master

分支 (31)

标签 (43)

管理

管理

master

openEuler-24.03-LTS-Next

openEuler-24.03-LTS-SP2

openEuler-22.03-LTS-SP3

openEuler-20.03-LTS-SP4

openEuler-24.03-LTS-SP1

openEuler-24.03-LTS

openEuler-22.03-LTS-SP4

openEuler-25.03

openEuler-22.03-LTS-SP1

sync-pr258-master-to-openEuler-24.09

sync-pr257-openEuler-22.03-LTS-SP3-to-openEuler-22.03-LTS-SP1

sync-pr257-openEuler-22.03-LTS-SP3-to-openEuler-22.03-LTS-SP4

openEuler-24.09

openEuler-22.03-LTS-SP2

openEuler-22.03-LTS

openEuler-22.03-LTS-Next

openEuler-20.03-LTS-SP1

openEuler-24.03-LTS-Loongarch

openEuler-20.03-LTS-SP3

openEuler-20.03-LTS-SP4-update-20250403

openEuler-22.03-LTS-SP4-update-20250403

openEuler-24.03-LTS-SP1-update-20250403

openEuler-22.03-LTS-SP3-update-20250403

openEuler-24.03-LTS-update-20250403

openEuler-25.03-release

openEuler-24.03-LTS-update-20250321

openEuler-24.03-LTS-SP1-update-20250321

openEuler-24.03-LTS-update-20250228

openEuler-24.03-LTS-SP1-update-20250228

openEuler-22.03-LTS-SP3-update-20250228

openEuler-22.03-LTS-SP4-update-20250228

openEuler-20.03-LTS-SP4-update-20250228

openEuler-24.03-LTS-SP1-release

openEuler-22.03-LTS-SP4-update-before-20241025

openEuler-22.03-LTS-SP4-before-20241025

openEuler-24.03-LTS-update-before-20241025

openEuler-20.03-LTS-SP4-update-20241025

openEuler-22.03-LTS-SP1-update-20241025

openEuler-22.03-LTS-SP3-update-20241025

edk2
/
0066-NetworkPkg-TcpDxe-SECURITY-PATCH...

From b95e87d6764eb59e0e0814da5f33c4900cab57d4 Mon Sep 17 00:00:00 2001
From: ShenYage <shenyage1@huawei.com>
Date: Fri, 28 Feb 2025 16:04:22 +0800
Subject: [PATCH 1/2] NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Relared
 Patch

BUG: Tianocore's EDK2 TCP implementation generates ISNs using fixed
increments from a fixed base value and thus is uceptible to TCP session injection
and session hijack attacks.

This commit is a patch for CVE-2023-45236. Generates ISNs using RngLib to get a high-quality random number.

Signed-off-by: ShenYage <shenyage1@huawei.com>
---
 NetworkPkg/TcpDxe/TcpDxe.inf | 1 +
 NetworkPkg/TcpDxe/TcpMain.h  | 1 +
 NetworkPkg/TcpDxe/TcpMisc.c  | 9 ++++++++-
 NetworkPkg/TcpDxe/TcpTimer.c | 7 ++++++-
 4 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf
index c0acbdca..9281f908 100644
--- a/NetworkPkg/TcpDxe/TcpDxe.inf
+++ b/NetworkPkg/TcpDxe/TcpDxe.inf
@@ -67,6 +67,7 @@
   DpcLib
   NetLib
   IpIoLib
+  RngLib


 [Protocols]
diff --git a/NetworkPkg/TcpDxe/TcpMain.h b/NetworkPkg/TcpDxe/TcpMain.h
index c0c9b7f4..fc66c00e 100644
--- a/NetworkPkg/TcpDxe/TcpMain.h
+++ b/NetworkPkg/TcpDxe/TcpMain.h
@@ -16,6 +16,7 @@
 #include <Library/IpIoLib.h>
 #include <Library/DevicePathLib.h>
 #include <Library/PrintLib.h>
+#include <Library/RngLib.h>

 #include "Socket.h"
 #include "TcpProto.h"
diff --git a/NetworkPkg/TcpDxe/TcpMisc.c b/NetworkPkg/TcpDxe/TcpMisc.c
index c93212d4..b5e6120d 100644
--- a/NetworkPkg/TcpDxe/TcpMisc.c
+++ b/NetworkPkg/TcpDxe/TcpMisc.c
@@ -516,7 +516,14 @@ TcpGetIss (
   VOID
   )
 {
-  mTcpGlobalIss += TCP_ISS_INCREMENT_1;
+  UINT32  RandomVal;
+
+  if (GetRandomNumber32(&RandomVal)) {
+    mTcpGlobalIss += RandomVal;
+  } else {
+    mTcpGlobalIss += TCP_ISS_INCREMENT_1;
+  }
+
   return mTcpGlobalIss;
 }

diff --git a/NetworkPkg/TcpDxe/TcpTimer.c b/NetworkPkg/TcpDxe/TcpTimer.c
index 5d2e1249..5c2ba1a1 100644
--- a/NetworkPkg/TcpDxe/TcpTimer.c
+++ b/NetworkPkg/TcpDxe/TcpTimer.c
@@ -481,9 +481,14 @@ TcpTickingDpc (
   LIST_ENTRY  *Next;
   TCP_CB      *Tcb;
   INT16       Index;
+  UINT32          RandomVal;

   mTcpTick++;
-  mTcpGlobalIss += TCP_ISS_INCREMENT_2;
+  if (GetRandomNumber32(&RandomVal)) {
+    mTcpGlobalIss += RandomVal;
+  } else {
+    mTcpGlobalIss += TCP_ISS_INCREMENT_2;
+  }

   //
   // Don't use LIST_FOR_EACH, which isn't delete safe.
--
2.33.0