From: "Saloni Kasbekar"
To: Santhosh Kumar V, "devel@edk2.groups.io"
CC: Sivaraman Nainar, Raj V Akilan, "Kinney, Michael D", "Mathews, John", "Clark-williams, Zachary"
Subject: Re: [edk2-devel] [PATCH] NetworkPkg Update Security Patch
Date: Wed, 7 Feb 2024 22:57:39 +0000
References: <20240203101119.2167-1-santhoshkumarv@ami.com>
In-Reply-To: <20240203101119.2167-1-santhoshkumarv@ami.com>

Reviewed-by: Saloni Kasbekar

-----Original Message-----
From: Santhosh Kumar V
Sent: Saturday, February 3, 2024 2:11 AM
To: devel@edk2.groups.io; Santhosh Kumar V
Cc: Sivaraman Nainar; Raj V Akilan; Kinney, Michael D; Kasbekar, Saloni; Mathews, John; Clark-williams, Zachary
Subject: [PATCH] NetworkPkg Update Security Patch

Update Security patch for Bug 4541 (Predictable TCP ISNs)

Cc: Saloni Kasbekar
Cc: Zachary Clark-williams
Signed-off-by: SanthoshKumar
--- NetworkPkg/Library/DxeNetLib/DxeNetLib.c | 21 ++++++++++++++------- NetworkPkg/Library/DxeNetLib/DxeNetLib.inf | 2 +- NetworkPkg/TcpDxe/TcpDxe.inf | 1 + NetworkPkg/TcpDxe/TcpMain.h | 1 + NetworkPkg/TcpDxe/TcpMisc.c | 7 ++++++- NetworkPkg/TcpDxe/TcpTimer.c | 8 +++++--- 6 files changed, 28 insertions(+), 12 deletions(-) diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c b/NetworkPkg/Library/= DxeNetLib/DxeNetLib.c index fd4a9e15a8..d3cc8a59d4 100644 --- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c +++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c @@ -31,6 +31,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include +#include #define NIC_ITEM_CONFIG_SIZE (sizeof (NIC_IP4_CONFIG_INFO) + sizeof (EFI_= IP4_ROUTE_TABLE) * MAX_IP4_CONFIG_IN_VARIABLE) #define DEFAULT_ZERO_START ((UINTN) ~0) 
@@ -902,14 +903,20 @@ NetRandomInitSeed ( EFI_TIME Time; UINT32 Seed; UINT64 MonotonicCount; + UINT32 RandomVal; + + if ( TRUE =3D=3D GetRandomNumber32(&RandomVal)) + Seed =3D RandomVal; + else + { + gRT->GetTime (&Time, NULL); + Seed =3D (Time.Hour << 24 | Time.Day << 16 | Time.Minute << 8 |=20 + Time.Second); + Seed ^=3D Time.Nanosecond; + Seed ^=3D Time.Year << 7; - gRT->GetTime (&Time, NULL); - Seed =3D (Time.Hour << 24 | Time.Day << 16 | Time.Minute << 8 | Time.Se= cond); - Seed ^=3D Time.Nanosecond; - Seed ^=3D Time.Year << 7; - - gBS->GetNextMonotonicCount (&MonotonicCount); - Seed +=3D (UINT32)MonotonicCount; + gBS->GetNextMonotonicCount (&MonotonicCount); + Seed +=3D (UINT32)MonotonicCount; + } return Seed; } diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf b/NetworkPkg/Librar= y/DxeNetLib/DxeNetLib.inf index 8145d256ec..2c800b7c00 100644 --- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf +++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf @@ -43,7 +43,7 @@ MemoryAllocationLib DevicePathLib PrintLib - + RngLib [Guids] gEfiSmbiosTableGuid ## SOMETIMES_CONSUMES ## = SystemTable diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf in= dex c0acbdca57..99c093600f 100644 --- a/NetworkPkg/TcpDxe/TcpDxe.inf +++ b/NetworkPkg/TcpDxe/TcpDxe.inf @@ -67,6 +67,7 @@ DpcLib NetLib IpIoLib + RngLib [Protocols] diff --git a/NetworkPkg/TcpDxe/TcpMain.h b/NetworkPkg/TcpDxe/TcpMain.h inde= x c0c9b7f46e..f94598b6ba 100644 --- a/NetworkPkg/TcpDxe/TcpMain.h +++ b/NetworkPkg/TcpDxe/TcpMain.h @@ -16,6 +16,7 @@ #include #include #include +#include #include "Socket.h" #include "TcpProto.h" diff --git a/NetworkPkg/TcpDxe/TcpMisc.c b/NetworkPkg/TcpDxe/TcpMisc.c inde= x c93212d47d..4d33dd6ad6 100644 --- a/NetworkPkg/TcpDxe/TcpMisc.c +++ b/NetworkPkg/TcpDxe/TcpMisc.c 
@@ -516,7 +516,12 @@ TcpGetIss ( VOID ) { - mTcpGlobalIss +=3D TCP_ISS_INCREMENT_1; + UINT32 RandomVal; + if ( TRUE =3D=3D GetRandomNumber32(&RandomVal)) + mTcpGlobalIss +=3D RandomVal; + else + mTcpGlobalIss +=3D TCP_ISS_INCREMENT_1; + return mTcpGlobalIss; } diff --git a/NetworkPkg/TcpDxe/TcpTimer.c b/NetworkPkg/TcpDxe/TcpTimer.c in= dex 5d2e124977..3370e6b264 100644 --- a/NetworkPkg/TcpDxe/TcpTimer.c +++ b/NetworkPkg/TcpDxe/TcpTimer.c @@ -481,10 +481,12 @@ TcpTickingDpc ( LIST_ENTRY *Next; TCP_CB *Tcb; INT16 Index; - + UINT32 RandomVal; mTcpTick++; - mTcpGlobalIss +=3D TCP_ISS_INCREMENT_2; - + if ( TRUE =3D=3D GetRandomNumber32(&RandomVal)) + mTcpGlobalIss +=3D RandomVal + else + mTcpGlobalIss +=3D TCP_ISS_INCREMENT_2; // // Don't use LIST_FOR_EACH, which isn't delete safe. // -- 2.42.0.windows.2

View/Reply Online (#115259): https://edk2.groups.io/g/devel/message/115259
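
Review bot: In NetRandomInitSeed (DxeNetLib.c, hunk at -902), the else branch keeps the GetTime and GetNextMonotonicCount seed as a silent fallback, so a platform whose GetRandomNumber32 call fails still gets the time-derived seed and nothing records that it happened. Please emit at least a DEBUG warning on that path, or consider failing instead of degrading, since the commit message says the patch is for predictable values. Style: the if and else bodies need braces, and the condition should read `if (GetRandomNumber32 (&RandomVal)) {` rather than comparing against TRUE.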
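
Review bot: In the DxeNetLib.inf hunk, the added RngLib line takes the place of the empty line that separated PrintLib from [Guids], so the library list now runs straight into the next section header. Add RngLib after PrintLib and keep the blank separator line. The new library class dependency also deserves a sentence in the commit message, because platform DSC files that build NetLib will need an RngLib instance mapped.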
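
Review bot: In TcpGetIss (TcpMisc.c), a failed GetRandomNumber32 call falls back to `mTcpGlobalIss += TCP_ISS_INCREMENT_1;`, which is exactly the fixed-increment behaviour being replaced, and the caller cannot tell which path was taken. Log the failure or give the function a way to report it. The ISS is also still one global counter shared by every connection; if that is intentional, say so in the commit message. Style: add a blank line after the `UINT32 RandomVal;` declaration, put braces on both branches, and drop the `TRUE ==` comparison.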
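
Review bot: In TcpTickingDpc (TcpTimer.c), the added line `mTcpGlobalIss += RandomVal` has no terminating semicolon before `else`, so this file will not compile as posted. Beyond that, the hunk calls GetRandomNumber32 on every tick inside a DPC; please confirm the cost of the RngLib instance is acceptable there, or draw the random value only when an ISS is actually needed in TcpGetIss. The hunk also removes the blank lines around `mTcpTick++;` and leaves the declaration directly against the first statement; keep the original spacing and add braces to both branches.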