azurelinux-security · azurelinux-security · Jan 5, 2026
diff --git a/SPECS/edk2/CVE-2025-2295.patch b/SPECS/edk2/CVE-2025-2295.patch
@@ -0,0 +1,54 @@
+From 7fe53cd8c73a4f62a51be20d33790f8307e83eeb Mon Sep 17 00:00:00 2001
+From: Madhavan <[email protected]>
+Date: Fri, 14 Mar 2025 14:15:13 -0400
+Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for Remote Memory Exposure in ISCSI
+ bz4206
+
+Used SafeUint32Add to calculate and validate OutTransferLength with
+boundary check in IScsiOnR2TRcvd to avoid integer overflow
+
+Signed-off-by: Madhavan <[email protected]>
+Signed-off-by: rpm-build <rpm-build>
+Upstream-reference: https://github.com/tianocore/edk2/commit/17cdc512f02a2dfd1b9e24133da56fdda099abda.patch
+---
+ NetworkPkg/IScsiDxe/IScsiProto.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
+index ef58764..fb48e63 100644
+--- a/NetworkPkg/IScsiDxe/IScsiProto.c
++++ b/NetworkPkg/IScsiDxe/IScsiProto.c
+@@ -1,7 +1,7 @@
+ /** @file
+   The implementation of iSCSI protocol based on RFC3720.
+
+-Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
++Copyright (c) 2004 - 2025, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ **/
+@@ -2682,6 +2682,7 @@ IScsiOnR2TRcvd (
+   EFI_STATUS               Status;
+   ISCSI_XFER_CONTEXT       *XferContext;
+   UINT8                    *Data;
++  UINT32                   TransferLength;
+
+   R2THdr = (ISCSI_READY_TO_TRANSFER *)NetbufGetByte (Pdu, 0, NULL);
+   if (R2THdr == NULL) {
+@@ -2712,7 +2713,12 @@ IScsiOnR2TRcvd (
+   XferContext->Offset            = R2THdr->BufferOffset;
+   XferContext->DesiredLength     = R2THdr->DesiredDataTransferLength;
+
+-  if (((XferContext->Offset + XferContext->DesiredLength) > Packet->OutTransferLength) ||
++  Status = SafeUint32Add (XferContext->Offset, XferContext->DesiredLength, &TransferLength);
++  if (EFI_ERROR (Status)) {
++    return EFI_PROTOCOL_ERROR;
++  }
++
++  if ((TransferLength > Packet->OutTransferLength) ||
+       (XferContext->DesiredLength > Tcb->Conn->Session->MaxBurstLength)
+       )
+   {
+-- 
+2.45.4
+
diff --git a/SPECS/edk2/edk2.spec b/SPECS/edk2/edk2.spec
@@ -55,7 +55,7 @@ ExclusiveArch: x86_64
 
 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    11%{?dist}
+Release:    12%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    Apache-2.0 AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-Patent AND BSD-3-Clause AND BSD-4-Clause AND ISC AND MIT AND LicenseRef-Fedora-Public-Domain
 URL:        https://www.tianocore.org
@@ -141,6 +141,7 @@ Patch1004: CVE-2024-2511.patch
 Patch1005: CVE-2024-4603.patch
 Patch1006: CVE-2025-3770.patch
 Patch1007: CVE-2025-9230.patch
+Patch1008: CVE-2025-2295.patch
 
 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
@@ -802,6 +803,9 @@ done
 /boot/efi/HvLoader.efi
 
 %changelog
+* Mon Jan 05 2026 Azure Linux Security Servicing Account <[email protected]> - 20240524git3e722403cd16-12
+- Patch for CVE-2025-2295
+
 * Tue Nov 19 2025 Jyoti kanase <[email protected]> - 20240524git3e722403cd16-11
 - Patch for CVE-2025-2296