From 644c8aab9d453f661b9233ea4b709c5958641fc2 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Mon, 5 Jan 2026 19:48:00 +0000
Subject: [PATCH] Patch edk2 for CVE-2025-2295
---
 SPECS/edk2/CVE-2025-2295.patch | 54 ++++++++++++++++++++++++++++++++++
 SPECS/edk2/edk2.spec | 6 +++-
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/edk2/CVE-2025-2295.patch
diff --git a/SPECS/edk2/CVE-2025-2295.patch b/SPECS/edk2/CVE-2025-2295.patch
new file mode 100644
index 00000000000..43b746c7b14
--- /dev/null
+++ b/SPECS/edk2/CVE-2025-2295.patch
@@ -0,0 +1,54 @@
+From 7fe53cd8c73a4f62a51be20d33790f8307e83eeb Mon Sep 17 00:00:00 2001
+From: Madhavan
+Date: Fri, 14 Mar 2025 14:15:13 -0400
+Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for Remote Memory Exposure in ISCSI
+ bz4206
+
+Used SafeUint32Add to calculate and validate OutTransferLength with
+boundary check in IScsiOnR2TRcvd to avoid integer overflow
+
+Signed-off-by: Madhavan
+Signed-off-by: rpm-build
+Upstream-reference: https://github.com/tianocore/edk2/commit/17cdc512f02a2dfd1b9e24133da56fdda099abda.patch
+---
+ NetworkPkg/IScsiDxe/IScsiProto.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
+index ef58764..fb48e63 100644
+--- a/NetworkPkg/IScsiDxe/IScsiProto.c
++++ b/NetworkPkg/IScsiDxe/IScsiProto.c
+@@ -1,7 +1,7 @@
+ /** @file
+ The implementation of iSCSI protocol based on RFC3720.
+
+-Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) 2004 - 2025, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ **/
+@@ -2682,6 +2682,7 @@ IScsiOnR2TRcvd (
+ EFI_STATUS Status;
+ ISCSI_XFER_CONTEXT *XferContext;
+ UINT8 *Data;
++ UINT32 TransferLength;
+
+ R2THdr = (ISCSI_READY_TO_TRANSFER *)NetbufGetByte (Pdu, 0, NULL);
+ if (R2THdr == NULL) {
+@@ -2712,7 +2713,12 @@ IScsiOnR2TRcvd (
+ XferContext->Offset = R2THdr->BufferOffset;
+ XferContext->DesiredLength = R2THdr->DesiredDataTransferLength;
+
+- if (((XferContext->Offset + XferContext->DesiredLength) > Packet->OutTransferLength) ||
++ Status = SafeUint32Add (XferContext->Offset, XferContext->DesiredLength, &TransferLength);
++ if (EFI_ERROR (Status)) {
++ return EFI_PROTOCOL_ERROR;
++ }
++
++ if ((TransferLength > Packet->OutTransferLength) ||
+ (XferContext->DesiredLength > Tcb->Conn->Session->MaxBurstLength)
+ )
+ {
+--
+2.45.4
+
diff --git a/SPECS/edk2/edk2.spec b/SPECS/edk2/edk2.spec
index 98ced46fe11..406b62b6e31 100644
--- a/SPECS/edk2/edk2.spec
+++ b/SPECS/edk2/edk2.spec
@@ -55,7 +55,7 @@ ExclusiveArch: x86_64
 Name: edk2
 Version: %{GITDATE}git%{GITCOMMIT}
-Release: 11%{?dist}
+Release: 12%{?dist}
 Summary: UEFI firmware for 64-bit virtual machines
 License: Apache-2.0 AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-Patent AND BSD-3-Clause AND BSD-4-Clause AND ISC AND MIT AND LicenseRef-Fedora-Public-Domain
 URL: https://www.tianocore.org
@@ -141,6 +141,7 @@ Patch1004: CVE-2024-2511.patch
 Patch1005: CVE-2024-4603.patch
 Patch1006: CVE-2025-3770.patch
 Patch1007: CVE-2025-9230.patch
+Patch1008: CVE-2025-2295.patch
 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
@@ -802,6 +803,9 @@ done
 /boot/efi/HvLoader.efi
 %changelog
+* Mon Jan 05 2026 Azure Linux Security Servicing Account - 20240524git3e722403cd16-12
+- Patch for CVE-2025-2295
+
 * Tue Nov 19 2025 Jyoti kanase - 20240524git3e722403cd16-11
 - Patch for CVE-2025-2296
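Review bot: The SafeUint32Add guard added in the `@@ -2712,7 +2713,12 @@` hunk of IScsiProto.c carries no comment, so nothing at the call site says that both operands are copied from the received R2T header (`R2THdr->BufferOffset`, `R2THdr->DesiredDataTransferLength`) and that a wrapped sum would pass the `Packet->OutTransferLength` comparison. I would add above the call `// Offset and DesiredLength come from the peer's R2T PDU; reject a sum that wraps UINT32 before comparing it with OutTransferLength.` The early `return EFI_PROTOCOL_ERROR;` is also silent; if this file already uses DebugLib (not visible in the hunk), a `DEBUG ((DEBUG_ERROR, ...))` line before the return would make a rejected R2T show up in firmware debug output. IScsiOnR2TRcvd starts and ends outside the hunk, so how the caller handles the returned status cannot be confirmed from here.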