Package: edk2 / 2022.11-6+deb12u2

Metadata

Package: edk2
Version: 2022.11-6+deb12u2
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
no stack protector all archs.diff

BaseTools/Conf/tools_def.template | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 pass -fno-stack-protector to all gcc toolchains
 The upstream build rules inexplicably pass -fno-stack-protector only
 when building for i386 and amd64.  Add this essential argument to the
 generic rules for gcc 4.8 and later.
Last-Updated: 2019-03-14
brotlicompress disable.diff

BaseTools/Source/C/GNUmakefile | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

 do not attempt to compile removed brotlicompress source
 BrotliCompress is not currently used, and including an embedded
 copy of its source could cause false-positives when scanning for
 security issues. This code is stripped from our orig.tar (at the request
 of the Ubuntu security team), so we also need to disable the build.
x64 baseline abi.patch

BaseTools/Conf/tools_def.template | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 explicitly target generic x86-64 abi
 The system compiler may be configured to target a higher x86-64 psABI by
 default, so explicitly target the generic psABI to retain compatibility
 with older machine types.
Revert ArmVirtPkg make EFI_LOADER_DATA non executabl.patch

ArmVirtPkg/ArmVirt.dsc.inc | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 revert "armvirtpkg: make efi_loader_data non-executable"
 The versions of GRUB most distros are shipping still depend on executable
 EFI_LOADER_DATA. Revert this upstream change until the necessary fixes are
 more generally available.
0001 ArmVirtPkg ArmPlatformLibQemu Ensure that VFP is on .patch

ArmVirtPkg/Library/ArmPlatformLibQemu/AArch64/ArmPlatformHelper.S | 12 5 + 7 - 0 !
1 file changed, 5 insertions(+), 7 deletions(-)

 [patch 1/2] armvirtpkg/armplatformlibqemu: ensure that vfp is on
 before running C code

Now that we build the early code without strict alignment and without
suppressing the use of SIMD registers, ensure that the VFP unit is on
before entering C code.

While at it, simplify the mov_i macro, which is only used for 32-bit
quantities.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>

0002 ArmVirtPkg ArmVirtQemu Avoid early ID map on Thunder.patch

ArmVirtPkg/ArmVirtQemu.dsc | 5 5 + 0 - 0 !
ArmVirtPkg/Library/ArmPlatformLibQemu/AArch64/ArmPlatformHelper.S | 15 15 + 0 - 0 !
2 files changed, 20 insertions(+)

 [patch 2/2] armvirtpkg/armvirtqemu: avoid early id map on thunderx

The early ID map used by ArmVirtQemu uses ASID scoped non-global
mappings, as this allows us to switch to the permanent ID map seamlessly
without the need for explicit TLB maintenance.

However, this triggers a known erratum on ThunderX, which does not
tolerate non-global mappings that are executable at EL1, as this appears
to result in I-cache corruption. (Linux disables the KPTI based Meltdown
mitigation on ThunderX for the same reason)

So work around this, by detecting the CPU implementor and part number,
and proceeding without the early ID map if a ThunderX CPU is detected.

Note that this requires the C code to be built with strict alignment
again, as we may end up executing it with the MMU and caches off.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>

0001 SecurityPkg DxeTpm2MeasureBootLib SECURITY PATCH 411.patch

SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c | 69 40 + 29 - 0 !
SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf | 4 3 + 1 - 0 !
SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c | 275 275 + 0 - 0 !
SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h | 113 113 + 0 - 0 !
SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c | 303 303 + 0 - 0 !
SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf | 28 28 + 0 - 0 !
SecurityPkg/SecurityPkg.ci.yaml | 1 1 + 0 - 0 !
SecurityPkg/Test/SecurityPkgHostTest.dsc | 1 1 + 0 - 0 !
8 files changed, 764 insertions(+), 30 deletions(-)

 [patch 1/8] securitypkg: dxetpm2measurebootlib: security patch 4117 -
 CVE 2022-36763

This commit contains the patch files and tests for DxeTpm2MeasureBootLib
CVE 2022-36763.

Cc: Jiewen Yao <jiewen.yao@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
[ dannf: adjusted context in SecurityPkg/Test/SecurityPkgHostTest.dsc ]


0002 SecurityPkg DxeTpmMeasureBootLib SECURITY PATCH 4117.patch

SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c | 40 27 + 13 - 0 !
SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf | 4 3 + 1 - 0 !
SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c | 241 241 + 0 - 0 !
SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h | 114 114 + 0 - 0 !
SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c | 301 301 + 0 - 0 !
SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf | 28 28 + 0 - 0 !
SecurityPkg/SecurityPkg.ci.yaml | 1 1 + 0 - 0 !
SecurityPkg/Test/SecurityPkgHostTest.dsc | 1 1 + 0 - 0 !
8 files changed, 716 insertions(+), 14 deletions(-)

 [patch 2/8] securitypkg: dxetpmmeasurebootlib: security patch 4117 -
 CVE 2022-36763

This commit contains the patch files and tests for DxeTpmMeasureBootLib
CVE 2022-36763.

Cc: Jiewen Yao <jiewen.yao@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
0003 SecurityPkg Adding CVE 2022 36763 to SecurityFixes.y.patch

SecurityPkg/SecurityFixes.yaml | 22 22 + 0 - 0 !
1 file changed, 22 insertions(+)

 [patch 3/8] securitypkg: : adding cve 2022-36763 to
 SecurityFixes.yaml

This creates / adds a security file that tracks the security fixes
found in this package and can be used to find the fixes that were
applied.

Cc: Jiewen Yao <jiewen.yao@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
0001 SecurityPkg DxeTpm2MeasureBootLib SECURITY PATCH 411 2.patch

SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c | 12 8 + 4 - 0 !
SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c | 46 45 + 1 - 0 !
SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h | 28 27 + 1 - 0 !
SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c | 60 51 + 9 - 0 !
4 files changed, 131 insertions(+), 15 deletions(-)

 [patch 4/8] securitypkg: dxetpm2measurebootlib: security patch 4118 -
 CVE 2022-36764

This commit contains the patch files and tests for DxeTpm2MeasureBootLib
CVE 2022-36764.

Cc: Jiewen Yao <jiewen.yao@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
0002 SecurityPkg DxeTpmMeasureBootLib SECURITY PATCH 4118.patch

SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c | 13 9 + 4 - 0 !
SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c | 44 44 + 0 - 0 !
SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h | 23 23 + 0 - 0 !
SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c | 98 92 + 6 - 0 !
4 files changed, 168 insertions(+), 10 deletions(-)

 [patch 5/8] securitypkg: dxetpmmeasurebootlib: security patch 4118 -
 CVE 2022-36764

This commit contains the patch files and tests for DxeTpmMeasureBootLib
CVE 2022-36764.

Cc: Jiewen Yao <jiewen.yao@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
0003 SecurityPkg Adding CVE 2022 36764 to SecurityFixes.y.patch

SecurityPkg/SecurityFixes.yaml | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

 [patch 6/8] securitypkg: : adding cve 2022-36764 to
 SecurityFixes.yaml

This creates / adds a security file that tracks the security fixes
found in this package and can be used to find the fixes that were
applied.

Cc: Jiewen Yao <jiewen.yao@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
0001 SecurityPkg DxeTpm2MeasureBootLib SECURITY PATCH 411 3.patch

SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c | 8 4 + 4 - 0 !
SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c | 8 4 + 4 - 0 !
SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h | 8 4 + 4 - 0 !
SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c | 26 13 + 13 - 0 !
4 files changed, 25 insertions(+), 25 deletions(-)

 [patch 1/3] securitypkg: dxetpm2measurebootlib: security patch
 4117/4118 symbol rename

Updates the sanitation function names to be lib unique names

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Message-Id: <7b18434c8a8b561654efd40ced3becb8b378c8f1.1705529990.git.doug.edk2@gmail.com>
0002 SecurityPkg DxeTpmMeasureBootLib SECURITY PATCH 4117 2.patch

SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c | 8 4 + 4 - 0 !
SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c | 10 5 + 5 - 0 !
SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h | 8 4 + 4 - 0 !
SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c | 26 13 + 13 - 0 !
4 files changed, 26 insertions(+), 26 deletions(-)

 [patch 2/3] securitypkg: dxetpmmeasurebootlib: security patch
 4117/4118 symbol rename

Updates the sanitation function names to be lib unique names

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Message-Id: <355aa846a99ca6ac0f7574cf5982661da0d9fea6.1705529990.git.doug.edk2@gmail.com>
0003 SecurityPkg Updating SecurityFixes.yaml after symbol.patch

SecurityPkg/SecurityFixes.yaml | 28 17 + 11 - 0 !
1 file changed, 17 insertions(+), 11 deletions(-)

 [patch 3/3] securitypkg: : updating securityfixes.yaml after symbol
 rename

Adding the new commit titles for the symbol renames

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Message-Id: <5e0e851e97459e183420178888d4fcdadc2f1ae1.1705529990.git.doug.edk2@gmail.com>
0001 UefiPayloadPkg Hob Integer Overflow in CreateHob.patch

UefiPayloadPkg/Library/PayloadEntryHobLib/Hob.c | 43 43 + 0 - 0 !
UefiPayloadPkg/UefiPayloadEntry/UniversalPayloadEntry.c | 8 5 + 3 - 0 !
2 files changed, 48 insertions(+), 3 deletions(-)

 [patch 8/8] uefipayloadpkg/hob: integer overflow in createhob()

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4166

Fix integer overflow in various CreateHob instances.
Fixes: CVE-2022-36765

The CreateHob() function aligns the requested size to 8
performing the following operation:
```
HobLength = (UINT16)((HobLength + 0x7) & (~0x7));
```

No checks are performed to ensure this value doesn't
overflow, and could lead to CreateHob() returning a smaller
HOB than requested, which could lead to OOB HOB accesses.

Reported-by: Marc Beatove <mbeatove@google.com>
Cc: Guo Dong <guo.dong@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
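The rounding the commit message quotes is easy to reproduce in isolation. The following is an added example written for this page, not EDK2's CreateHob() or its fix: it keeps the quoted UINT16 expression next to a hardened form that does the arithmetic in 32 bits, and drives both through a toy HOB allocator (HobListDemo, CreateHobDemo and DemoGrantedSize are names invented here) so the effect is visible as a zero-length reservation for a near-maximum request.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the EDK2 base types; this example does not use the real PI
 * HOB definitions, it only reproduces the length arithmetic the commit quotes. */
typedef uint16_t UINT16;
typedef uint32_t UINT32;

/* Rounding exactly as quoted in the commit message.  HobLength is promoted to
 * int for the addition, so 0xFFF9..0xFFFF round up to 0x10000, and the cast
 * back to UINT16 keeps only the low 16 bits: zero. */
static UINT16
AlignHobLengthUnchecked (UINT16 HobLength)
{
  return (UINT16)((HobLength + 0x7) & (~0x7));
}

/* Hardened form (this example's own, not the EDK2 patch): round in 32 bits
 * and refuse any request whose aligned size no longer fits the 16-bit length
 * field.  Returns the aligned length, or -1 if it would have wrapped. */
static int32_t
AlignHobLengthChecked (UINT16 HobLength)
{
  UINT32 Aligned = ((UINT32)HobLength + 0x7) & ~(UINT32)0x7;
  if (Aligned > 0xFFFF) {
    return -1;
  }
  return (int32_t)Aligned;
}

/* Toy HOB region: FreeTop is the next free offset, Limit the end of the region. */
typedef struct {
  UINT32 FreeTop;
  UINT32 Limit;
} HobListDemo;

/* Reserve an aligned HOB.  Returns the number of bytes actually reserved, or
 * -1 when the request is refused.  With the unchecked rounding a 0xFFFA-byte
 * request "succeeds" with 0 bytes reserved, and a caller that then writes
 * HobLength bytes into it overruns the HOB list, which is the OOB access the
 * commit describes. */
static int32_t
CreateHobDemo (HobListDemo *List, UINT16 HobLength, int Checked)
{
  UINT32 Aligned;

  if (Checked) {
    int32_t A = AlignHobLengthChecked (HobLength);
    if (A < 0) {
      return -1;                              /* refused: would wrap */
    }
    Aligned = (UINT32)A;
  } else {
    Aligned = AlignHobLengthUnchecked (HobLength);
  }
  if (Aligned > List->Limit - List->FreeTop) {
    return -1;                                /* region exhausted */
  }
  List->FreeTop += Aligned;
  return (int32_t)Aligned;
}

/* Convenience wrapper: one request against a fresh 64 KiB region. */
static int32_t
DemoGrantedSize (UINT16 HobLength, int Checked)
{
  HobListDemo List = { 0, 0x10000 };
  return CreateHobDemo (&List, HobLength, Checked);
}

int
main (void)
{
  printf ("request 0xFFFA: unchecked reserves %d bytes, checked returns %d\n",
          DemoGrantedSize (0xFFFA, 0), DemoGrantedSize (0xFFFA, 1));
  return 0;
}
```

The checked variant is deliberately strict: a request that would round to 0x10000 is refused outright rather than clamped, because a HOB shorter than the caller asked for is exactly the condition that turns the subsequent memcpy into an out-of-bounds write.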
0001 NetworkPkg Dhcp6Dxe SECURITY PATCH CVE 2023 45230 Pa.patch

NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | 43 43 + 0 - 0 !
NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 409 276 + 133 - 0 !
NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c | 373 300 + 73 - 0 !
NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h | 82 49 + 33 - 0 !
4 files changed, 668 insertions(+), 239 deletions(-)

 [patch 01/15] networkpkg: dhcp6dxe: security patch cve-2023-45230
 Patch

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4535

Bug Details:
PixieFail Bug #2
CVE-2023-45230
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds
 of a Memory Buffer

Changes Overview:
> -UINT8 *
> +EFI_STATUS
>  Dhcp6AppendOption (
> -  IN OUT UINT8   *Buf,
> -  IN     UINT16  OptType,
> -  IN     UINT16  OptLen,
> -  IN     UINT8   *Data
> +  IN OUT EFI_DHCP6_PACKET  *Packet,
> +  IN OUT UINT8             **PacketCursor,
> +  IN     UINT16            OptType,
> +  IN     UINT16            OptLen,
> +  IN     UINT8             *Data
>    );

Dhcp6AppendOption() and variants can return errors now.  All callsites
are adapted accordingly.

It gets passed in EFI_DHCP6_PACKET as additional parameter ...

> +  //
> +  // Verify the PacketCursor is within the packet
> +  //
> +  if (  (*PacketCursor < Packet->Dhcp6.Option)
> +     || (*PacketCursor >= Packet->Dhcp6.Option +
 (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
> +  {
> +    return EFI_INVALID_PARAMETER;
> +  }
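Review bot: the range check on `*PacketCursor` only proves that the write position starts inside the option area; it does not bound `OptLen`, so a remaining-space check of the form `(Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))) - *PacketCursor >= OptLen + 4` (option-code and option-len, two bytes each, plus the data) has to follow before any byte is written. That check is the one that actually stops the long Server ID from overflowing, and it must be made against `Packet->Size` (the allocation) rather than `Packet->Length` (bytes used), with `Packet->Length` advanced only after the copy succeeds. Since a cursor sitting exactly at the end of a full packet is rejected here as EFI_INVALID_PARAMETER rather than as a space error, callers need to treat both statuses as fatal for the packet.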

... so it can look at Packet->Size when checking buffer space.
Also to allow Packet->Length updates.

Lots of checks added.

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
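To show why passing the packet alongside the cursor matters, here is an added example written for this page, not code from NetworkPkg: a toy DHCPv6 packet (Dhcp6PacketDemo, with Size and Length fields in the roles the commit describes, but not the real EFI_DHCP6_PACKET layout), the pre-patch shape of the append helper that only has a bare pointer, and a checked form that verifies the cursor and the remaining space before delegating to it. Dhcp6DemoServerId and the Demo* wrappers are names invented here; the option bytes are constructed filler.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DHCP6_HDR_LEN         4     /* msg-type + 3-byte transaction-id (RFC 8415) */
#define DHCP6_OPT_HDR_LEN     4     /* option-code + option-len, 16 bits each */
#define DHCP6_OPT_SERVERID    2
#define DEMO_OPTION_CAPACITY  1500

/* Toy packet: Size is the size of the allocation (header plus option area),
 * Length the bytes used so far.  Not the real EFI_DHCP6_PACKET layout. */
typedef struct {
  uint32_t Size;
  uint32_t Length;
  uint8_t  Header[DHCP6_HDR_LEN];
  uint8_t  Option[DEMO_OPTION_CAPACITY];
} Dhcp6PacketDemo;

typedef enum {
  APPEND_SUCCESS = 0,
  APPEND_INVALID_CURSOR,    /* cursor not inside the option area */
  APPEND_NO_SPACE           /* header + data would run past the allocation */
} AppendStatus;

/* The pre-patch shape: a bare pointer with no notion of the buffer's size,
 * so any OptLen is copied and the advanced pointer returned. */
static uint8_t *
Dhcp6AppendOptionUnchecked (uint8_t *Buf, uint16_t OptType, uint16_t OptLen, const uint8_t *Data)
{
  Buf[0] = (uint8_t)(OptType >> 8);
  Buf[1] = (uint8_t)OptType;
  Buf[2] = (uint8_t)(OptLen >> 8);
  Buf[3] = (uint8_t)OptLen;
  memcpy (Buf + DHCP6_OPT_HDR_LEN, Data, OptLen);
  return Buf + DHCP6_OPT_HDR_LEN + OptLen;
}

/* Hardened shape: the packet travels with the cursor, so the cursor position
 * and the remaining space are both checked before a byte is written, and
 * Packet->Length is updated only after the copy. */
static AppendStatus
Dhcp6AppendOptionChecked (Dhcp6PacketDemo *Packet, uint8_t **Cursor, uint16_t OptType,
                          uint16_t OptLen, const uint8_t *Data)
{
  uint8_t *Begin = Packet->Option;
  uint8_t *End   = Packet->Option + (Packet->Size - DHCP6_HDR_LEN);

  if (*Cursor < Begin || *Cursor >= End) {
    return APPEND_INVALID_CURSOR;
  }
  if ((size_t)(End - *Cursor) < (size_t)DHCP6_OPT_HDR_LEN + OptLen) {
    return APPEND_NO_SPACE;
  }
  *Cursor = Dhcp6AppendOptionUnchecked (*Cursor, OptType, OptLen, Data);
  Packet->Length = DHCP6_HDR_LEN + (uint32_t)(*Cursor - Packet->Option);
  return APPEND_SUCCESS;
}

/* Demo: fresh packet, one Server ID option of ServerIdLen constructed filler
 * bytes, then one more 1-byte option.  Reports both statuses and the Length. */
static void
Dhcp6DemoServerId (uint16_t ServerIdLen, AppendStatus *First, AppendStatus *Second, uint32_t *Length)
{
  static uint8_t       Filler[DEMO_OPTION_CAPACITY];
  static const uint8_t Extra[1] = { 0x00 };
  Dhcp6PacketDemo      Packet;
  uint8_t             *Cursor;

  memset (Filler, 0xAB, sizeof Filler);
  memset (&Packet, 0, sizeof Packet);
  Packet.Size   = sizeof Packet.Header + sizeof Packet.Option;
  Packet.Length = DHCP6_HDR_LEN;
  Cursor        = Packet.Option;

  *First  = Dhcp6AppendOptionChecked (&Packet, &Cursor, DHCP6_OPT_SERVERID, ServerIdLen, Filler);
  *Second = Dhcp6AppendOptionChecked (&Packet, &Cursor, 0xFFFF, 1, Extra);
  *Length = Packet.Length;
}

static int      DemoFirstStatus  (uint16_t Len) { AppendStatus a, b; uint32_t l; Dhcp6DemoServerId (Len, &a, &b, &l); return (int)a; }
static int      DemoSecondStatus (uint16_t Len) { AppendStatus a, b; uint32_t l; Dhcp6DemoServerId (Len, &a, &b, &l); return (int)b; }
static uint32_t DemoLength       (uint16_t Len) { AppendStatus a, b; uint32_t l; Dhcp6DemoServerId (Len, &a, &b, &l); return l; }

int
main (void)
{
  printf ("Server ID of 1497 bytes: status %d, packet length %u\n",
          DemoFirstStatus (1497), (unsigned)DemoLength (1497));
  return 0;
}
```

Note that the copy itself is unchanged between the two forms; what the patch shape buys is that the size information reaches the function that does the write, so a Server ID whose length field exceeds the room left is refused instead of being copied past the end of the allocation.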
0002 NetworkPkg Add Unit tests to CI and create Host Test.patch

NetworkPkg/NetworkPkg.ci.yaml | 7 6 + 1 - 0 !
NetworkPkg/Test/NetworkPkgHostTest.dsc | 98 98 + 0 - 0 !
2 files changed, 104 insertions(+), 1 deletion(-)

 [patch 02/15] networkpkg: : add unit tests to ci and create host test
 DSC

Adds Host Based testing to the NetworkPkg

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
0003 NetworkPkg Dhcp6Dxe SECURITY PATCH CVE 2023 45230 Un.patch

NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.cpp | 20 20 + 0 - 0 !
NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf | 43 43 + 0 - 0 !
NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp | 478 478 + 0 - 0 !
NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 1 + 0 - 0 !
4 files changed, 542 insertions(+)

 [patch 03/15] networkpkg: dhcp6dxe: security patch cve-2023-45230
 Unit Tests

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4535

Confirms that the reported issue...

"Buffer overflow in the DHCPv6 client via a long Server ID option"

..has been corrected by the provided patch.

Tests the following functions to ensure they appropriately handle
untrusted data (either too long or too small) to prevent a buffer
overflow:

Dhcp6AppendOption
Dhcp6AppendETOption
Dhcp6AppendIaOption

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
0004 NetworkPkg Dhcp6Dxe SECURITY PATCH CVE 2023 45229 Pa.patch

NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | 138 119 + 19 - 0 !
NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 203 137 + 66 - 0 !
2 files changed, 256 insertions(+), 85 deletions(-)

 [patch 04/15] networkpkg: dhcp6dxe: security patch cve-2023-45229
 Patch

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534

Bug Details:
PixieFail Bug #1
CVE-2023-45229
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read

Change Overview:

Introduce Dhcp6SeekInnerOptionSafe which performs checks before seeking
the Inner Option from a DHCP6 Option.

>
> EFI_STATUS
> Dhcp6SeekInnerOptionSafe (
>  IN  UINT16  IaType,
>  IN  UINT8   *Option,
>  IN  UINT32  OptionLen,
>  OUT UINT8   **IaInnerOpt,
>  OUT UINT16  *IaInnerLen
>  );
>

Lots of code cleanup to improve code readability.

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
0005 NetworkPkg Dhcp6Dxe SECURITY PATCH CVE 2023 45229 Un.patch

NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 2 1 + 1 - 0 !
NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6DxeGoogleTest.inf | 1 1 + 0 - 0 !
NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp | 365 363 + 2 - 0 !
NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.h | 58 58 + 0 - 0 !
NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 1 + 0 - 0 !
5 files changed, 424 insertions(+), 3 deletions(-)

 [patch 05/15] networkpkg: dhcp6dxe: security patch cve-2023-45229
 Unit Tests

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534

These tests confirm that the reported bug...

"Out-of-bounds read when processing IA_NA/IA_TA options in a
DHCPv6 Advertise message"

..has been patched.

The following functions are tested to confirm an out of bounds read is
patched and that the correct statuses are returned:

Dhcp6SeekInnerOptionSafe
Dhcp6SeekStsOption

TCBZ4534
CVE-2023-45229
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
0006 NetworkPkg Ip6Dxe SECURITY PATCH CVE 2023 45231 Patc.patch

NetworkPkg/Ip6Dxe/Ip6Option.c | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 [patch 06/15] networkpkg: ip6dxe: security patch cve-2023-45231 patch

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536

Bug Overview:
PixieFail Bug #3
CVE-2023-45231
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read

Out-of-bounds read when handling a ND Redirect message with truncated
options

Change Overview:

Adds a check to prevent truncated options from being parsed
+  //
+  // Cannot process truncated options.
+  // Cannot process options with a length of 0 as there is no Type
field.
+  //
+  if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
+    return FALSE;
+  }
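Review bot: the guard `if (OptionLen < sizeof (IP6_OPTION_HEADER))` is right as an entry check, but the comment above it conflates two cases: an option whose Opt Data Len field is 0 is legal (PadN with no padding, or a zero-length unknown option) and does have a Type field; what has no Type field is a zero-length buffer. Suggest rewording to "Cannot process a buffer shorter than an option header". The same check also has to be repeated per option as the offset advances, otherwise a final option cut off after its Type byte is still read past OptionLen; if the loop already does that, a one-line comment here saying so would save the next reader the search.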

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
0007 NetworkPkg Ip6Dxe SECURITY PATCH CVE 2023 45231 Unit.patch

NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.cpp | 20 20 + 0 - 0 !
NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf | 42 42 + 0 - 0 !
NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp | 129 129 + 0 - 0 !
NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 1 + 0 - 0 !
4 files changed, 192 insertions(+)

 [patch 07/15] networkpkg: ip6dxe: security patch cve-2023-45231 unit
 Tests

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536

Validates that the patch for...

Out-of-bounds read when handling a ND Redirect message with truncated
options

.. has been fixed

Tests the following function to ensure that an out of bounds read does
not occur
Ip6OptionValidation

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
0008 NetworkPkg Ip6Dxe SECURITY PATCH CVE 2023 45232 Patc.patch

NetworkPkg/Ip6Dxe/Ip6Nd.h | 35 35 + 0 - 0 !
NetworkPkg/Ip6Dxe/Ip6Option.c | 76 65 + 11 - 0 !
NetworkPkg/Ip6Dxe/Ip6Option.h | 71 71 + 0 - 0 !
3 files changed, 171 insertions(+), 11 deletions(-)

 [patch 08/15] networkpkg: ip6dxe: security patch cve-2023-45232 patch

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538

Bug Details:
PixieFail Bug #4
CVE-2023-45232
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

Infinite loop when parsing unknown options in the Destination Options
header

PixieFail Bug #5
CVE-2023-45233
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

Infinite loop when parsing a PadN option in the Destination Options
header

Change Overview:

Most importantly, this change corrects the following incorrect math
and cleans up the code.

>   // It is a PadN option
>   //
> - Offset = (UINT8)(Offset + *(Option + Offset + 1) + 2);
> + OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length;
> + Offset     = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);

> case Ip6OptionSkip:
> - Offset = (UINT8)(Offset + *(Option + Offset + 1));
>   OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length;
>   Offset     = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);
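Review bot: in the Ip6OptionSkip hunk the removed line `Offset = (UINT8)(Offset + *(Option + Offset + 1));` omitted the two option-header bytes, so an unknown option with Opt Data Len 0 left Offset unchanged on every pass; that is the unreachable exit condition. The replacement is only sound if two things hold that the hunk does not show: `Offset + sizeof (EFI_IP6_OPTION)` is checked against OptionLen before `->Length` is dereferenced, and Offset is no longer a UINT8. The next hunk widens OptionLen to 16 bits because an extension header carries up to (255 + 1) * 8 - 2 = 2046 option bytes; an 8-bit Offset would wrap back into the buffer at 256 and loop again, so the commit message should state the declared type of Offset.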

Additionally, this change also corrects incorrect math where the calling
function was calculating the HDR EXT optionLen as a uint8 instead of a
uint16

> - OptionLen = (UINT8)((*Option + 1) * 8 - 2);
> + OptionLen = IP6_HDR_EXT_LEN (*Option) -
IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN;

Additionally, this change adds logic to sanitize the incoming
data

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
0009 NetworkPkg Ip6Dxe SECURITY PATCH CVE 2023 45232 Unit.patch

NetworkPkg/Ip6Dxe/GoogleTest/Ip6DxeGoogleTest.inf | 10 6 + 4 - 0 !
NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.cpp | 278 278 + 0 - 0 !
NetworkPkg/Ip6Dxe/GoogleTest/Ip6OptionGoogleTest.h | 40 40 + 0 - 0 !
3 files changed, 324 insertions(+), 4 deletions(-)

 [patch 09/15] networkpkg: ip6dxe: security patch cve-2023-45232 unit
 Tests

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538

Unit tests to confirm that..

Infinite loop when parsing unknown options in the Destination Options
header

and

Infinite loop when parsing a PadN option in the Destination Options
header

... have been patched

This patch tests the following functions:
Ip6IsOptionValid

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
0010 NetworkPkg UefiPxeBcDxe SECURITY PATCH CVE 2023 4523.patch

NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 71 65 + 6 - 0 !
1 file changed, 65 insertions(+), 6 deletions(-)

 [patch 10/15] networkpkg: uefipxebcdxe: security patch cve-2023-45234
 Patch

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539

Bug Details:
PixieFail Bug #6
CVE-2023-45234
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of
 a Memory Buffer

Buffer overflow when processing DNS Servers option in a DHCPv6
Advertise message

Change Overview:

Introduces a function to cache the Dns Server and perform sanitizing
on the incoming DnsServerLen to ensure that the length is valid

> + EFI_STATUS
> + PxeBcCacheDnsServerAddresses (
> +  IN PXEBC_PRIVATE_DATA        *Private,
> +  IN PXEBC_DHCP6_PACKET_CACHE  *Cache6
> +  )

Additional code cleanup

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
0011 NetworkPkg UefiPxeBcDxe SECURITY PATCH CVE 2023 4523.patch

NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 1 + 0 - 0 !
NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp | 300 300 + 0 - 0 !
NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h | 50 50 + 0 - 0 !
NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.cpp | 19 19 + 0 - 0 !
NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf | 48 48 + 0 - 0 !
5 files changed, 418 insertions(+)

 [patch 11/15] networkpkg: uefipxebcdxe: security patch cve-2023-45234
 Unit Tests

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539

Unit tests to confirm that the bug..

Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise
message

..has been patched

This contains tests for the following functions:
PxeBcHandleDhcp6Offer
PxeBcCacheDnsServerAddresses

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
0013 NetworkPkg UefiPxeBcDxe SECURITY PATCH CVE 2023 4523.patch

NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 77 61 + 16 - 0 !
NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h | 17 17 + 0 - 0 !
2 files changed, 78 insertions(+), 16 deletions(-)

 [patch 13/15] networkpkg: uefipxebcdxe: security patch cve-2023-45235
 Patch

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540

Bug Details:
PixieFail Bug #7
CVE-2023-45235
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of
 a Memory Buffer

Buffer overflow when handling Server ID option from a DHCPv6 proxy
Advertise message

Change Overview:

Performs two checks

1. Checks that the length of the duid is accurate
> + //
> + // Check that the minimum and maximum requirements are met
> + //
> + if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) ||
(OpLen > PXEBC_MAX_SIZE_OF_DUID)) {
> +  Status = EFI_INVALID_PARAMETER;
> +  goto ON_ERROR;
> + }

2. Ensures that the amount of data written to the buffer is tracked and
never exceeds that
> + //
> + // Check that the option length is valid.
> + //
> + if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN)
 > DiscoverLenNeeded) {
> +     Status = EFI_OUT_OF_RESOURCES;
> +     goto ON_ERROR;
> + }
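Review bot: EFI_OUT_OF_RESOURCES is a misleading status for the `DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN > DiscoverLenNeeded` branch: DiscoverLenNeeded was computed up front from the same offer, so reaching it means the server-supplied option length no longer agrees with what was accounted for, not that an allocation failed. EFI_INVALID_PARAMETER, as used for the DUID bounds check above, tells the caller the Advertise was malformed rather than that memory is short, and keeps the two rejections of the same untrusted length consistent.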

Additional code clean up and fix for memory leak in case Option was NULL

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
0014 NetworkPkg UefiPxeBcDxe SECURITY PATCH CVE 2023 4523.patch

NetworkPkg/Test/NetworkPkgHostTest.dsc | 5 4 + 1 - 0 !
NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp | 278 276 + 2 - 0 !
NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.h | 18 18 + 0 - 0 !
3 files changed, 298 insertions(+), 3 deletions(-)

 [patch 14/15] networkpkg: uefipxebcdxe: security patch cve-2023-45235
 Unit Tests

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540

Unit tests to confirm that the bug..

Buffer overflow when handling Server ID option from a DHCPv6 proxy
Advertise message

..has been patched.

This patch contains unit tests for the following functions:
PxeBcRequestBootService
PxeBcDhcp6Discover

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
0015 NetworkPkg Adds a SecurityFix.yaml file.patch

NetworkPkg/SecurityFixes.yaml | 123 123 + 0 - 0 !
1 file changed, 123 insertions(+)

 [patch 15/15] networkpkg: : adds a securityfix.yaml file

This creates / adds a security file that tracks the security fixes
found in this package and can be used to find the fixes that were
applied.

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Disable the Shell when SecureBoot is enabled.patch

ShellPkg/Application/Shell/Shell.c | 14 14 + 0 - 0 !
ShellPkg/Application/Shell/Shell.h | 3 3 + 0 - 0 !
ShellPkg/Application/Shell/Shell.inf | 2 2 + 0 - 0 !
ShellPkg/ShellPkg.dsc | 1 1 + 0 - 0 !
4 files changed, 20 insertions(+)

 shell: disable the shell when secureboot is enabled and not in
 SetupMode

Signed-off-by: Mate Kukri <mate.kukri@canonical.com>

0001 MdePkg Fix overflow issue in BasePeCoffLib.patch

MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] mdepkg: fix overflow issue in basepecofflib

The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is
also a UINT32 value. The current code does not check for overflow when
adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a
check to ensure that the addition does not overflow.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Authored-by: sriraamx gobichettipalayam <sri..@intel.com>

0002 MdePkg Improving readability of CVE patch for PeCoff.patch

MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] mdepkg: improving readability of cve patch for
 PeCoffLoaderRelocateImage

This change adds parentheses to the if condition detecting overflow in
the PeCoffLoaderRelocateImage function to improve readability.

Follow on change for:
    REF!: https://github.com/tianocore/edk2/pull/6249

Signed-off-by: Doug Flick <dougflick@microsoft.com>

MdeModulePkg Potential UINT32 overflow in S3 ResumeC.patch

MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c | 12 8 + 4 - 0 !
1 file changed, 8 insertions(+), 4 deletions(-)

 [patch] mdemodulepkg: potential uint32 overflow in s3 resumecount

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4677

An attacker is able to modify physical memory and ResumeCount.
System will crash/DoS when ResumeCount reaches its MAX_UINT32.

Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>

Signed-off-by: Pakkirisamy ShanmugavelX <shanmugavelx.pakkirisamy@intel.com>