[AutoPR- Security] Patch hvloader for CVE-2025-3770 [MEDIUM] #68

46 changes: 46 additions & 0 deletions SPECS/hvloader/CVE-2025-3770.patch
@@ -0,0 +1,46 @@
From 31f54fe8857834e782b358c813c99f89f9ed5dad Mon Sep 17 00:00:00 2001
From: John Mathews <[email protected]>
Date: Fri, 30 May 2025 11:06:49 -0700
Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Safe handling of IDT register on
SMM entry

Mitigates CVE-2025-3770

Do not assume that IDT.limit is loaded with a zero value upon SMM entry.
Delay enabling Machine Check Exceptions in SMM until after the SMM IDT
has been reloaded.

Signed-off-by: John Mathews <[email protected]>
Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
Upstream-reference: https://github.com/tianocore/edk2/commit/d2d8d38ee08c5e602fb092f940dfecc1f5a4eb38.patch
---
UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
index d302ca8d..017576ff 100644
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
@@ -126,7 +126,7 @@ ProtFlatMode:
mov eax, strict dword 0 ; source operand will be patched
ASM_PFX(gPatchSmiCr3):
mov cr3, rax
- mov eax, 0x668 ; as cr4.PGE is not set here, refresh cr3
+ mov eax, 0x628 ; as cr4.PGE is not set here, refresh cr3

mov cl, strict byte 0 ; source operand will be patched
ASM_PFX(gPatch5LevelPagingNeeded):
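Review bot: the inline comment on the changed line (`mov eax, 0x628 ; as cr4.PGE is not set here, refresh cr3`) still only explains the PGE/CR3 refresh and says nothing about why the value dropped from 0x668 to 0x628, which clears bit 6 (CR4.MCE) and is the whole point of the change. Suggest extending the comment so the next reader does not "fix" it back, e.g. `mov eax, 0x628 ; PGE clear -> refresh cr3; MCE (bit 6) stays clear until the SMM IDT is loaded`. The other bits are unchanged (DE, PAE, OSFXSR, OSXMMEXCPT remain set), so a #MC that arrives before the IDT reload is the only behaviour this line alters, which is what the commit message describes.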
@@ -217,6 +217,10 @@ SmiHandlerIdtrAbsAddr:
mov ax, [rbx + DSC_SS]
mov ss, eax

+ mov rax, cr4 ; enable MCE
+ bts rax, 6
+ mov cr4, rax
+
mov rbx, [rsp + 0x8] ; rbx <- CpuIndex

; enable CET if supported
--
2.45.4
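Review bot: `bts rax, 6` in the second hunk is a bare magic number for CR4.MCE; please spell out the bit in the comment (e.g. `bts rax, 6 ; set CR4.MCE (bit 6); SMM IDT is loaded at this point`) or use a named CR4 bit constant if the file has one, since the pairing with the `0x628` change above is otherwise invisible to a reader. The placement after the `mov ss, eax` in the `SmiHandlerIdtrAbsAddr` region is consistent with the commit message's "delay enabling Machine Check Exceptions until after the SMM IDT has been reloaded". Separately, the stat shows only `UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm` changed, so please confirm either that the Ia32 SMI entry path does not need the same deferral or that hvloader builds only the X64 target (the spec's install step copies from `Build/MdeModule/RELEASE_GCC5/X64/...`), and record which in the PR description.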

6 changes: 5 additions & 1 deletion SPECS/hvloader/hvloader.spec
Expand Up @@ -4,7 +4,7 @@
Summary: HvLoader.efi is an EFI application for loading an external hypervisor loader.
Name: hvloader
Version: 1.0.1
Release: 13%{?dist}
Release: 14%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
Expand Down Expand Up @@ -34,6 +34,7 @@ Patch16: CVE-2022-36765.patch
Patch17: CVE-2023-45237.patch
Patch18: CVE-2023-45236.patch
Patch19: CVE-2024-38796.patch
Patch20: CVE-2025-3770.patch

BuildRequires: bc
BuildRequires: gcc
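Review bot: Patch20 is declared here but the visible diff contains no change to `%prep`; if this spec applies patches with numbered `%patch` directives rather than `%autosetup`, a matching `%patch20` line in the spec's usual form is required, otherwise the package will build and the new Release will ship without CVE-2025-3770.patch ever being applied. Please confirm which mechanism the spec uses, and ideally verify from the build log that the patch is applied.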
Expand Down Expand Up @@ -79,6 +80,9 @@ cp ./Build/MdeModule/RELEASE_GCC5/X64/MdeModulePkg/Application/%{name_github}-%{
/boot/efi/HvLoader.efi

%changelog
* Tue Aug 12 2025 Azure Linux Security Servicing Account <[email protected]> - 1.0.1-14
- Patch for CVE-2025-3770

* Tue May 13 2025 Archana Shettigar <[email protected]> - 1.0.1-13
- Fix CVE-2024-38796 with an upstream patch
