boot/edk2: add security fix for CVE-2024-38805

This commit adds a security fix from the upstream commit:
https://github.com/tianocore/edk2/commit/b3a2f7ff24e156e8c4d694fffff01e95a048c536

It fixes CVE-2024-38805:
https://www.cve.org/CVERecord?id=CVE-2024-38805
Note: at the time of this commit, this CVE is "reserved" by a CNA.
Details will come later.

See also the associated pull request:
https://github.com/tianocore/edk2/pull/11042

This commit also adds the corresponding _IGNORE_CVES entry.

Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 14d07d1914766314afb5d7f9fbdeae10bb459bde)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>

boot/edk2/0001-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch

@@ -0,0 +1,75 @@
+From 0a3b2a29b96b11fb858974044359c806c6b0a111 Mon Sep 17 00:00:00 2001
+From: Santhosh Kumar V <santhoshkumarv@ami.com>
+Date: Wed, 7 May 2025 18:53:30 +0530
+Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for out of bound memory access for
+ bz4207 (CVE-2024-38805)
+
+In IScsiBuildKeyValueList, check if we have any data left (Len > 0) before advancing the Data pointer and reducing Len.
+Avoids wrapping Len. Also Used SafeUint32SubSafeUint32Sub call to reduce the Len .
+
+Upstream: https://github.com/tianocore/edk2/commit/b3a2f7ff24e156e8c4d694fffff01e95a048c536
+Signed-off-by: santhosh kumar V <santhoshkumarv@ami.com>
+Signed-off-by: Julien Olivain <ju.o@free.fr>
+---
+ NetworkPkg/IScsiDxe/IScsiProto.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
+index ef587649a0..53a0ff801d 100644
+--- a/NetworkPkg/IScsiDxe/IScsiProto.c
++++ b/NetworkPkg/IScsiDxe/IScsiProto.c
+@@ -1880,6 +1880,8 @@ IScsiBuildKeyValueList (
+ {
+   LIST_ENTRY            *ListHead;
+   ISCSI_KEY_VALUE_PAIR  *KeyValuePair;
++  EFI_STATUS            Status;
++  UINT32                Result;
+ 
+   ListHead = AllocatePool (sizeof (LIST_ENTRY));
+   if (ListHead == NULL) {
+@@ -1903,9 +1905,14 @@ IScsiBuildKeyValueList (
+       Data++;
+     }
+ 
+-    if (*Data == '=') {
++    // Here Len must not be zero.
++    // The value of Len is size of data buffer. Actually, Data is make up of strings.
++    // AuthMethod=None\0TargetAlias=LIO Target\0 TargetPortalGroupTag=1\0
++    // (1) Len == 0, *Data != '=' goto ON_ERROR
++    // (2) *Data == '=', Len != 0 normal case.
++    // (3) *Data == '=', Len == 0, Between Data and Len are mismatch, Len isn't all size of data, as error.
++    if ((Len > 0) && (*Data == '=')) {
+       *Data = '\0';
+-
+       Data++;
+       Len--;
+     } else {
+@@ -1915,10 +1922,22 @@ IScsiBuildKeyValueList (
+ 
+     KeyValuePair->Value = Data;
+ 
+-    InsertTailList (ListHead, &KeyValuePair->List);
++    Status = SafeUint32Add ((UINT32)AsciiStrLen (KeyValuePair->Value), 1, &Result);
++    if (EFI_ERROR (Status)) {
++      DEBUG ((DEBUG_ERROR, "%a Memory Overflow is Detected.\n", __func__));
++      FreePool (KeyValuePair);
++      goto ON_ERROR;
++    }
+ 
+-    Data += AsciiStrLen (KeyValuePair->Value) + 1;
+-    Len  -= (UINT32)AsciiStrLen (KeyValuePair->Value) + 1;
++    Status = SafeUint32Sub (Len, Result, &Len);
++    if (EFI_ERROR (Status)) {
++      DEBUG ((DEBUG_ERROR, "%a Out of bound memory access Detected.\n", __func__));
++      FreePool (KeyValuePair);
++      goto ON_ERROR;
++    }
++
++    InsertTailList (ListHead, &KeyValuePair->List);
++    Data += Result;
+   }
+ 
+   return ListHead;
+-- 
+2.49.0
+

boot/edk2/edk2.mk

@@ -14,6 +14,9 @@ EDK2_DEPENDENCIES = edk2-platforms host-python3 host-acpica host-util-linux
 EDK2_INSTALL_TARGET = NO
 EDK2_INSTALL_IMAGES = YES
 
+# 0001-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch
+EDK2_IGNORE_CVES += CVE-2024-38805
+
 ifeq ($(BR2_ENABLE_DEBUG),y)
 EDK2_BUILD_TYPE = DEBUG
 ifeq ($(BR2_TARGET_EDK2_OVMF_DEBUG_ON_SERIAL),y)