azurelinux-security · azurelinux-security · Jan 6, 2026
diff --git a/SPECS/hvloader/CVE-2025-2295.patch b/SPECS/hvloader/CVE-2025-2295.patch
@@ -0,0 +1,54 @@
+From 3547c3abd37d9319c4db82f2bc12f69ad4ff05ab Mon Sep 17 00:00:00 2001
+From: Madhavan <madavtechy@gmail.com>
+Date: Fri, 14 Mar 2025 14:15:13 -0400
+Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for Remote Memory Exposure in ISCSI
+ bz4206
+
+Used SafeUint32Add to calculate and validate OutTransferLength with
+boundary check in IScsiOnR2TRcvd to avoid integer overflow
+
+Signed-off-by: Madhavan <madavtechy@gmail.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/tianocore/edk2/commit/17cdc512f02a2dfd1b9e24133da56fdda099abda.patch
+---
+ NetworkPkg/IScsiDxe/IScsiProto.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
+index ef587649..e9f3fa7c 100644
+--- a/NetworkPkg/IScsiDxe/IScsiProto.c
++++ b/NetworkPkg/IScsiDxe/IScsiProto.c
+@@ -1,7 +1,7 @@
+ /** @file
+   The implementation of iSCSI protocol based on RFC3720.
+
+-Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
++Copyright (c) 2004 - 2025, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ **/
+@@ -2682,6 +2682,7 @@ IScsiOnR2TRcvd (
+   EFI_STATUS               Status;
+   ISCSI_XFER_CONTEXT       *XferContext;
+   UINT8                    *Data;
++  UINT32                   TransferLength;
+
+   R2THdr = (ISCSI_READY_TO_TRANSFER *)NetbufGetByte (Pdu, 0, NULL);
+   if (R2THdr == NULL) {
+@@ -2712,7 +2713,12 @@ IScsiOnR2TRcvd (
+   XferContext->Offset            = R2THdr->BufferOffset;
+   XferContext->DesiredLength     = R2THdr->DesiredDataTransferLength;
+
+-  if (((XferContext->Offset + XferContext->DesiredLength) > Packet->OutTransferLength) ||
++  Status = SafeUint32Add (XferContext->Offset, XferContext->DesiredLength, &TransferLength);
++  if (EFI_ERROR (Status)) {
++    return EFI_PROTOCOL_ERROR;
++  }
++
++  if ((TransferLength > Packet->OutTransferLength) ||
+       (XferContext->DesiredLength > Tcb->Conn->Session->MaxBurstLength)
+       )
+   {
+-- 
+2.45.4
+
diff --git a/SPECS/hvloader/hvloader.spec b/SPECS/hvloader/hvloader.spec
@@ -4,7 +4,7 @@
 Summary:        HvLoader.efi is an EFI application for loading an external hypervisor loader.
 Name:           hvloader
 Version:        1.0.1
-Release:        15%{?dist}
+Release:        16%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -36,6 +36,7 @@ Patch18: 	CVE-2023-45236.patch
 Patch19: 	CVE-2024-38796.patch
 Patch20:  	CVE-2025-3770.patch
 Patch21:        CVE-2025-2296.patch
+Patch22:        CVE-2025-2295.patch
 
 BuildRequires:  bc
 BuildRequires:  gcc
@@ -81,6 +82,9 @@ cp ./Build/MdeModule/RELEASE_GCC5/X64/MdeModulePkg/Application/%{name_github}-%{
 /boot/efi/HvLoader.efi
 
 %changelog
+* Tue Jan 06 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.0.1-16
+- Patch for CVE-2025-2295
+
 * Wed Nov 20 2025 Jyoti kanase <v-jykanase@microsoft.com> - 1.0.1-15
 - Patch for CVE-2025-2296