { 0 };
++  // we need to define enough of the packet to make the function work
++  // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
++  UINT32  DeadCode = 0xDeadC0de;
++  // Don't actually use this pointer, just pass it to the function, nothing will be done with it
++  IP6_SERVICE  *IpSb = (IP6_SERVICE *)&DeadCode;
++
++  EFI_IPv6_ADDRESS  SourceAddress      = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
++  EFI_IPv6_ADDRESS  DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
++  EFI_IP6_HEADER    Ip6Header          = { 0 };
++
++  Ip6Header.SourceAddress      = SourceAddress;
++  Ip6Header.DestinationAddress = DestinationAddress;
++  Packet.Ip.Ip6                = &Ip6Header;
++
++  IP6_OPTION_HEADER  optionHeader;
++
++  optionHeader.Type   = Ip6OptionPadN;
++  optionHeader.Length = 0xFF;
++  EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
++
++  optionHeader.Length = 0xFE;
++  EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
++
++  optionHeader.Length = 0xFD;
++  EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
++
++  optionHeader.Length = 0xFC;
++  EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
++}
++
++// Test Description
++// Verify an unknown option doesn't cause an infinite loop with various lengths
++TEST_F (Ip6IsOptionValidTest, VerifyNoInfiniteLoopOnUnknownOptionLengthAttemptOverflow) {
++  NET_BUF  Packet = { 0 };
++  // we need to define enough of the packet to make the function work
++  // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
++  UINT32  DeadCode = 0xDeadC0de;
++  // Don't actually use this pointer, just pass it to the function, nothing will be done with it
++  IP6_SERVICE  *IpSb = (IP6_SERVICE *)&DeadCode;
++
++  EFI_IPv6_ADDRESS  SourceAddress      = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
++  EFI_IPv6_ADDRESS  DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
++  EFI_IP6_HEADER    Ip6Header          = { 0 };
++
++  Ip6Header.SourceAddress      = SourceAddress;
++  Ip6Header.DestinationAddress = DestinationAddress;
++  Packet.Ip.Ip6                = &Ip6Header;
++
++  IP6_OPTION_HEADER  optionHeader;
++
++  optionHeader.Type   = 23;   // Unknown Option
++  optionHeader.Length = 0xFF;
++  EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
++
++  optionHeader.Length = 0xFE;
++  EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
++
++  optionHeader.Length = 0xFD;
++  EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
++
++  optionHeader.Length = 0xFC;
++  EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, (UINT8 *)&optionHeader, sizeof (optionHeader), 0));
++}
++
++// Test Description
++// Verify that the function supports multiple options
++TEST_F (Ip6IsOptionValidTest, MultiOptionSupport) {
++  UINT16   HdrLen;
++  NET_BUF  Packet = { 0 };
++  // we need to define enough of the packet to make the function work
++  // The function being tested will pass IpSb to Ip6SendIcmpError which is defined above
++  UINT32  DeadCode = 0xDeadC0de;
++  // Don't actually use this pointer, just pass it to the function, nothing will be done with it
++  IP6_SERVICE  *IpSb = (IP6_SERVICE *)&DeadCode;
++
++  EFI_IPv6_ADDRESS  SourceAddress      = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
++  EFI_IPv6_ADDRESS  DestinationAddress = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x42, 0x83, 0x29 };
++  EFI_IP6_HEADER    Ip6Header          = { 0 };
++
++  Ip6Header.SourceAddress      = SourceAddress;
++  Ip6Header.DestinationAddress = DestinationAddress;
++  Packet.Ip.Ip6                = &Ip6Header;
++
++  UINT8              ExtHdr[1024] = { 0 };
++  UINT8              *Cursor      = ExtHdr;
++  IP6_OPTION_HEADER  *Option      = (IP6_OPTION_HEADER *)ExtHdr;
++
++  // Let's start chaining options
++
++  Option->Type   = 23;   // Unknown Option
++  Option->Length = 0xFC;
++
++  Cursor += sizeof (IP6_OPTION_HEADER) + 0xFC;
++
++  Option       = (IP6_OPTION_HEADER *)Cursor;
++  Option->Type = Ip6OptionPad1;
++
++  Cursor += sizeof (1);
++
++  // Type and length aren't processed, instead it just moves the pointer forward by 4 bytes
++  Option         = (IP6_OPTION_HEADER *)Cursor;
++  Option->Type   = Ip6OptionRouterAlert;
++  Option->Length = 4;
++
++  Cursor += sizeof (IP6_OPTION_HEADER) + 4;
++
++  Option         = (IP6_OPTION_HEADER *)Cursor;
++  Option->Type   = Ip6OptionPadN;
++  Option->Length = 0xFC;
++
++  Cursor += sizeof (IP6_OPTION_HEADER) + 0xFC;
++
++  Option         = (IP6_OPTION_HEADER *)Cursor;
++  Option->Type   = Ip6OptionRouterAlert;
++  Option->Length = 4;
++
++  Cursor += sizeof (IP6_OPTION_HEADER) + 4;
++
++  // Total 524
++
++  HdrLen = (UINT16)(Cursor - ExtHdr);
++
++  EXPECT_TRUE (Ip6IsOptionValid (IpSb, &Packet, ExtHdr, HdrLen, 0));
++}
+diff --git a/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h
+new file mode 100644
+index 0000000000..0509b6ae30
+--- /dev/null
++++ b/NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h
+@@ -0,0 +1,40 @@
++/** @file
++  Exposes the functions needed to test the Ip6Option module.
++
++  Copyright (c) Microsoft Corporation
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++
++#ifndef IP6_OPTION_HEADER_GOOGLE_TEST_H_
++#define IP6_OPTION_HEADER_GOOGLE_TEST_H_
++
++#include <Uefi.h>
++#include "../Ip6Impl.h"
++
++/**
++  Validate the IP6 option format for both the packets we received
++  and that we will transmit. It will compute the ICMPv6 error message fields
++  if the option is malformatted.
++
++  @param[in]  IpSb              The IP6 service data.
++  @param[in]  Packet            The to be validated packet.
++  @param[in]  Option            The first byte of the option.
++  @param[in]  OptionLen         The length of the whole option.
++  @param[in]  Pointer           Identifies the octet offset within
++                                the invoking packet where the error was detected.
++
++
++  @retval TRUE     The option is properly formatted.
++  @retval FALSE    The option is malformatted.
++
++**/
++BOOLEAN
++Ip6IsOptionValid (
++  IN IP6_SERVICE  *IpSb,
++  IN NET_BUF      *Packet,
++  IN UINT8        *Option,
++  IN UINT16       OptionLen,
++  IN UINT32       Pointer
++  );
++
++#endif // __IP6_OPTION_HEADER_GOOGLE_TEST_H__
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2023-45234-0001.patch

@@ -0,0 +1,154 @@
+From 1b53515d53d303166b2bbd31e2cc7f16fd0aecd7 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Fri, 26 Jan 2024 05:54:52 +0800
+Subject: [PATCH] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Patch
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539
+
+Bug Details:
+PixieFail Bug #6
+CVE-2023-45234
+CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
+CWE-119 Improper Restriction of Operations within the Bounds of
+ a Memory Buffer
+
+Buffer overflow when processing DNS Servers option in a DHCPv6
+Advertise message
+
+Change Overview:
+
+Introduces a function to cache the Dns Server and perform sanitizing
+on the incoming DnsServerLen to ensure that the length is valid
+
+> + EFI_STATUS
+> + PxeBcCacheDnsServerAddresses (
+> +  IN PXEBC_PRIVATE_DATA        *Private,
+> +  IN PXEBC_DHCP6_PACKET_CACHE  *Cache6
+> +  )
+
+Additional code cleanup
+
+Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
+Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
+
+CVE: CVE-2023-45234
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/1b53515d53d303166b2bbd31e2cc7f16fd0aecd7]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 71 +++++++++++++++++++++++++---
+ 1 file changed, 65 insertions(+), 6 deletions(-)
+
+diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+index 425e0cf806..2b2d372889 100644
+--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
++++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+@@ -3,6 +3,7 @@
+ 
+   (C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>
+   Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
++  Copyright (c) Microsoft Corporation
+ 
+   SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+@@ -1312,6 +1313,65 @@ PxeBcSelectDhcp6Offer (
+   }
+ }
+ 
++/**
++  Cache the DHCPv6 DNS Server addresses
++
++  @param[in] Private               The pointer to PXEBC_PRIVATE_DATA.
++  @param[in] Cache6                The pointer to PXEBC_DHCP6_PACKET_CACHE.
++
++  @retval    EFI_SUCCESS           Cache the DHCPv6 DNS Server address successfully.
++  @retval    EFI_OUT_OF_RESOURCES  Failed to allocate resources.
++  @retval    EFI_DEVICE_ERROR      The DNS Server Address Length provided by a untrusted
++                                   option is not a multiple of 16 bytes (sizeof (EFI_IPv6_ADDRESS)).
++**/
++EFI_STATUS
++PxeBcCacheDnsServerAddresses (
++  IN PXEBC_PRIVATE_DATA        *Private,
++  IN PXEBC_DHCP6_PACKET_CACHE  *Cache6
++  )
++{
++  UINT16  DnsServerLen;
++
++  DnsServerLen = NTOHS (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen);
++  //
++  // Make sure that the number is nonzero
++  //
++  if (DnsServerLen == 0) {
++    return EFI_DEVICE_ERROR;
++  }
++
++  //
++  // Make sure the DnsServerlen is a multiple of EFI_IPv6_ADDRESS (16)
++  //
++  if (DnsServerLen % sizeof (EFI_IPv6_ADDRESS) != 0) {
++    return EFI_DEVICE_ERROR;
++  }
++
++  //
++  // This code is currently written to only support a single DNS Server instead
++  // of multiple such as is spec defined (RFC3646, Section 3). The proper behavior
++  // would be to allocate the full space requested, CopyMem all of the data,
++  // and then add a DnsServerCount field to Private and update additional code
++  // that depends on this.
++  //
++  // To support multiple DNS servers the `AllocationSize` would need to be changed to DnsServerLen
++  //
++  // This is tracked in https://bugzilla.tianocore.org/show_bug.cgi?id=1886
++  //
++  Private->DnsServer = AllocateZeroPool (sizeof (EFI_IPv6_ADDRESS));
++  if (Private->DnsServer == NULL) {
++    return EFI_OUT_OF_RESOURCES;
++  }
++
++  //
++  // Intentionally only copy over the first server address.
++  // To support multiple DNS servers, the `Length` would need to be changed to DnsServerLen
++  //
++  CopyMem (Private->DnsServer, Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->Data, sizeof (EFI_IPv6_ADDRESS));
++
++  return EFI_SUCCESS;
++}
++
+ /**
+   Handle the DHCPv6 offer packet.
+ 
+@@ -1335,6 +1395,7 @@ PxeBcHandleDhcp6Offer (
+   UINT32                    SelectIndex;
+   UINT32                    Index;
+ 
++  ASSERT (Private != NULL);
+   ASSERT (Private->SelectIndex > 0);
+   SelectIndex = (UINT32)(Private->SelectIndex - 1);
+   ASSERT (SelectIndex < PXEBC_OFFER_MAX_NUM);
+@@ -1342,15 +1403,13 @@ PxeBcHandleDhcp6Offer (
+   Status = EFI_SUCCESS;
+ 
+   //
+-  // First try to cache DNS server address if DHCP6 offer provides.
++  // First try to cache DNS server addresses if DHCP6 offer provides.
+   //
+   if (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] != NULL) {
+-    Private->DnsServer = AllocateZeroPool (NTOHS (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen));
+-    if (Private->DnsServer == NULL) {
+-      return EFI_OUT_OF_RESOURCES;
++    Status = PxeBcCacheDnsServerAddresses (Private, Cache6);
++    if (EFI_ERROR (Status)) {
++      return Status;
+     }
+-
+-    CopyMem (Private->DnsServer, Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->Data, sizeof (EFI_IPv6_ADDRESS));
+   }
+ 
+   if (Cache6->OfferType == PxeOfferTypeDhcpBinl) {
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2023-45234-0002.patch

@@ -0,0 +1,485 @@
+From 458c582685fc0e8057d2511c5a0394078d988c17 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Fri, 26 Jan 2024 05:54:53 +0800
+Subject: [PATCH] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Unit 
+ Tests
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539
+
+Unit tests to that the bug..
+
+Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise
+message
+
+..has been patched
+
+This contains tests for the following functions:
+PxeBcHandleDhcp6Offer
+PxeBcCacheDnsServerAddresses
+
+Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
+Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
+
+CVE: CVE-2023-45234
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/458c582685fc0e8057d2511c5a0394078d988c17]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../GoogleTest/PxeBcDhcp6GoogleTest.cpp       | 300 ++++++++++++++++++
+ .../GoogleTest/PxeBcDhcp6GoogleTest.h         |  50 +++
+ .../GoogleTest/UefiPxeBcDxeGoogleTest.cpp     |  19 ++
+ .../GoogleTest/UefiPxeBcDxeGoogleTest.inf     |  48 +++
+ 4 files changed, 417 insertions(+)
+ create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
+ create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
+ create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp
+ create mode 100644 NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf
+
+diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
+new file mode 100644
+index 0000000000..8260eeee50
+--- /dev/null
++++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
+@@ -0,0 +1,300 @@
++/** @file
++  Host based unit test for PxeBcDhcp6.c.
++
++  Copyright (c) Microsoft Corporation
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++#include <gtest/gtest.h>
++
++extern "C" {
++  #include <Uefi.h>
++  #include <Library/BaseLib.h>
++  #include <Library/DebugLib.h>
++  #include "../PxeBcImpl.h"
++  #include "../PxeBcDhcp6.h"
++  #include "PxeBcDhcp6GoogleTest.h"
++}
++
++///////////////////////////////////////////////////////////////////////////////
++// Definitions
++///////////////////////////////////////////////////////////////////////////////
++
++#define PACKET_SIZE  (1500)
++
++typedef struct {
++  UINT16    OptionCode;   // The option code for DHCP6_OPT_SERVER_ID (e.g., 0x03)
++  UINT16    OptionLen;    // The length of the option (e.g., 16 bytes)
++  UINT8     ServerId[16]; // The 16-byte DHCPv6 Server Identifier
++} DHCP6_OPTION_SERVER_ID;
++
++///////////////////////////////////////////////////////////////////////////////
++/// Symbol Definitions
++///////////////////////////////////////////////////////////////////////////////
++
++EFI_STATUS
++MockUdpWrite (
++  IN EFI_PXE_BASE_CODE_PROTOCOL      *This,
++  IN UINT16                          OpFlags,
++  IN EFI_IP_ADDRESS                  *DestIp,
++  IN EFI_PXE_BASE_CODE_UDP_PORT      *DestPort,
++  IN EFI_IP_ADDRESS                  *GatewayIp   OPTIONAL,
++  IN EFI_IP_ADDRESS                  *SrcIp       OPTIONAL,
++  IN OUT EFI_PXE_BASE_CODE_UDP_PORT  *SrcPort     OPTIONAL,
++  IN UINTN                           *HeaderSize  OPTIONAL,
++  IN VOID                            *HeaderPtr   OPTIONAL,
++  IN UINTN                           *BufferSize,
++  IN VOID                            *BufferPtr
++  )
++{
++  return EFI_SUCCESS;
++}
++
++EFI_STATUS
++MockUdpRead (
++  IN EFI_PXE_BASE_CODE_PROTOCOL      *This,
++  IN UINT16                          OpFlags,
++  IN OUT EFI_IP_ADDRESS              *DestIp      OPTIONAL,
++  IN OUT EFI_PXE_BASE_CODE_UDP_PORT  *DestPort    OPTIONAL,
++  IN OUT EFI_IP_ADDRESS              *SrcIp       OPTIONAL,
++  IN OUT EFI_PXE_BASE_CODE_UDP_PORT  *SrcPort     OPTIONAL,
++  IN UINTN                           *HeaderSize  OPTIONAL,
++  IN VOID                            *HeaderPtr   OPTIONAL,
++  IN OUT UINTN                       *BufferSize,
++  IN VOID                            *BufferPtr
++  )
++{
++  return EFI_SUCCESS;
++}
++
++EFI_STATUS
++MockConfigure (
++  IN EFI_UDP6_PROTOCOL     *This,
++  IN EFI_UDP6_CONFIG_DATA  *UdpConfigData OPTIONAL
++  )
++{
++  return EFI_SUCCESS;
++}
++
++// Needed by PxeBcSupport
++EFI_STATUS
++EFIAPI
++QueueDpc (
++  IN EFI_TPL            DpcTpl,
++  IN EFI_DPC_PROCEDURE  DpcProcedure,
++  IN VOID               *DpcContext    OPTIONAL
++  )
++{
++  return EFI_SUCCESS;
++}
++
++///////////////////////////////////////////////////////////////////////////////
++// PxeBcHandleDhcp6OfferTest Tests
++///////////////////////////////////////////////////////////////////////////////
++
++class PxeBcHandleDhcp6OfferTest : public ::testing::Test {
++public:
++  PXEBC_PRIVATE_DATA Private = { 0 };
++  EFI_UDP6_PROTOCOL Udp6Read;
++  EFI_PXE_BASE_CODE_MODE Mode = { 0 };
++
++protected:
++  // Add any setup code if needed
++  virtual void
++  SetUp (
++    )
++  {
++    Private.Dhcp6Request = (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_SIZE);
++
++    // Need to setup the EFI_PXE_BASE_CODE_PROTOCOL
++    // The function under test really only needs the following:
++    //  UdpWrite
++    //  UdpRead
++
++    Private.PxeBc.UdpWrite = (EFI_PXE_BASE_CODE_UDP_WRITE)MockUdpWrite;
++    Private.PxeBc.UdpRead  = (EFI_PXE_BASE_CODE_UDP_READ)MockUdpRead;
++
++    // Need to setup EFI_UDP6_PROTOCOL
++    // The function under test really only needs the following:
++    //  Configure
++
++    Udp6Read.Configure = (EFI_UDP6_CONFIGURE)MockConfigure;
++    Private.Udp6Read   = &Udp6Read;
++
++    // Need to setup the EFI_PXE_BASE_CODE_MODE
++    Private.PxeBc.Mode = &Mode;
++
++    // for this test it doesn't really matter what the Dhcpv6 ack is set to
++  }
++
++  // Add any cleanup code if needed
++  virtual void
++  TearDown (
++    )
++  {
++    if (Private.Dhcp6Request != NULL) {
++      FreePool (Private.Dhcp6Request);
++    }
++
++    // Clean up any resources or variables
++  }
++};
++
++// Note:
++// Testing PxeBcHandleDhcp6Offer() is difficult because it depends on a
++// properly setup Private structure. Attempting to properly test this function
++// without a signficant refactor is a fools errand. Instead, we will test
++// that we can prevent an overflow in the function.
++TEST_F (PxeBcHandleDhcp6OfferTest, BasicUsageTest) {
++  PXEBC_DHCP6_PACKET_CACHE  *Cache6 = NULL;
++  EFI_DHCP6_PACKET_OPTION   Option  = { 0 };
++
++  Private.SelectIndex = 1; // SelectIndex is 1-based
++  Cache6              = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6;
++
++  Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = &Option;
++  // Setup the DHCPv6 offer packet
++  Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode = DHCP6_OPT_SERVER_ID;
++  Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen  = NTOHS (1337);
++
++  ASSERT_EQ (PxeBcHandleDhcp6Offer (&(PxeBcHandleDhcp6OfferTest::Private)), EFI_DEVICE_ERROR);
++}
++
++class PxeBcCacheDnsServerAddressesTest : public ::testing::Test {
++public:
++  PXEBC_PRIVATE_DATA Private = { 0 };
++
++protected:
++  // Add any setup code if needed
++  virtual void
++  SetUp (
++    )
++  {
++  }
++
++  // Add any cleanup code if needed
++  virtual void
++  TearDown (
++    )
++  {
++  }
++};
++
++// Test Description
++// Test that we cache the DNS server address from the DHCPv6 offer packet
++TEST_F (PxeBcCacheDnsServerAddressesTest, BasicUsageTest) {
++  UINT8                     SearchPattern[16] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF };
++  EFI_DHCP6_PACKET_OPTION   *Option;
++  PXEBC_DHCP6_PACKET_CACHE  *Cache6 = NULL;
++
++  Option = (EFI_DHCP6_PACKET_OPTION *)AllocateZeroPool (sizeof (EFI_DHCP6_PACKET_OPTION) + sizeof (SearchPattern));
++  ASSERT_NE (Option, nullptr);
++
++  Option->OpCode = DHCP6_OPT_SERVER_ID;
++  Option->OpLen  = NTOHS (sizeof (SearchPattern));
++  CopyMem (Option->Data, SearchPattern, sizeof (SearchPattern));
++
++  Private.SelectIndex                         = 1; // SelectIndex is 1-based
++  Cache6                                      = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6;
++  Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = Option;
++
++  Private.DnsServer = nullptr;
++
++  ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesTest::Private), Cache6), EFI_SUCCESS);
++  ASSERT_NE (Private.DnsServer, nullptr);
++  ASSERT_EQ (CompareMem (Private.DnsServer, SearchPattern, sizeof (SearchPattern)), 0);
++
++  if (Private.DnsServer) {
++    FreePool (Private.DnsServer);
++  }
++
++  if (Option) {
++    FreePool (Option);
++  }
++}
++// Test Description
++// Test that we can prevent an overflow in the function
++TEST_F (PxeBcCacheDnsServerAddressesTest, AttemptOverflowTest) {
++  EFI_DHCP6_PACKET_OPTION   Option  = { 0 };
++  PXEBC_DHCP6_PACKET_CACHE  *Cache6 = NULL;
++
++  Private.SelectIndex                         = 1; // SelectIndex is 1-based
++  Cache6                                      = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6;
++  Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = &Option;
++  // Setup the DHCPv6 offer packet
++  Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode = DHCP6_OPT_SERVER_ID;
++  Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen  = NTOHS (1337);
++
++  Private.DnsServer = NULL;
++
++  ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesTest::Private), Cache6), EFI_DEVICE_ERROR);
++  ASSERT_EQ (Private.DnsServer, nullptr);
++
++  if (Private.DnsServer) {
++    FreePool (Private.DnsServer);
++  }
++}
++
++// Test Description
++// Test that we can prevent an underflow in the function
++TEST_F (PxeBcCacheDnsServerAddressesTest, AttemptUnderflowTest) {
++  EFI_DHCP6_PACKET_OPTION   Option  = { 0 };
++  PXEBC_DHCP6_PACKET_CACHE  *Cache6 = NULL;
++
++  Private.SelectIndex                         = 1; // SelectIndex is 1-based
++  Cache6                                      = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6;
++  Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = &Option;
++  // Setup the DHCPv6 offer packet
++  Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode = DHCP6_OPT_SERVER_ID;
++  Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen  = NTOHS (2);
++
++  Private.DnsServer = NULL;
++
++  ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesTest::Private), Cache6), EFI_DEVICE_ERROR);
++  ASSERT_EQ (Private.DnsServer, nullptr);
++
++  if (Private.DnsServer) {
++    FreePool (Private.DnsServer);
++  }
++}
++
++// Test Description
++// Test that we can handle recursive dns (multiple dns entries)
++TEST_F (PxeBcCacheDnsServerAddressesTest, MultipleDnsEntries) {
++  EFI_DHCP6_PACKET_OPTION   Option  = { 0 };
++  PXEBC_DHCP6_PACKET_CACHE  *Cache6 = NULL;
++
++  Private.SelectIndex                         = 1; // SelectIndex is 1-based
++  Cache6                                      = &Private.OfferBuffer[Private.SelectIndex - 1].Dhcp6;
++  Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER] = &Option;
++  // Setup the DHCPv6 offer packet
++  Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpCode = DHCP6_OPT_SERVER_ID;
++
++  EFI_IPv6_ADDRESS  addresses[2] = {
++    // 2001:db8:85a3::8a2e:370:7334
++    { 0x20, 0x01, 0x0d, 0xb8, 0x85, 0xa3, 0x00, 0x00, 0x00, 0x00, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x34 },
++    // fe80::d478:91c3:ecd7:4ff9
++    { 0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd4, 0x78, 0x91, 0xc3, 0xec, 0xd7, 0x4f, 0xf9 }
++  };
++
++  CopyMem (Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->Data, &addresses, sizeof (addresses));
++
++  Cache6->OptList[PXEBC_DHCP6_IDX_DNS_SERVER]->OpLen = NTOHS (sizeof (addresses));
++
++  Private.DnsServer = NULL;
++
++  ASSERT_EQ (PxeBcCacheDnsServerAddresses (&(PxeBcCacheDnsServerAddressesTest::Private), Cache6), EFI_SUCCESS);
++
++  ASSERT_NE (Private.DnsServer, nullptr);
++
++  //
++  // This is expected to fail until DnsServer supports multiple DNS servers
++  //
++  // This is tracked in https://bugzilla.tianocore.org/show_bug.cgi?id=1886
++  //
++  // Disabling:
++  // ASSERT_EQ (CompareMem(Private.DnsServer, &addresses, sizeof(addresses)), 0);
++
++  if (Private.DnsServer) {
++    FreePool (Private.DnsServer);
++  }
++}
+diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
+new file mode 100644
+index 0000000000..b17c314791
+--- /dev/null
++++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
+@@ -0,0 +1,50 @@
++/** @file
++  This file exposes the internal interfaces which may be unit tested
++  for the PxeBcDhcp6Dxe driver.
++
++  Copyright (c) Microsoft Corporation.<BR>
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++
++#ifndef PXE_BC_DHCP6_GOOGLE_TEST_H_
++#define PXE_BC_DHCP6_GOOGLE_TEST_H_
++
++//
++// Minimal includes needed to compile
++//
++#include <Uefi.h>
++#include "../PxeBcImpl.h"
++
++/**
++  Handle the DHCPv6 offer packet.
++
++  @param[in]  Private             The pointer to PXEBC_PRIVATE_DATA.
++
++  @retval     EFI_SUCCESS           Handled the DHCPv6 offer packet successfully.
++  @retval     EFI_NO_RESPONSE       No response to the following request packet.
++  @retval     EFI_OUT_OF_RESOURCES  Failed to allocate resources.
++  @retval     EFI_BUFFER_TOO_SMALL  Can't cache the offer pacet.
++
++**/
++EFI_STATUS
++PxeBcHandleDhcp6Offer (
++  IN PXEBC_PRIVATE_DATA  *Private
++  );
++
++/**
++  Cache the DHCPv6 Server address
++
++  @param[in] Private               The pointer to PXEBC_PRIVATE_DATA.
++  @param[in] Cache6                The pointer to PXEBC_DHCP6_PACKET_CACHE.
++
++  @retval    EFI_SUCCESS           Cache the DHCPv6 Server address successfully.
++  @retval    EFI_OUT_OF_RESOURCES  Failed to allocate resources.
++  @retval    EFI_DEVICE_ERROR      Failed to cache the DHCPv6 Server address.
++**/
++EFI_STATUS
++PxeBcCacheDnsServerAddresses (
++  IN PXEBC_PRIVATE_DATA        *Private,
++  IN PXEBC_DHCP6_PACKET_CACHE  *Cache6
++  );
++
++#endif // PXE_BC_DHCP6_GOOGLE_TEST_H_
+diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp
+new file mode 100644
+index 0000000000..cc4fdf525b
+--- /dev/null
++++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp
+@@ -0,0 +1,19 @@
++/** @file
++  Acts as the main entry point for the tests for the UefiPxeBcDxe module.
++  Copyright (c) Microsoft Corporation
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++#include <gtest/gtest.h>
++
++////////////////////////////////////////////////////////////////////////////////
++// Run the tests
++////////////////////////////////////////////////////////////////////////////////
++int
++main (
++  int   argc,
++  char  *argv[]
++  )
++{
++  testing::InitGoogleTest (&argc, argv);
++  return RUN_ALL_TESTS ();
++}
+diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf
+new file mode 100644
+index 0000000000..301dcdf611
+--- /dev/null
++++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf
+@@ -0,0 +1,48 @@
++## @file
++# Unit test suite for the UefiPxeBcDxe using Google Test
++#
++# Copyright (c) Microsoft Corporation.<BR>
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++[Defines]
++INF_VERSION    = 0x00010005
++BASE_NAME      = UefiPxeBcDxeGoogleTest
++FILE_GUID      = 77D45C64-EC1E-4174-887B-886E89FD1EDF
++MODULE_TYPE    = HOST_APPLICATION
++VERSION_STRING = 1.0
++
++#
++# The following information is for reference only and not required by the build tools.
++#
++#  VALID_ARCHITECTURES           = IA32 X64
++#
++
++[Sources]
++  UefiPxeBcDxeGoogleTest.cpp
++  PxeBcDhcp6GoogleTest.cpp
++  PxeBcDhcp6GoogleTest.h
++  ../PxeBcDhcp6.c
++  ../PxeBcSupport.c
++
++[Packages]
++  MdePkg/MdePkg.dec
++  MdeModulePkg/MdeModulePkg.dec
++  UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
++  NetworkPkg/NetworkPkg.dec
++
++[LibraryClasses]
++  GoogleTestLib
++  DebugLib
++  NetLib
++  PcdLib
++
++[Protocols]
++  gEfiDhcp6ServiceBindingProtocolGuid
++  gEfiDns6ServiceBindingProtocolGuid
++  gEfiDns6ProtocolGuid
++
++[Pcd]
++  gEfiNetworkPkgTokenSpaceGuid.PcdDhcp6UidType
++
++[Guids]
++  gZeroGuid
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2023-45235-0001.patch

@@ -0,0 +1,243 @@
+From fac297724e6cc343430cd0104e55cd7a96d1151e Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Fri, 26 Jan 2024 05:54:55 +0800
+Subject: [PATCH] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Patch
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540
+
+Bug Details:
+PixieFail Bug #7
+CVE-2023-45235
+CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
+CWE-119 Improper Restriction of Operations within the Bounds of
+ a Memory Buffer
+
+Buffer overflow when handling Server ID option from a DHCPv6 proxy
+Advertise message
+
+Change Overview:
+
+Performs two checks
+
+1. Checks that the length of the duid is accurate
+> + //
+> + // Check that the minimum and maximum requirements are met
+> + //
+> + if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) ||
+(OpLen > PXEBC_MAX_SIZE_OF_DUID)) {
+> +  Status = EFI_INVALID_PARAMETER;
+> +  goto ON_ERROR;
+> + }
+
+2. Ensures that the amount of data written to the buffer is tracked and
+never exceeds that
+> + //
+> + // Check that the option length is valid.
+> + //
+> + if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN)
+ > DiscoverLenNeeded) {
+> +     Status = EFI_OUT_OF_RESOURCES;
+> +     goto ON_ERROR;
+> + }
+
+Additional code clean up and fix for memory leak in case Option was NULL
+
+Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
+Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
+
+CVE: CVE-2023-45235
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/fac297724e6cc343430cd0104e55cd7a96d1151e]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 77 ++++++++++++++++++++++------
+ NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h | 17 ++++++
+ 2 files changed, 78 insertions(+), 16 deletions(-)
+
+diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+index 2b2d372889..7fd1281c11 100644
+--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
++++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+@@ -887,6 +887,7 @@ PxeBcRequestBootService (
+   EFI_STATUS                       Status;
+   EFI_DHCP6_PACKET                 *IndexOffer;
+   UINT8                            *Option;
++  UINTN                            DiscoverLenNeeded;
+ 
+   PxeBc      = &Private->PxeBc;
+   Request    = Private->Dhcp6Request;
+@@ -899,7 +900,8 @@ PxeBcRequestBootService (
+     return EFI_DEVICE_ERROR;
+   }
+ 
+-  Discover = AllocateZeroPool (sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET));
++  DiscoverLenNeeded = sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET);
++  Discover          = AllocateZeroPool (DiscoverLenNeeded);
+   if (Discover == NULL) {
+     return EFI_OUT_OF_RESOURCES;
+   }
+@@ -924,16 +926,34 @@ PxeBcRequestBootService (
+                DHCP6_OPT_SERVER_ID
+                );
+     if (Option == NULL) {
+-      return EFI_NOT_FOUND;
++      Status = EFI_NOT_FOUND;
++      goto ON_ERROR;
+     }
+ 
+     //
+     // Add Server ID Option.
+     //
+     OpLen = NTOHS (((EFI_DHCP6_PACKET_OPTION *)Option)->OpLen);
+-    CopyMem (DiscoverOpt, Option, OpLen + 4);
+-    DiscoverOpt += (OpLen + 4);
+-    DiscoverLen += (OpLen + 4);
++
++    //
++    // Check that the minimum and maximum requirements are met
++    //
++    if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) || (OpLen > PXEBC_MAX_SIZE_OF_DUID)) {
++      Status = EFI_INVALID_PARAMETER;
++      goto ON_ERROR;
++    }
++
++    //
++    // Check that the option length is valid.
++    //
++    if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN) > DiscoverLenNeeded) {
++      Status = EFI_OUT_OF_RESOURCES;
++      goto ON_ERROR;
++    }
++
++    CopyMem (DiscoverOpt, Option, OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
++    DiscoverOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
++    DiscoverLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+   }
+ 
+   while (RequestLen < Request->Length) {
+@@ -944,16 +964,24 @@ PxeBcRequestBootService (
+         (OpCode != DHCP6_OPT_SERVER_ID)
+         )
+     {
++      //
++      // Check that the option length is valid.
++      //
++      if (DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN > DiscoverLenNeeded) {
++        Status = EFI_OUT_OF_RESOURCES;
++        goto ON_ERROR;
++      }
++
+       //
+       // Copy all the options except IA option and Server ID
+       //
+-      CopyMem (DiscoverOpt, RequestOpt, OpLen + 4);
+-      DiscoverOpt += (OpLen + 4);
+-      DiscoverLen += (OpLen + 4);
++      CopyMem (DiscoverOpt, RequestOpt, OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
++      DiscoverOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
++      DiscoverLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+     }
+ 
+-    RequestOpt += (OpLen + 4);
+-    RequestLen += (OpLen + 4);
++    RequestOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
++    RequestLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+   }
+ 
+   //
+@@ -2154,6 +2182,7 @@ PxeBcDhcp6Discover (
+   UINT16                           OpLen;
+   UINT32                           Xid;
+   EFI_STATUS                       Status;
++  UINTN                            DiscoverLenNeeded;
+ 
+   PxeBc    = &Private->PxeBc;
+   Mode     = PxeBc->Mode;
+@@ -2169,7 +2198,8 @@ PxeBcDhcp6Discover (
+     return EFI_DEVICE_ERROR;
+   }
+ 
+-  Discover = AllocateZeroPool (sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET));
++  DiscoverLenNeeded = sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET);
++  Discover          = AllocateZeroPool (DiscoverLenNeeded);
+   if (Discover == NULL) {
+     return EFI_OUT_OF_RESOURCES;
+   }
+@@ -2185,22 +2215,37 @@ PxeBcDhcp6Discover (
+   DiscoverLen             = sizeof (EFI_DHCP6_HEADER);
+   RequestLen              = DiscoverLen;
+ 
++  //
++  // The request packet is generated by the UEFI network stack. In the DHCP4 DORA and DHCP6 SARR sequence,
++  // the first (discover in DHCP4 and solicit in DHCP6) and third (request in both DHCP4 and DHCP6) are
++  // generated by the DHCP client (the UEFI network stack in this case). By the time this function executes,
++  // the DHCP sequence already has been executed once (see UEFI Specification Figures 24.2 and 24.3), with
++  // Private->Dhcp6Request being a cached copy of the DHCP6 request packet that UEFI network stack previously
++  // generated and sent.
++  //
++  // Therefore while this code looks like it could overflow, in practice it's not possible.
++  //
+   while (RequestLen < Request->Length) {
+     OpCode = NTOHS (((EFI_DHCP6_PACKET_OPTION *)RequestOpt)->OpCode);
+     OpLen  = NTOHS (((EFI_DHCP6_PACKET_OPTION *)RequestOpt)->OpLen);
+     if ((OpCode != EFI_DHCP6_IA_TYPE_NA) &&
+         (OpCode != EFI_DHCP6_IA_TYPE_TA))
+     {
++      if (DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN > DiscoverLenNeeded) {
++        Status = EFI_OUT_OF_RESOURCES;
++        goto ON_ERROR;
++      }
++
+       //
+       // Copy all the options except IA option.
+       //
+-      CopyMem (DiscoverOpt, RequestOpt, OpLen + 4);
+-      DiscoverOpt += (OpLen + 4);
+-      DiscoverLen += (OpLen + 4);
++      CopyMem (DiscoverOpt, RequestOpt, OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
++      DiscoverOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
++      DiscoverLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+     }
+ 
+-    RequestOpt += (OpLen + 4);
+-    RequestLen += (OpLen + 4);
++    RequestOpt += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
++    RequestLen += (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);
+   }
+ 
+   Status = PxeBc->UdpWrite (
+diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h
+index c86f6d391b..6357d27fae 100644
+--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h
++++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h
+@@ -34,6 +34,23 @@
+ #define PXEBC_ADDR_START_DELIMITER        '['
+ #define PXEBC_ADDR_END_DELIMITER          ']'
+ 
++//
++// A DUID consists of a 2-octet type code represented in network byte
++// order, followed by a variable number of octets that make up the
++// actual identifier.  The length of the DUID (not including the type
++// code) is at least 1 octet and at most 128 octets.
++//
++#define PXEBC_MIN_SIZE_OF_DUID  (sizeof(UINT16) + 1)
++#define PXEBC_MAX_SIZE_OF_DUID  (sizeof(UINT16) + 128)
++
++//
++// This define represents the combineds code and length field from
++// https://datatracker.ietf.org/doc/html/rfc3315#section-22.1
++//
++#define PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN  \
++      (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpCode) + \
++      sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpLen))
++
+ #define GET_NEXT_DHCP6_OPTION(Opt) \
+   (EFI_DHCP6_PACKET_OPTION *) ((UINT8 *) (Opt) + \
+   sizeof (EFI_DHCP6_PACKET_OPTION) + (NTOHS ((Opt)->OpLen)) - 1)
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2023-45235-0002.patch

@@ -0,0 +1,379 @@
+From ff2986358f75d8f58ef08a66fe673539c9c48f41 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Fri, 26 Jan 2024 05:54:56 +0800
+Subject: [PATCH] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Unit 
+ Tests
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540
+
+Unit tests to confirm that the bug..
+
+Buffer overflow when handling Server ID option from a DHCPv6 proxy
+Advertise message
+
+..has been patched.
+
+This patch contains unit tests for the following functions:
+PxeBcRequestBootService
+PxeBcDhcp6Discover
+
+Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
+Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
+
+CVE: CVE-2023-45235
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/ff2986358f75d8f58ef08a66fe673539c9c48f41]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ .../GoogleTest/PxeBcDhcp6GoogleTest.cpp       | 278 +++++++++++++++++-
+ .../GoogleTest/PxeBcDhcp6GoogleTest.h         |  18 ++
+ 2 files changed, 294 insertions(+), 2 deletions(-)
+
+diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
+index 8260eeee50..bd423ebadf 100644
+--- a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
++++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
+@@ -4,7 +4,9 @@
+   Copyright (c) Microsoft Corporation
+   SPDX-License-Identifier: BSD-2-Clause-Patent
+ **/
+-#include <gtest/gtest.h>
++#include <Library/GoogleTestLib.h>
++#include <GoogleTest/Library/MockUefiLib.h>
++#include <GoogleTest/Library/MockUefiRuntimeServicesTableLib.h>
+ 
+ extern "C" {
+   #include <Uefi.h>
+@@ -19,7 +21,8 @@ extern "C" {
+ // Definitions
+ ///////////////////////////////////////////////////////////////////////////////
+ 
+-#define PACKET_SIZE  (1500)
++#define PACKET_SIZE            (1500)
++#define REQUEST_OPTION_LENGTH  (120)
+ 
+ typedef struct {
+   UINT16    OptionCode;   // The option code for DHCP6_OPT_SERVER_ID (e.g., 0x03)
+@@ -76,6 +79,26 @@ MockConfigure (
+ }
+ 
+ // Needed by PxeBcSupport
++EFI_STATUS
++PxeBcDns6 (
++  IN PXEBC_PRIVATE_DATA  *Private,
++  IN     CHAR16          *HostName,
++  OUT EFI_IPv6_ADDRESS   *IpAddress
++  )
++{
++  return EFI_SUCCESS;
++}
++
++UINT32
++PxeBcBuildDhcp6Options (
++  IN  PXEBC_PRIVATE_DATA       *Private,
++  OUT EFI_DHCP6_PACKET_OPTION  **OptList,
++  IN  UINT8                    *Buffer
++  )
++{
++  return EFI_SUCCESS;
++}
++
+ EFI_STATUS
+ EFIAPI
+ QueueDpc (
+@@ -159,6 +182,10 @@ TEST_F (PxeBcHandleDhcp6OfferTest, BasicUsageTest) {
+   ASSERT_EQ (PxeBcHandleDhcp6Offer (&(PxeBcHandleDhcp6OfferTest::Private)), EFI_DEVICE_ERROR);
+ }
+ 
++///////////////////////////////////////////////////////////////////////////////
++// PxeBcCacheDnsServerAddresses Tests
++///////////////////////////////////////////////////////////////////////////////
++
+ class PxeBcCacheDnsServerAddressesTest : public ::testing::Test {
+ public:
+   PXEBC_PRIVATE_DATA Private = { 0 };
+@@ -298,3 +325,250 @@ TEST_F (PxeBcCacheDnsServerAddressesTest, MultipleDnsEntries) {
+     FreePool (Private.DnsServer);
+   }
+ }
++
++///////////////////////////////////////////////////////////////////////////////
++// PxeBcRequestBootServiceTest Test Cases
++///////////////////////////////////////////////////////////////////////////////
++
++class PxeBcRequestBootServiceTest : public ::testing::Test {
++public:
++  PXEBC_PRIVATE_DATA Private = { 0 };
++  EFI_UDP6_PROTOCOL Udp6Read;
++
++protected:
++  // Add any setup code if needed
++  virtual void
++  SetUp (
++    )
++  {
++    Private.Dhcp6Request = (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_SIZE);
++
++    // Need to setup the EFI_PXE_BASE_CODE_PROTOCOL
++    // The function under test really only needs the following:
++    //  UdpWrite
++    //  UdpRead
++
++    Private.PxeBc.UdpWrite = (EFI_PXE_BASE_CODE_UDP_WRITE)MockUdpWrite;
++    Private.PxeBc.UdpRead  = (EFI_PXE_BASE_CODE_UDP_READ)MockUdpRead;
++
++    // Need to setup EFI_UDP6_PROTOCOL
++    // The function under test really only needs the following:
++    //  Configure
++
++    Udp6Read.Configure = (EFI_UDP6_CONFIGURE)MockConfigure;
++    Private.Udp6Read   = &Udp6Read;
++  }
++
++  // Add any cleanup code if needed
++  virtual void
++  TearDown (
++    )
++  {
++    if (Private.Dhcp6Request != NULL) {
++      FreePool (Private.Dhcp6Request);
++    }
++
++    // Clean up any resources or variables
++  }
++};
++
++TEST_F (PxeBcRequestBootServiceTest, ServerDiscoverBasicUsageTest) {
++  PxeBcRequestBootServiceTest::Private.OfferBuffer[0].Dhcp6.OfferType = PxeOfferTypeProxyBinl;
++
++  DHCP6_OPTION_SERVER_ID  Server = { 0 };
++
++  Server.OptionCode =  HTONS (DHCP6_OPT_SERVER_ID);
++  Server.OptionLen  = HTONS (16); // valid length
++  UINT8  Index = 0;
++
++  EFI_DHCP6_PACKET  *Packet = (EFI_DHCP6_PACKET *)&Private.OfferBuffer[Index].Dhcp6.Packet.Offer;
++
++  UINT8  *Cursor = (UINT8 *)(Packet->Dhcp6.Option);
++
++  CopyMem (Cursor, &Server, sizeof (Server));
++  Cursor += sizeof (Server);
++
++  // Update the packet length
++  Packet->Length = (UINT16)(Cursor - (UINT8 *)Packet);
++  Packet->Size   = PACKET_SIZE;
++
++  ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Private), Index), EFI_SUCCESS);
++}
++
++TEST_F (PxeBcRequestBootServiceTest, AttemptDiscoverOverFlowExpectFailure) {
++  PxeBcRequestBootServiceTest::Private.OfferBuffer[0].Dhcp6.OfferType = PxeOfferTypeProxyBinl;
++
++  DHCP6_OPTION_SERVER_ID  Server = { 0 };
++
++  Server.OptionCode =  HTONS (DHCP6_OPT_SERVER_ID);
++  Server.OptionLen  = HTONS (1500); // This length would overflow without a check
++  UINT8  Index = 0;
++
++  EFI_DHCP6_PACKET  *Packet = (EFI_DHCP6_PACKET *)&Private.OfferBuffer[Index].Dhcp6.Packet.Offer;
++
++  UINT8  *Cursor = (UINT8 *)(Packet->Dhcp6.Option);
++
++  CopyMem (Cursor, &Server, sizeof (Server));
++  Cursor += sizeof (Server);
++
++  // Update the packet length
++  Packet->Length = (UINT16)(Cursor - (UINT8 *)Packet);
++  Packet->Size   = PACKET_SIZE;
++
++  // This is going to be stopped by the duid overflow check
++  ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Private), Index), EFI_INVALID_PARAMETER);
++}
++
++TEST_F (PxeBcRequestBootServiceTest, RequestBasicUsageTest) {
++  EFI_DHCP6_PACKET_OPTION  RequestOpt = { 0 }; // the data section doesn't really matter
++
++  RequestOpt.OpCode = HTONS (0x1337);
++  RequestOpt.OpLen  = 0; // valid length
++
++  UINT8  Index = 0;
++
++  EFI_DHCP6_PACKET  *Packet = (EFI_DHCP6_PACKET *)&Private.Dhcp6Request[Index];
++
++  UINT8  *Cursor = (UINT8 *)(Packet->Dhcp6.Option);
++
++  CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt));
++  Cursor += sizeof (RequestOpt);
++
++  // Update the packet length
++  Packet->Length = (UINT16)(Cursor - (UINT8 *)Packet);
++  Packet->Size   = PACKET_SIZE;
++
++  ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Private), Index), EFI_SUCCESS);
++}
++
++TEST_F (PxeBcRequestBootServiceTest, AttemptRequestOverFlowExpectFailure) {
++  EFI_DHCP6_PACKET_OPTION  RequestOpt = { 0 }; // the data section doesn't really matter
++
++  RequestOpt.OpCode = HTONS (0x1337);
++  RequestOpt.OpLen  = 1500; // this length would overflow without a check
++
++  UINT8  Index = 0;
++
++  EFI_DHCP6_PACKET  *Packet = (EFI_DHCP6_PACKET *)&Private.Dhcp6Request[Index];
++
++  UINT8  *Cursor = (UINT8 *)(Packet->Dhcp6.Option);
++
++  CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt));
++  Cursor += sizeof (RequestOpt);
++
++  // Update the packet length
++  Packet->Length = (UINT16)(Cursor - (UINT8 *)Packet);
++  Packet->Size   = PACKET_SIZE;
++
++  ASSERT_EQ (PxeBcRequestBootService (&(PxeBcRequestBootServiceTest::Private), Index), EFI_OUT_OF_RESOURCES);
++}
++
++///////////////////////////////////////////////////////////////////////////////
++// PxeBcDhcp6Discover Test
++///////////////////////////////////////////////////////////////////////////////
++
++class PxeBcDhcp6DiscoverTest : public ::testing::Test {
++public:
++  PXEBC_PRIVATE_DATA Private = { 0 };
++  EFI_UDP6_PROTOCOL Udp6Read;
++
++protected:
++  MockUefiRuntimeServicesTableLib RtServicesMock;
++
++  // Add any setup code if needed
++  virtual void
++  SetUp (
++    )
++  {
++    Private.Dhcp6Request = (EFI_DHCP6_PACKET *)AllocateZeroPool (PACKET_SIZE);
++
++    // Need to setup the EFI_PXE_BASE_CODE_PROTOCOL
++    // The function under test really only needs the following:
++    //  UdpWrite
++    //  UdpRead
++
++    Private.PxeBc.UdpWrite = (EFI_PXE_BASE_CODE_UDP_WRITE)MockUdpWrite;
++    Private.PxeBc.UdpRead  = (EFI_PXE_BASE_CODE_UDP_READ)MockUdpRead;
++
++    // Need to setup EFI_UDP6_PROTOCOL
++    // The function under test really only needs the following:
++    //  Configure
++
++    Udp6Read.Configure = (EFI_UDP6_CONFIGURE)MockConfigure;
++    Private.Udp6Read   = &Udp6Read;
++  }
++
++  // Add any cleanup code if needed
++  virtual void
++  TearDown (
++    )
++  {
++    if (Private.Dhcp6Request != NULL) {
++      FreePool (Private.Dhcp6Request);
++    }
++
++    // Clean up any resources or variables
++  }
++};
++
++// Test Description
++// This will cause an overflow by an untrusted packet during the option parsing
++TEST_F (PxeBcDhcp6DiscoverTest, BasicOverflowTest) {
++  EFI_IPv6_ADDRESS         DestIp     = { 0 };
++  EFI_DHCP6_PACKET_OPTION  RequestOpt = { 0 }; // the data section doesn't really matter
++
++  RequestOpt.OpCode = HTONS (0x1337);
++  RequestOpt.OpLen  = HTONS (0xFFFF); // overflow
++
++  UINT8  *Cursor = (UINT8 *)(Private.Dhcp6Request->Dhcp6.Option);
++
++  CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt));
++  Cursor += sizeof (RequestOpt);
++
++  Private.Dhcp6Request->Length = (UINT16)(Cursor - (UINT8 *)Private.Dhcp6Request);
++
++  EXPECT_CALL (RtServicesMock, gRT_GetTime)
++    .WillOnce (::testing::Return (0));
++
++  ASSERT_EQ (
++    PxeBcDhcp6Discover (
++      &(PxeBcDhcp6DiscoverTest::Private),
++      0,
++      NULL,
++      FALSE,
++      (EFI_IP_ADDRESS *)&DestIp
++      ),
++    EFI_OUT_OF_RESOURCES
++    );
++}
++
++// Test Description
++// This will test that we can handle a packet with a valid option length
++TEST_F (PxeBcDhcp6DiscoverTest, BasicUsageTest) {
++  EFI_IPv6_ADDRESS         DestIp     = { 0 };
++  EFI_DHCP6_PACKET_OPTION  RequestOpt = { 0 }; // the data section doesn't really matter
++
++  RequestOpt.OpCode = HTONS (0x1337);
++  RequestOpt.OpLen  = HTONS (0x30);
++
++  UINT8  *Cursor = (UINT8 *)(Private.Dhcp6Request->Dhcp6.Option);
++
++  CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt));
++  Cursor += sizeof (RequestOpt);
++
++  Private.Dhcp6Request->Length = (UINT16)(Cursor - (UINT8 *)Private.Dhcp6Request);
++
++  EXPECT_CALL (RtServicesMock, gRT_GetTime)
++    .WillOnce (::testing::Return (0));
++
++  ASSERT_EQ (
++    PxeBcDhcp6Discover (
++      &(PxeBcDhcp6DiscoverTest::Private),
++      0,
++      NULL,
++      FALSE,
++      (EFI_IP_ADDRESS *)&DestIp
++      ),
++    EFI_SUCCESS
++    );
++}
+diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
+index b17c314791..0d825e4425 100644
+--- a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
++++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h
+@@ -47,4 +47,22 @@ PxeBcCacheDnsServerAddresses (
+   IN PXEBC_DHCP6_PACKET_CACHE  *Cache6
+   );
+ 
++/**
++  Build and send out the request packet for the bootfile, and parse the reply.
++
++  @param[in]  Private               The pointer to PxeBc private data.
++  @param[in]  Index                 PxeBc option boot item type.
++
++  @retval     EFI_SUCCESS           Successfully discovered the boot file.
++  @retval     EFI_OUT_OF_RESOURCES  Failed to allocate resources.
++  @retval     EFI_NOT_FOUND         Can't get the PXE reply packet.
++  @retval     Others                Failed to discover the boot file.
++
++**/
++EFI_STATUS
++PxeBcRequestBootService (
++  IN  PXEBC_PRIVATE_DATA  *Private,
++  IN  UINT32              Index
++  );
++
+ #endif // PXE_BC_DHCP6_GOOGLE_TEST_H_
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2023-45236.patch

@@ -0,0 +1,829 @@
+From 1904a64bcc18199738e5be183d28887ac5d837d7 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Wed, 8 May 2024 22:56:29 -0700
+Subject: [PATCH] NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541
+REF: https://www.rfc-editor.org/rfc/rfc1948.txt
+REF: https://www.rfc-editor.org/rfc/rfc6528.txt
+REF: https://www.rfc-editor.org/rfc/rfc9293.txt
+
+Bug Overview:
+PixieFail Bug #8
+CVE-2023-45236
+CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
+CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
+
+Updates TCP ISN generation to use a cryptographic hash of the
+connection's identifying parameters and a secret key.
+This prevents an attacker from guessing the ISN used for some other
+connection.
+
+This is follows the guidance in RFC 1948, RFC 6528, and RFC 9293.
+
+RFC: 9293 Section 3.4.1.  Initial Sequence Number Selection
+
+   A TCP implementation MUST use the above type of "clock" for clock-
+   driven selection of initial sequence numbers (MUST-8), and SHOULD
+   generate its initial sequence numbers with the expression:
+
+   ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
+
+   where M is the 4 microsecond timer, and F() is a pseudorandom
+   function (PRF) of the connection's identifying parameters ("localip,
+   localport, remoteip, remoteport") and a secret key ("secretkey")
+   (SHLD-1).  F() MUST NOT be computable from the outside (MUST-9), or
+   an attacker could still guess at sequence numbers from the ISN used
+   for some other connection.  The PRF could be implemented as a
+   cryptographic hash of the concatenation of the TCP connection
+   parameters and some secret data.  For discussion of the selection of
+   a specific hash algorithm and management of the secret key data,
+   please see Section 3 of [42].
+
+   For each connection there is a send sequence number and a receive
+   sequence number.  The initial send sequence number (ISS) is chosen by
+   the data sending TCP peer, and the initial receive sequence number
+   (IRS) is learned during the connection-establishing procedure.
+
+   For a connection to be established or initialized, the two TCP peers
+   must synchronize on each other's initial sequence numbers.  This is
+   done in an exchange of connection-establishing segments carrying a
+   control bit called "SYN" (for synchronize) and the initial sequence
+   numbers.  As a shorthand, segments carrying the SYN bit are also
+   called "SYNs".  Hence, the solution requires a suitable mechanism for
+   picking an initial sequence number and a slightly involved handshake
+   to exchange the ISNs.
+
+Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
+Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
+
+Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
+
+CVE: CVE-2023-45236
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/1904a64bcc18199738e5be183d28887ac5d837d7]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ NetworkPkg/SecurityFixes.yaml |  22 +++
+ NetworkPkg/TcpDxe/TcpDriver.c |  92 ++++++++++++-
+ NetworkPkg/TcpDxe/TcpDxe.inf  |   8 +-
+ NetworkPkg/TcpDxe/TcpFunc.h   |  23 ++--
+ NetworkPkg/TcpDxe/TcpInput.c  |  13 +-
+ NetworkPkg/TcpDxe/TcpMain.h   |  59 ++++++--
+ NetworkPkg/TcpDxe/TcpMisc.c   | 244 ++++++++++++++++++++++++++++++++--
+ NetworkPkg/TcpDxe/TcpTimer.c  |   3 +-
+ 8 files changed, 415 insertions(+), 49 deletions(-)
+
+diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml
+index 2b2c794697..ab355419cc 100644
+--- a/NetworkPkg/SecurityFixes.yaml
++++ b/NetworkPkg/SecurityFixes.yaml
+@@ -121,6 +121,28 @@ CVE_2023_45235:
+     - http://www.openwall.com/lists/oss-security/2024/01/16/2
+     - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
+     - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
++CVE_2023_45236:
++  commit_titles:
++    - "NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Patch"
++  cve: CVE-2023-45236
++  date_reported: 2023-08-28 13:56 UTC
++  description: "Bug 08 - edk2/NetworkPkg: Predictable TCP Initial Sequence Numbers"
++  note:
++  files_impacted:
++    - NetworkPkg/Include/Library/NetLib.h
++    - NetworkPkg/TcpDxe/TcpDriver.c
++    - NetworkPkg/TcpDxe/TcpDxe.inf
++    - NetworkPkg/TcpDxe/TcpFunc.h
++    - NetworkPkg/TcpDxe/TcpInput.c
++    - NetworkPkg/TcpDxe/TcpMain.h
++    - NetworkPkg/TcpDxe/TcpMisc.c
++    - NetworkPkg/TcpDxe/TcpTimer.c
++  links:
++    - https://bugzilla.tianocore.org/show_bug.cgi?id=4541
++    - https://nvd.nist.gov/vuln/detail/CVE-2023-45236
++    - http://www.openwall.com/lists/oss-security/2024/01/16/2
++    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
++    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
+ CVE_2023_45237:
+   commit_titles:
+     - "NetworkPkg:: SECURITY PATCH CVE 2023-45237"
+diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c
+index 8fe6badd68..40bba4080c 100644
+--- a/NetworkPkg/TcpDxe/TcpDriver.c
++++ b/NetworkPkg/TcpDxe/TcpDriver.c
+@@ -83,6 +83,12 @@ EFI_SERVICE_BINDING_PROTOCOL  gTcpServiceBinding = {
+   TcpServiceBindingDestroyChild
+ };
+ 
++//
++// This is the handle for the Hash2ServiceBinding Protocol instance this driver produces
++// if the platform does not provide one.
++//
++EFI_HANDLE  mHash2ServiceHandle = NULL;
++
+ /**
+   Create and start the heartbeat timer for the TCP driver.
+ 
+@@ -165,6 +171,23 @@ TcpDriverEntryPoint (
+   EFI_STATUS  Status;
+   UINT32      Random;
+ 
++  //
++  // Initialize the Secret used for hashing TCP sequence numbers
++  //
++  // Normally this should be regenerated periodically, but since
++  // this is only used for UEFI networking and not a general purpose
++  // operating system, it is not necessary to regenerate it.
++  //
++  Status = PseudoRandomU32 (&mTcpGlobalSecret);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
++    return Status;
++  }
++
++  //
++  // Get a random number used to generate a random port number
++  // Intentionally not linking this to mTcpGlobalSecret to avoid leaking information about the secret
++  //
+   Status = PseudoRandomU32 (&Random);
+   if (EFI_ERROR (Status)) {
+     DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status));
+@@ -207,9 +230,8 @@ TcpDriverEntryPoint (
+   }
+ 
+   //
+-  // Initialize ISS and random port.
++  // Initialize the random port.
+   //
+-  mTcpGlobalIss   = Random % mTcpGlobalIss;
+   mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN));
+   mTcp6RandomPort = mTcp4RandomPort;
+ 
+@@ -224,6 +246,8 @@ TcpDriverEntryPoint (
+   @param[in]  IpVersion          IP_VERSION_4 or IP_VERSION_6.
+ 
+   @retval EFI_OUT_OF_RESOURCES   Failed to allocate some resources.
++  @retval EFI_UNSUPPORTED        Service Binding Protocols are unavailable.
++  @retval EFI_ALREADY_STARTED    The TCP driver is already started on the controller.
+   @retval EFI_SUCCESS            A new IP6 service binding private was created.
+ 
+ **/
+@@ -234,11 +258,13 @@ TcpCreateService (
+   IN UINT8       IpVersion
+   )
+ {
+-  EFI_STATUS        Status;
+-  EFI_GUID          *IpServiceBindingGuid;
+-  EFI_GUID          *TcpServiceBindingGuid;
+-  TCP_SERVICE_DATA  *TcpServiceData;
+-  IP_IO_OPEN_DATA   OpenData;
++  EFI_STATUS                    Status;
++  EFI_GUID                      *IpServiceBindingGuid;
++  EFI_GUID                      *TcpServiceBindingGuid;
++  TCP_SERVICE_DATA              *TcpServiceData;
++  IP_IO_OPEN_DATA               OpenData;
++  EFI_SERVICE_BINDING_PROTOCOL  *Hash2ServiceBinding;
++  EFI_HASH2_PROTOCOL            *Hash2Protocol;
+ 
+   if (IpVersion == IP_VERSION_4) {
+     IpServiceBindingGuid  = &gEfiIp4ServiceBindingProtocolGuid;
+@@ -272,6 +298,33 @@ TcpCreateService (
+     return EFI_UNSUPPORTED;
+   }
+ 
++  Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol);
++  if (EFI_ERROR (Status)) {
++    //
++    // If we can't find the Hashing protocol, then we need to create one.
++    //
++
++    //
++    // Platform is expected to publish the hash service binding protocol to support TCP.
++    //
++    Status = gBS->LocateProtocol (
++                    &gEfiHash2ServiceBindingProtocolGuid,
++                    NULL,
++                    (VOID **)&Hash2ServiceBinding
++                    );
++    if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->CreateChild == NULL)) {
++      return EFI_UNSUPPORTED;
++    }
++
++    //
++    // Create an instance of the hash protocol for this controller.
++    //
++    Status = Hash2ServiceBinding->CreateChild (Hash2ServiceBinding, &mHash2ServiceHandle);
++    if (EFI_ERROR (Status)) {
++      return EFI_UNSUPPORTED;
++    }
++  }
++
+   //
+   // Create the TCP service data.
+   //
+@@ -423,6 +476,7 @@ TcpDestroyService (
+   EFI_STATUS                               Status;
+   LIST_ENTRY                               *List;
+   TCP_DESTROY_CHILD_IN_HANDLE_BUF_CONTEXT  Context;
++  EFI_SERVICE_BINDING_PROTOCOL             *Hash2ServiceBinding;
+ 
+   ASSERT ((IpVersion == IP_VERSION_4) || (IpVersion == IP_VERSION_6));
+ 
+@@ -439,6 +493,30 @@ TcpDestroyService (
+     return EFI_SUCCESS;
+   }
+ 
++  //
++  // Destroy the Hash2ServiceBinding instance if it is created by Tcp driver.
++  //
++  if (mHash2ServiceHandle != NULL) {
++    Status = gBS->LocateProtocol (
++                    &gEfiHash2ServiceBindingProtocolGuid,
++                    NULL,
++                    (VOID **)&Hash2ServiceBinding
++                    );
++    if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->DestroyChild == NULL)) {
++      return EFI_UNSUPPORTED;
++    }
++
++    //
++    // Destroy the instance of the hashing protocol for this controller.
++    //
++    Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle);
++    if (EFI_ERROR (Status)) {
++      return EFI_UNSUPPORTED;
++    }
++
++    mHash2ServiceHandle = NULL;
++  }
++
+   Status = gBS->OpenProtocol (
+                   NicHandle,
+                   ServiceBindingGuid,
+diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf
+index cf5423f4c5..76de4cf9ec 100644
+--- a/NetworkPkg/TcpDxe/TcpDxe.inf
++++ b/NetworkPkg/TcpDxe/TcpDxe.inf
+@@ -6,6 +6,7 @@
+ #  stack has been loaded in system. This driver supports both IPv4 and IPv6 network stack.
+ #
+ #  Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
++#  Copyright (c) Microsoft Corporation
+ #
+ #  SPDX-License-Identifier: BSD-2-Clause-Patent
+ #
+@@ -68,7 +69,6 @@
+   NetLib
+   IpIoLib
+ 
+-
+ [Protocols]
+   ## SOMETIMES_CONSUMES
+   ## SOMETIMES_PRODUCES
+@@ -81,6 +81,12 @@
+   gEfiIp6ServiceBindingProtocolGuid             ## TO_START
+   gEfiTcp6ProtocolGuid                          ## BY_START
+   gEfiTcp6ServiceBindingProtocolGuid            ## BY_START
++  gEfiHash2ProtocolGuid                         ## BY_START
++  gEfiHash2ServiceBindingProtocolGuid           ## BY_START
++
++[Guids]
++  gEfiHashAlgorithmMD5Guid                      ## CONSUMES
++  gEfiHashAlgorithmSha256Guid                   ## CONSUMES
+ 
+ [Depex]
+   gEfiHash2ServiceBindingProtocolGuid
+diff --git a/NetworkPkg/TcpDxe/TcpFunc.h b/NetworkPkg/TcpDxe/TcpFunc.h
+index a7af01fff2..c707bee3e5 100644
+--- a/NetworkPkg/TcpDxe/TcpFunc.h
++++ b/NetworkPkg/TcpDxe/TcpFunc.h
+@@ -2,7 +2,7 @@
+   Declaration of external functions shared in TCP driver.
+ 
+   Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
+-
++  Copyright (c) Microsoft Corporation
+   SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ **/
+@@ -36,8 +36,11 @@ VOID
+ 
+   @param[in, out]  Tcb               Pointer to the TCP_CB of this TCP instance.
+ 
++  @retval EFI_SUCCESS             The operation completed successfully
++  @retval others                  The underlying functions failed and could not complete the operation
++
+ **/
+-VOID
++EFI_STATUS
+ TcpInitTcbLocal (
+   IN OUT TCP_CB  *Tcb
+   );
+@@ -128,17 +131,6 @@ TcpCloneTcb (
+   IN TCP_CB  *Tcb
+   );
+ 
+-/**
+-  Compute an ISS to be used by a new connection.
+-
+-  @return The result ISS.
+-
+-**/
+-TCP_SEQNO
+-TcpGetIss (
+-  VOID
+-  );
+-
+ /**
+   Get the local mss.
+ 
+@@ -202,8 +194,11 @@ TcpFormatNetbuf (
+   @param[in, out]  Tcb          Pointer to the TCP_CB that wants to initiate a
+                                 connection.
+ 
++  @retval EFI_SUCCESS             The operation completed successfully
++  @retval others                  The underlying functions failed and could not complete the operation
++
+ **/
+-VOID
++EFI_STATUS
+ TcpOnAppConnect (
+   IN OUT TCP_CB  *Tcb
+   );
+diff --git a/NetworkPkg/TcpDxe/TcpInput.c b/NetworkPkg/TcpDxe/TcpInput.c
+index fb1aa827f8..0477a15d0c 100644
+--- a/NetworkPkg/TcpDxe/TcpInput.c
++++ b/NetworkPkg/TcpDxe/TcpInput.c
+@@ -724,6 +724,7 @@ TcpInput (
+   TCP_SEQNO   Urg;
+   UINT16      Checksum;
+   INT32       Usable;
++  EFI_STATUS  Status;
+ 
+   ASSERT ((Version == IP_VERSION_4) || (Version == IP_VERSION_6));
+ 
+@@ -872,7 +873,17 @@ TcpInput (
+       Tcb->LocalEnd.Port  = Head->DstPort;
+       Tcb->RemoteEnd.Port = Head->SrcPort;
+ 
+-      TcpInitTcbLocal (Tcb);
++      Status = TcpInitTcbLocal (Tcb);
++      if (EFI_ERROR (Status)) {
++        DEBUG (
++          (DEBUG_ERROR,
++           "TcpInput: discard a segment because failed to init local end for TCB %p\n",
++           Tcb)
++          );
++
++        goto DISCARD;
++      }
++
+       TcpInitTcbPeer (Tcb, Seg, &Option);
+ 
+       TcpSetState (Tcb, TCP_SYN_RCVD);
+diff --git a/NetworkPkg/TcpDxe/TcpMain.h b/NetworkPkg/TcpDxe/TcpMain.h
+index c0c9b7f46e..4d5566ab93 100644
+--- a/NetworkPkg/TcpDxe/TcpMain.h
++++ b/NetworkPkg/TcpDxe/TcpMain.h
+@@ -3,7 +3,7 @@
+   It is the common head file for all Tcp*.c in TCP driver.
+ 
+   Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
+-
++  Copyright (c) Microsoft Corporation
+   SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ **/
+@@ -13,6 +13,7 @@
+ 
+ #include <Protocol/ServiceBinding.h>
+ #include <Protocol/DriverBinding.h>
++#include <Protocol/Hash2.h>
+ #include <Library/IpIoLib.h>
+ #include <Library/DevicePathLib.h>
+ #include <Library/PrintLib.h>
+@@ -31,7 +32,7 @@ extern EFI_UNICODE_STRING_TABLE      *gTcpControllerNameTable;
+ 
+ extern LIST_ENTRY  mTcpRunQue;
+ extern LIST_ENTRY  mTcpListenQue;
+-extern TCP_SEQNO   mTcpGlobalIss;
++extern TCP_SEQNO   mTcpGlobalSecret;
+ extern UINT32      mTcpTick;
+ 
+ ///
+@@ -45,14 +46,6 @@ extern UINT32      mTcpTick;
+ 
+ #define TCP_EXPIRE_TIME  65535
+ 
+-///
+-/// The implementation selects the initial send sequence number and the unit to
+-/// be added when it is increased.
+-///
+-#define TCP_BASE_ISS         0x4d7e980b
+-#define TCP_ISS_INCREMENT_1  2048
+-#define TCP_ISS_INCREMENT_2  100
+-
+ typedef union {
+   EFI_TCP4_CONFIG_DATA    Tcp4CfgData;
+   EFI_TCP6_CONFIG_DATA    Tcp6CfgData;
+@@ -774,4 +767,50 @@ Tcp6Poll (
+   IN EFI_TCP6_PROTOCOL  *This
+   );
+ 
++/**
++  Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local
++  and remote IP addresses and ports.
++
++  This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1
++  Where the ISN is computed as follows:
++    ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret)
++
++  Otherwise:
++    ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
++
++    "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the
++    connection's identifying parameters ("localip, localport, remoteip, remoteport")
++    and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the
++    outside (MUST-9), or an attacker could still guess at sequence numbers from the
++    ISN used for some other connection. The PRF could be implemented as a
++    cryptographic hash of the concatenation of the TCP connection parameters and some
++    secret data. For discussion of the selection of a specific hash algorithm and
++    management of the secret key data."
++
++  @param[in]       LocalIp        A pointer to the local IP address of the TCP connection.
++  @param[in]       LocalIpSize    The size, in bytes, of the LocalIp buffer.
++  @param[in]       LocalPort      The local port number of the TCP connection.
++  @param[in]       RemoteIp       A pointer to the remote IP address of the TCP connection.
++  @param[in]       RemoteIpSize   The size, in bytes, of the RemoteIp buffer.
++  @param[in]       RemotePort     The remote port number of the TCP connection.
++  @param[out]      Isn            A pointer to the variable that will receive the Initial
++                                  Sequence Number (ISN).
++
++  @retval EFI_SUCCESS             The operation completed successfully, and the ISN was
++                                  retrieved.
++  @retval EFI_INVALID_PARAMETER   One or more of the input parameters are invalid.
++  @retval EFI_UNSUPPORTED         The operation is not supported.
++
++**/
++EFI_STATUS
++TcpGetIsn (
++  IN UINT8       *LocalIp,
++  IN UINTN       LocalIpSize,
++  IN UINT16      LocalPort,
++  IN UINT8       *RemoteIp,
++  IN UINTN       RemoteIpSize,
++  IN UINT16      RemotePort,
++  OUT TCP_SEQNO  *Isn
++  );
++
+ #endif
+diff --git a/NetworkPkg/TcpDxe/TcpMisc.c b/NetworkPkg/TcpDxe/TcpMisc.c
+index c93212d47d..3310306f63 100644
+--- a/NetworkPkg/TcpDxe/TcpMisc.c
++++ b/NetworkPkg/TcpDxe/TcpMisc.c
+@@ -3,7 +3,7 @@
+ 
+   (C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>
+   Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
+-
++  Copyright (c) Microsoft Corporation
+   SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ **/
+@@ -20,7 +20,34 @@ LIST_ENTRY  mTcpListenQue = {
+   &mTcpListenQue
+ };
+ 
+-TCP_SEQNO  mTcpGlobalIss = TCP_BASE_ISS;
++//
++// The Session secret
++// This must be initialized to a random value at boot time
++//
++TCP_SEQNO  mTcpGlobalSecret;
++
++//
++// Union to hold either an IPv4 or IPv6 address
++// This is used to simplify the ISN hash computation
++//
++typedef union {
++  UINT8    IPv4[4];
++  UINT8    IPv6[16];
++} NETWORK_ADDRESS;
++
++//
++// The ISN is computed by hashing this structure
++// It is initialized with the local and remote IP addresses and ports
++// and the secret
++//
++//
++typedef struct {
++  UINT16             LocalPort;
++  UINT16             RemotePort;
++  NETWORK_ADDRESS    LocalAddress;
++  NETWORK_ADDRESS    RemoteAddress;
++  TCP_SEQNO          Secret;
++} ISN_HASH_CTX;
+ 
+ CHAR16  *mTcpStateName[] = {
+   L"TCP_CLOSED",
+@@ -41,12 +68,18 @@ CHAR16  *mTcpStateName[] = {
+ 
+   @param[in, out]  Tcb               Pointer to the TCP_CB of this TCP instance.
+ 
++  @retval EFI_SUCCESS             The operation completed successfully
++  @retval others                  The underlying functions failed and could not complete the operation
++
+ **/
+-VOID
++EFI_STATUS
+ TcpInitTcbLocal (
+   IN OUT TCP_CB  *Tcb
+   )
+ {
++  TCP_SEQNO   Isn;
++  EFI_STATUS  Status;
++
+   //
+   // Compute the checksum of the fixed parts of pseudo header
+   //
+@@ -57,6 +90,16 @@ TcpInitTcbLocal (
+                      0x06,
+                      0
+                      );
++
++    Status = TcpGetIsn (
++               Tcb->LocalEnd.Ip.v4.Addr,
++               sizeof (IPv4_ADDRESS),
++               Tcb->LocalEnd.Port,
++               Tcb->RemoteEnd.Ip.v4.Addr,
++               sizeof (IPv4_ADDRESS),
++               Tcb->RemoteEnd.Port,
++               &Isn
++               );
+   } else {
+     Tcb->HeadSum = NetIp6PseudoHeadChecksum (
+                      &Tcb->LocalEnd.Ip.v6,
+@@ -64,9 +107,25 @@ TcpInitTcbLocal (
+                      0x06,
+                      0
+                      );
++
++    Status = TcpGetIsn (
++               Tcb->LocalEnd.Ip.v6.Addr,
++               sizeof (IPv6_ADDRESS),
++               Tcb->LocalEnd.Port,
++               Tcb->RemoteEnd.Ip.v6.Addr,
++               sizeof (IPv6_ADDRESS),
++               Tcb->RemoteEnd.Port,
++               &Isn
++               );
++  }
++
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "TcpInitTcbLocal: failed to get isn\n"));
++    ASSERT (FALSE);
++    return Status;
+   }
+ 
+-  Tcb->Iss    = TcpGetIss ();
++  Tcb->Iss    = Isn;
+   Tcb->SndUna = Tcb->Iss;
+   Tcb->SndNxt = Tcb->Iss;
+ 
+@@ -82,6 +141,8 @@ TcpInitTcbLocal (
+   Tcb->RetxmitSeqMax = 0;
+ 
+   Tcb->ProbeTimerOn = FALSE;
++
++  return EFI_SUCCESS;
+ }
+ 
+ /**
+@@ -506,18 +567,162 @@ TcpCloneTcb (
+ }
+ 
+ /**
+-  Compute an ISS to be used by a new connection.
+-
+-  @return The resulting ISS.
++  Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local
++  and remote IP addresses and ports.
++
++  This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1
++  Where the ISN is computed as follows:
++    ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret)
++
++  Otherwise:
++    ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
++
++    "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the
++    connection's identifying parameters ("localip, localport, remoteip, remoteport")
++    and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the
++    outside (MUST-9), or an attacker could still guess at sequence numbers from the
++    ISN used for some other connection. The PRF could be implemented as a
++    cryptographic hash of the concatenation of the TCP connection parameters and some
++    secret data. For discussion of the selection of a specific hash algorithm and
++    management of the secret key data."
++
++  @param[in]       LocalIp        A pointer to the local IP address of the TCP connection.
++  @param[in]       LocalIpSize    The size, in bytes, of the LocalIp buffer.
++  @param[in]       LocalPort      The local port number of the TCP connection.
++  @param[in]       RemoteIp       A pointer to the remote IP address of the TCP connection.
++  @param[in]       RemoteIpSize   The size, in bytes, of the RemoteIp buffer.
++  @param[in]       RemotePort     The remote port number of the TCP connection.
++  @param[out]      Isn            A pointer to the variable that will receive the Initial
++                                  Sequence Number (ISN).
++
++  @retval EFI_SUCCESS             The operation completed successfully, and the ISN was
++                                  retrieved.
++  @retval EFI_INVALID_PARAMETER   One or more of the input parameters are invalid.
++  @retval EFI_UNSUPPORTED         The operation is not supported.
+ 
+ **/
+-TCP_SEQNO
+-TcpGetIss (
+-  VOID
++EFI_STATUS
++TcpGetIsn (
++  IN UINT8       *LocalIp,
++  IN UINTN       LocalIpSize,
++  IN UINT16      LocalPort,
++  IN UINT8       *RemoteIp,
++  IN UINTN       RemoteIpSize,
++  IN UINT16      RemotePort,
++  OUT TCP_SEQNO  *Isn
+   )
+ {
+-  mTcpGlobalIss += TCP_ISS_INCREMENT_1;
+-  return mTcpGlobalIss;
++  EFI_STATUS          Status;
++  EFI_HASH2_PROTOCOL  *Hash2Protocol;
++  EFI_HASH2_OUTPUT    HashResult;
++  ISN_HASH_CTX        IsnHashCtx;
++  EFI_TIME            TimeStamp;
++
++  //
++  // Check that the ISN pointer is valid
++  //
++  if (Isn == NULL) {
++    return EFI_INVALID_PARAMETER;
++  }
++
++  //
++  // The local ip may be a v4 or v6 address and may not be NULL
++  //
++  if ((LocalIp == NULL) || (LocalIpSize == 0) || (RemoteIp == NULL) || (RemoteIpSize == 0)) {
++    return EFI_INVALID_PARAMETER;
++  }
++
++  //
++  // the local ip may be a v4 or v6 address
++  //
++  if ((LocalIpSize != sizeof (EFI_IPv4_ADDRESS)) && (LocalIpSize != sizeof (EFI_IPv6_ADDRESS))) {
++    return EFI_INVALID_PARAMETER;
++  }
++
++  //
++  // Locate the Hash Protocol
++  //
++  Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_NET, "Failed to locate Hash Protocol: %r\n", Status));
++
++    //
++    // TcpCreateService(..) is expected to be called prior to this function
++    //
++    ASSERT_EFI_ERROR (Status);
++    return Status;
++  }
++
++  //
++  // Initialize the hash algorithm
++  //
++  Status = Hash2Protocol->HashInit (Hash2Protocol, &gEfiHashAlgorithmSha256Guid);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_NET, "Failed to initialize sha256 hash algorithm: %r\n", Status));
++    return Status;
++  }
++
++  IsnHashCtx.LocalPort  = LocalPort;
++  IsnHashCtx.RemotePort = RemotePort;
++  IsnHashCtx.Secret     = mTcpGlobalSecret;
++
++  //
++  // Check the IP address family and copy accordingly
++  //
++  if (LocalIpSize == sizeof (EFI_IPv4_ADDRESS)) {
++    CopyMem (&IsnHashCtx.LocalAddress.IPv4, LocalIp, LocalIpSize);
++  } else if (LocalIpSize == sizeof (EFI_IPv6_ADDRESS)) {
++    CopyMem (&IsnHashCtx.LocalAddress.IPv6, LocalIp, LocalIpSize);
++  } else {
++    return EFI_INVALID_PARAMETER; // Unsupported address size
++  }
++
++  //
++  // Repeat the process for the remote IP address
++  //
++  if (RemoteIpSize == sizeof (EFI_IPv4_ADDRESS)) {
++    CopyMem (&IsnHashCtx.RemoteAddress.IPv4, RemoteIp, RemoteIpSize);
++  } else if (RemoteIpSize == sizeof (EFI_IPv6_ADDRESS)) {
++    CopyMem (&IsnHashCtx.RemoteAddress.IPv6, RemoteIp, RemoteIpSize);
++  } else {
++    return EFI_INVALID_PARAMETER; // Unsupported address size
++  }
++
++  //
++  // Compute the hash
++  // Update the hash with the data
++  //
++  Status = Hash2Protocol->HashUpdate (Hash2Protocol, (UINT8 *)&IsnHashCtx, sizeof (IsnHashCtx));
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_NET, "Failed to update hash: %r\n", Status));
++    return Status;
++  }
++
++  //
++  // Finalize the hash and retrieve the result
++  //
++  Status = Hash2Protocol->HashFinal (Hash2Protocol, &HashResult);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_NET, "Failed to finalize hash: %r\n", Status));
++    return Status;
++  }
++
++  Status = gRT->GetTime (&TimeStamp, NULL);
++  if (EFI_ERROR (Status)) {
++    return Status;
++  }
++
++  //
++  // copy the first 4 bytes of the hash result into the ISN
++  //
++  CopyMem (Isn, HashResult.Md5Hash, sizeof (*Isn));
++
++  //
++  // now add the timestamp to the ISN as 4 microseconds units (1000 / 4 = 250)
++  //
++  *Isn += (TCP_SEQNO)TimeStamp.Nanosecond * 250;
++
++  return Status;
+ }
+ 
+ /**
+@@ -721,17 +926,28 @@ TcpFormatNetbuf (
+   @param[in, out]  Tcb          Pointer to the TCP_CB that wants to initiate a
+                                 connection.
+ 
++  @retval EFI_SUCCESS             The operation completed successfully
++  @retval others                  The underlying functions failed and could not complete the operation
++
+ **/
+-VOID
++EFI_STATUS
+ TcpOnAppConnect (
+   IN OUT TCP_CB  *Tcb
+   )
+ {
+-  TcpInitTcbLocal (Tcb);
++  EFI_STATUS  Status;
++
++  Status = TcpInitTcbLocal (Tcb);
++  if (EFI_ERROR (Status)) {
++    return Status;
++  }
++
+   TcpSetState (Tcb, TCP_SYN_SENT);
+ 
+   TcpSetTimer (Tcb, TCP_TIMER_CONNECT, Tcb->ConnectTimeout);
+   TcpToSendData (Tcb, 1);
++
++  return EFI_SUCCESS;
+ }
+ 
+ /**
+diff --git a/NetworkPkg/TcpDxe/TcpTimer.c b/NetworkPkg/TcpDxe/TcpTimer.c
+index 5d2e124977..065b1bdf5f 100644
+--- a/NetworkPkg/TcpDxe/TcpTimer.c
++++ b/NetworkPkg/TcpDxe/TcpTimer.c
+@@ -2,7 +2,7 @@
+   TCP timer related functions.
+ 
+   Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
+-
++  Copyright (c) Microsoft Corporation
+   SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ **/
+@@ -483,7 +483,6 @@ TcpTickingDpc (
+   INT16       Index;
+ 
+   mTcpTick++;
+-  mTcpGlobalIss += TCP_ISS_INCREMENT_2;
+ 
+   //
+   // Don't use LIST_FOR_EACH, which isn't delete safe.
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0001.patch

@@ -0,0 +1,78 @@
+From cf07238e5fa4f8b1138ac1c9e80530b4d4e59f1c Mon Sep 17 00:00:00 2001
+From: Pierre Gondois <pierre.gondois@arm.com>
+Date: Fri, 11 Aug 2023 16:33:06 +0200
+Subject: [PATCH] MdePkg/Rng: Add GUID to describe Arm Rndr Rng algorithms
+
+BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4441
+
+The EFI_RNG_PROTOCOL can rely on the RngLib. The RngLib has multiple
+implementations, some of them are unsafe (e.g. BaseRngLibTimerLib).
+To allow the RngDxe to detect when such implementation is used,
+a GetRngGuid() function is added in a following patch.
+
+Prepare GetRngGuid() return values and add a gEfiRngAlgorithmArmRndr
+to describe a Rng algorithm accessed through Arm's RNDR instruction.
+[1] states that the implementation of this algorithm should be
+compliant to NIST SP900-80. The compliance is not guaranteed.
+
+[1] Arm Architecture Reference Manual Armv8, for A-profile architecture
+sK12.1 'Properties of the generated random number'
+
+Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
+Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
+Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Tested-by: Kun Qin <kun.qin@microsoft.com>
+
+CVE: CVE-2023-45237
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/cf07238e5fa4f8b1138ac1c9e80530b4d4e59f1c]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ MdePkg/Include/Protocol/Rng.h | 10 ++++++++++
+ MdePkg/MdePkg.dec             |  1 +
+ 2 files changed, 11 insertions(+)
+
+diff --git a/MdePkg/Include/Protocol/Rng.h b/MdePkg/Include/Protocol/Rng.h
+index baf425587b..38bde53240 100644
+--- a/MdePkg/Include/Protocol/Rng.h
++++ b/MdePkg/Include/Protocol/Rng.h
+@@ -67,6 +67,15 @@ typedef EFI_GUID EFI_RNG_ALGORITHM;
+   { \
+     0xe43176d7, 0xb6e8, 0x4827, {0xb7, 0x84, 0x7f, 0xfd, 0xc4, 0xb6, 0x85, 0x61 } \
+   }
++///
++/// The Arm Architecture states the RNDR that the DRBG algorithm should be compliant
++/// with NIST SP800-90A, while not mandating a particular algorithm, so as to be
++/// inclusive of different geographies.
++///
++#define EFI_RNG_ALGORITHM_ARM_RNDR \
++  { \
++    0x43d2fde3, 0x9d4e, 0x4d79,  {0x02, 0x96, 0xa8, 0x9b, 0xca, 0x78, 0x08, 0x41} \
++  }
+ 
+ /**
+   Returns information about the random number generation implementation.
+@@ -146,5 +155,6 @@ extern EFI_GUID  gEfiRngAlgorithmSp80090Ctr256Guid;
+ extern EFI_GUID  gEfiRngAlgorithmX9313DesGuid;
+ extern EFI_GUID  gEfiRngAlgorithmX931AesGuid;
+ extern EFI_GUID  gEfiRngAlgorithmRaw;
++extern EFI_GUID  gEfiRngAlgorithmArmRndr;
+ 
+ #endif
+diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
+index 59b405928b..a449dbc556 100644
+--- a/MdePkg/MdePkg.dec
++++ b/MdePkg/MdePkg.dec
+@@ -594,6 +594,7 @@
+   gEfiRngAlgorithmX9313DesGuid       = { 0x63c4785a, 0xca34, 0x4012, {0xa3, 0xc8, 0x0b, 0x6a, 0x32, 0x4f, 0x55, 0x46 }}
+   gEfiRngAlgorithmX931AesGuid        = { 0xacd03321, 0x777e, 0x4d3d, {0xb1, 0xc8, 0x20, 0xcf, 0xd8, 0x88, 0x20, 0xc9 }}
+   gEfiRngAlgorithmRaw                = { 0xe43176d7, 0xb6e8, 0x4827, {0xb7, 0x84, 0x7f, 0xfd, 0xc4, 0xb6, 0x85, 0x61 }}
++  gEfiRngAlgorithmArmRndr            = { 0x43d2fde3, 0x9d4e, 0x4d79, {0x02, 0x96, 0xa8, 0x9b, 0xca, 0x78, 0x08, 0x41 }}
+ 
+   ## Include/Protocol/AdapterInformation.h
+   gEfiAdapterInfoMediaStateGuid       = { 0xD7C74207, 0xA831, 0x4A26, {0xB1, 0xF5, 0xD1, 0x93, 0x06, 0x5C, 0xE8, 0xB6 }}
+-- 
+2.40.0
+

meta/recipes-core/ovmf/ovmf_git.bb

@@ -27,6 +27,34 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
            file://0006-reproducible.patch \
            file://0001-BaseTools-fix-gcc12-warning.patch \
            file://0001-BaseTools-fix-gcc12-warning-1.patch \
+           file://CVE-2022-36763-0001.patch \
+           file://CVE-2022-36763-0002.patch \
+           file://CVE-2022-36763-0003.patch \
+           file://CVE-2022-36764-0001.patch \
+           file://CVE-2022-36764-0002.patch \
+           file://CVE-2022-36764-0003.patch \
+           file://CVE-2023-45230-0001.patch \
+           file://CVE-2023-45230-0002.patch \
+           file://CVE-2023-45231-0001.patch \
+           file://CVE-2023-45231-0002.patch \
+           file://CVE-2023-45232-CVE-2023-45233-0001.patch \
+           file://CVE-2023-45232-CVE-2023-45233-0002.patch \
+           file://CVE-2023-45234-0001.patch \
+           file://CVE-2023-45234-0002.patch \
+           file://CVE-2023-45235-0001.patch \
+           file://CVE-2023-45235-0002.patch \
+           file://CVE-2023-45229-0001.patch \
+           file://CVE-2023-45229-0002.patch \
+           file://CVE-2023-45229-0003.patch \
+           file://CVE-2023-45229-0004.patch \
+           file://CVE-2023-45237-0001.patch \
+           file://CVE-2023-45237-0002.patch \
+           file://CVE-2023-45236.patch \
+           file://CVE-2022-36765-0001.patch \
+           file://CVE-2022-36765-0002.patch \
+           file://CVE-2022-36765-0003.patch \
+           file://0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch \
+           file://0001-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch \
            "
 
 PV = "edk2-stable202202"
@@ -212,6 +240,7 @@ do_compile:class-target() {
 
 do_install:class-native() {
     install -d ${D}/${bindir}/edk2_basetools
+    find ${S}/BaseTools -name \*.pyc -exec rm -rf \{\} \;
     cp -r ${S}/BaseTools ${D}/${bindir}/${EDK_TOOLS_DIR}
 }
 

meta/recipes-core/udev/udev-extraconf/network.sh

@@ -6,38 +6,6 @@ echo "$INTERFACE" | grep -q wifi && exit 0
 # udevd does clearenv(). Export shell PATH to children.
 export PATH
 
-# Check if /etc/init.d/network has been run yet to see if we are 
-# called by starting /etc/rcS.d/S03udev and not by hotplugging a device
-#
-# At this stage, network interfaces should not be brought up
-# automatically because:
-# a)	/etc/init.d/network has not been run yet (security issue)
-# b) 	/var has not been populated yet so /etc/resolv,conf points to 
-#	oblivion, making the network unusable
-#
-
-spoofp="`grep ^spoofprotect /etc/network/options`"
-if test -z "$spoofp"
-then
-	# This is the default from /etc/init.d/network
-	spoofp_val=yes
-else
-	spoofp_val=${spoofp#spoofprotect=}
-fi
-
-test "$spoofp_val" = yes && spoofp_val=1 || spoofp_val=0
-
-# I think it is safe to assume that "lo" will always be there ;)
-if test "`cat /proc/sys/net/ipv4/conf/lo/rp_filter`" != "$spoofp_val" -a -n "$spoofp_val"
-then
-	echo "$INTERFACE" >> /dev/udev_network_queue	
-	exit 0
-fi
-
-#
-# Code taken from pcmcia-cs:/etc/pcmcia/network
-#
-
 # if this interface has an entry in /etc/network/interfaces, let ifupdown
 # handle it
 if grep -q "iface \+$INTERFACE" /etc/network/interfaces; then

meta/recipes-devtools/llvm/llvm_git.bb

@@ -94,6 +94,8 @@ EXTRA_OECMAKE:append:class-nativesdk = "\
                   -DLLVM_TABLEGEN=${STAGING_BINDIR_NATIVE}/llvm-tblgen${PV} \
                   -DLLVM_CONFIG_PATH=${STAGING_BINDIR_NATIVE}/llvm-config${PV} \
                  "
+# Unless DEBUG_BUILD is enabled, pass -g1 to massively reduce the size of the debug symbols
+DEBUG_FLAGS:append = "${@oe.utils.vartrue('DEBUG_BUILD', '', ' -g1', d)}"
 
 do_configure:prepend() {
 # Fix paths in llvm-config

meta/recipes-devtools/ninja/ninja/885b4efb41c039789b81f0dc0d67c1ed0faea17c.patch

@@ -0,0 +1,62 @@
+From 9cf13cd1ecb7ae649394f4133d121a01e191560b Mon Sep 17 00:00:00 2001
+From: Byoungchan Lee <byoungchan.lee@gmx.com>
+Date: Mon, 9 Oct 2023 20:13:20 +0900
+Subject: [PATCH 1/2] Replace pipes.quote with shlex.quote in configure.py
+
+Python 3.12 deprecated the pipes module and it will be removed
+in Python 3.13. In configure.py, I have replaced the usage of pipes.quote
+with shlex.quote, which is the exactly same function as pipes.quote.
+
+For more details, refer to PEP 0594: https://peps.python.org/pep-0594
+
+Upstream-Status: Backport [https://github.com/ninja-build/ninja/commit/885b4efb41c039789b81f0dc0d67c1ed0faea17c]
+
+Signed-off-by: Markus Volk <f_l_k@t-online.de>
+---
+ configure.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure.py b/configure.py
+index 588250aa8a..c6973cd1a5 100755
+--- a/configure.py
++++ b/configure.py
+@@ -21,7 +21,7 @@
+ 
+ from optparse import OptionParser
+ import os
+-import pipes
++import shlex
+ import string
+ import subprocess
+ import sys
+@@ -262,7 +262,7 @@ def _run_command(self, cmdline):
+ env_keys = set(['CXX', 'AR', 'CFLAGS', 'CXXFLAGS', 'LDFLAGS'])
+ configure_env = dict((k, os.environ[k]) for k in os.environ if k in env_keys)
+ if configure_env:
+-    config_str = ' '.join([k + '=' + pipes.quote(configure_env[k])
++    config_str = ' '.join([k + '=' + shlex.quote(configure_env[k])
+                            for k in configure_env])
+     n.variable('configure_env', config_str + '$ ')
+ n.newline()
+
+From 0a9c9c5f50c60de4a7acfed8aaa048c74cd2f43b Mon Sep 17 00:00:00 2001
+From: Byoungchan Lee <byoungchan.lee@gmx.com>
+Date: Mon, 9 Oct 2023 20:13:50 +0900
+Subject: [PATCH 2/2] Remove unused module string in configure.py
+
+---
+ configure.py | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/configure.py b/configure.py
+index c6973cd1a5..939153df60 100755
+--- a/configure.py
++++ b/configure.py
+@@ -22,7 +22,6 @@
+ from optparse import OptionParser
+ import os
+ import shlex
+-import string
+ import subprocess
+ import sys
+ 

meta/recipes-devtools/ninja/ninja_1.10.2.bb

@@ -8,7 +8,10 @@ DEPENDS = "re2c-native ninja-native"
 
 SRCREV = "e72d1d581c945c158ed68d9bc48911063022a2c6"
 
-SRC_URI = "git://github.com/ninja-build/ninja.git;branch=release;protocol=https"
+SRC_URI = " \
+	git://github.com/ninja-build/ninja.git;branch=release;protocol=https \
+	file://885b4efb41c039789b81f0dc0d67c1ed0faea17c.patch \
+"
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.*)"
 
 S = "${WORKDIR}/git"

meta/recipes-devtools/python/python3-pip/CVE-2023-5752.patch

@@ -0,0 +1,34 @@
+From b16dd80c50deaa4753045d93ed281d348509293f Mon Sep 17 00:00:00 2001
+From: Pradyun Gedam <pradyunsg@users.noreply.github.com>
+Date: Sun, 1 Oct 2023 14:10:25 +0100
+Subject: [PATCH] Use `-r=...` instead of `-r ...` for hg
+
+This ensures that the resulting revision can not be misinterpreted as an
+option.
+
+Upstream-Status: Backport
+[https://github.com/pypa/pip/pull/12306/commits/389cb799d0da9a840749fcd14878928467ed49b4]
+
+CVE: CVE-2023-5752
+
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ src/pip/_internal/vcs/mercurial.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pip/_internal/vcs/mercurial.py b/src/pip/_internal/vcs/mercurial.py
+index 2a005e0..e440c12 100644
+--- a/src/pip/_internal/vcs/mercurial.py
++++ b/src/pip/_internal/vcs/mercurial.py
+@@ -31,7 +31,7 @@ class Mercurial(VersionControl):
+ 
+     @staticmethod
+     def get_base_rev_args(rev: str) -> List[str]:
+-        return [rev]
++        return [f"-r={rev}"]
+ 
+     def fetch_new(
+         self, dest: str, url: HiddenText, rev_options: RevOptions, verbosity: int
+-- 
+2.25.1
+

meta/recipes-devtools/python/python3-pip_22.0.3.bb

@@ -34,9 +34,11 @@ LIC_FILES_CHKSUM = "\
 
 inherit pypi python_setuptools_build_meta
 
-SRC_URI += "file://0001-change-shebang-to-python3.patch"
-SRC_URI += "file://no_shebang_mangling.patch"
-SRC_URI += "file://reproducible.patch"
+SRC_URI += "file://0001-change-shebang-to-python3.patch \
+            file://no_shebang_mangling.patch \
+            file://reproducible.patch \
+            file://CVE-2023-5752.patch \
+           "
 
 SRC_URI[sha256sum] = "f29d589df8c8ab99c060e68ad294c4a9ed896624f6368c5349d70aa581b333d0"