diff --git a/SPECS/hvloader/CVE-2025-3770.patch b/SPECS/hvloader/CVE-2025-3770.patch new file mode 100644 index 00000000000..4121d06013d --- /dev/null +++ b/SPECS/hvloader/CVE-2025-3770.patch @@ -0,0 +1,46 @@ +From 31f54fe8857834e782b358c813c99f89f9ed5dad Mon Sep 17 00:00:00 2001 +From: John Mathews +Date: Fri, 30 May 2025 11:06:49 -0700 +Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Safe handling of IDT register on + SMM entry + +Mitigates CVE-2025-3770 + +Do not assume that IDT.limit is loaded with a zero value upon SMM entry. +Delay enabling Machine Check Exceptions in SMM until after the SMM IDT +has been reloaded. + +Signed-off-by: John Mathews +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/tianocore/edk2/commit/d2d8d38ee08c5e602fb092f940dfecc1f5a4eb38.patch +--- + UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm +index d302ca8d..017576ff 100644 +--- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm ++++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm +@@ -126,7 +126,7 @@ ProtFlatMode: + mov eax, strict dword 0 ; source operand will be patched + ASM_PFX(gPatchSmiCr3): + mov cr3, rax +- mov eax, 0x668 ; as cr4.PGE is not set here, refresh cr3 ++ mov eax, 0x628 ; as cr4.PGE is not set here, refresh cr3 + + mov cl, strict byte 0 ; source operand will be patched + ASM_PFX(gPatch5LevelPagingNeeded): +@@ -217,6 +217,10 @@ SmiHandlerIdtrAbsAddr: + mov ax, [rbx + DSC_SS] + mov ss, eax + ++ mov rax, cr4 ; enable MCE ++ bts rax, 6 ++ mov cr4, rax ++ + mov rbx, [rsp + 0x8] ; rbx <- CpuIndex + + ; enable CET if supported +-- +2.45.4 + diff --git a/SPECS/hvloader/hvloader.spec b/SPECS/hvloader/hvloader.spec index a564483963b..6b98257362c 100644 --- a/SPECS/hvloader/hvloader.spec +++ b/SPECS/hvloader/hvloader.spec @@ -4,7 +4,7 @@ Summary: HvLoader.efi is an EFI application for loading an external hypervisor loader. Name: hvloader Version: 1.0.1 -Release: 13%{?dist} +Release: 14%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -34,6 +34,7 @@ Patch16: CVE-2022-36765.patch Patch17: CVE-2023-45237.patch Patch18: CVE-2023-45236.patch Patch19: CVE-2024-38796.patch +Patch20: CVE-2025-3770.patch BuildRequires: bc BuildRequires: gcc @@ -79,6 +80,9 @@ cp ./Build/MdeModule/RELEASE_GCC5/X64/MdeModulePkg/Application/%{name_github}-%{ /boot/efi/HvLoader.efi %changelog +* Tue Aug 12 2025 Azure Linux Security Servicing Account - 1.0.1-14 +- Patch for CVE-2025-3770 + * Tue May 13 2025 Archana Shettigar - 1.0.1-13 - Fix CVE-2024-38796 with an upstream patch