Patch edk2 for CVE-2025-3770

azurelinux-security · azurelinux-security · commit daf2b6939c55 · 2025-08-11T11:34:32.000Z
diff --git a/SPECS/edk2/CVE-2025-3770.patch b/SPECS/edk2/CVE-2025-3770.patch
@@ -0,0 +1,46 @@
+From 48d5b0a7b11a656d3ff58542900d318ec811f638 Mon Sep 17 00:00:00 2001
+From: John Mathews <john.mathews@intel.com>
+Date: Fri, 30 May 2025 11:06:49 -0700
+Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Safe handling of IDT register on
+ SMM entry
+
+Mitigates CVE-2025-3770
+
+Do not assume that IDT.limit is loaded with a zero value upon SMM entry.
+Delay enabling Machine Check Exceptions in SMM until after the SMM IDT
+has been reloaded.
+
+Signed-off-by: John Mathews <john.mathews@intel.com>
+Signed-off-by: rpm-build <rpm-build>
+Upstream-reference: https://github.com/tianocore/edk2/commit/d2d8d38ee08c5e602fb092f940dfecc1f5a4eb38.patch
+---
+ UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+index 644366b..6e1cd45 100644
+--- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
++++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+@@ -113,7 +113,7 @@ ProtFlatMode:
+     mov eax, strict dword 0               ; source operand will be patched
+ ASM_PFX(gPatchSmiCr3):
+     mov     cr3, rax
+-    mov     eax, 0x668                   ; as cr4.PGE is not set here, refresh cr3
++    mov     eax, 0x628                   ; as cr4.PGE is not set here, refresh cr3
+ 
+     mov     cl, strict byte 0            ; source operand will be patched
+ ASM_PFX(gPatch5LevelPagingNeeded):
+@@ -204,6 +204,10 @@ SmiHandlerIdtrAbsAddr:
+     mov     ax, [rbx + DSC_SS]
+     mov     ss, eax
+ 
++    mov     rax, cr4                    ; enable MCE
++    bts     rax, 6
++    mov     cr4, rax
++
+     mov     rbx, [rsp + 0x8]             ; rbx <- CpuIndex
+ 
+ ; enable CET if supported
+-- 
+2.45.4
+
diff --git a/SPECS/edk2/edk2.spec b/SPECS/edk2/edk2.spec
@@ -55,7 +55,7 @@ ExclusiveArch: x86_64
 
 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    8%{?dist}
+Release:    9%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    Apache-2.0 AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-Patent AND BSD-3-Clause AND BSD-4-Clause AND ISC AND MIT AND LicenseRef-Fedora-Public-Domain
 URL:        https://www.tianocore.org
@@ -138,6 +138,7 @@ Patch1002: CVE-2024-4741.patch
 Patch1003: CVE-2024-13176.patch
 Patch1004: CVE-2024-2511.patch
 Patch1005: CVE-2024-4603.patch
+Patch1006: CVE-2025-3770.patch
 
 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
@@ -799,6 +800,9 @@ done
 /boot/efi/HvLoader.efi
 
 %changelog
+* Mon Aug 11 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 20240524git3e722403cd16-9
+- Patch for CVE-2025-3770
+
 * Thu Apr 24 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 20240524git3e722403cd16-8
 - Fix CVE-2024-38796
 
