[AutoPR- Security] Patch hvloader for CVE-2025-3770 [MEDIUM] (#14489)

Co-authored-by: jykanase <[email protected]>

Author: azurelinux-security

SPECS-SIGNED/hvloader-signed/hvloader-signed.spec

@@ -6,7 +6,7 @@
 Summary:        Signed HvLoader.efi for %{buildarch} systems
 Name:           hvloader-signed-%{buildarch}
 Version:        1.0.1
-Release:        13%{?dist}
+Release:        14%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -69,6 +69,9 @@ popd
 /boot/efi/HvLoader.efi
 
 %changelog
+* Tue Aug 12 2025 Azure Linux Security Servicing Account <[email protected]> - 1.0.1-14
+- Bump release for consistency with hvloader spec.
+
 * Tue May 13 2025 Archana Shettigar <[email protected]> - 1.0.1-13
 - Bump release for consistency with hvloader spec.
 

SPECS/hvloader/CVE-2025-3770.patch

@@ -0,0 +1,46 @@
+From 6171f6700357bc265b083628451e4a1b72d7f5e0 Mon Sep 17 00:00:00 2001
+From: John Mathews <[email protected]>
+Date: Fri, 30 May 2025 11:06:49 -0700
+Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Safe handling of IDT register on
+ SMM entry
+
+Mitigates CVE-2025-3770
+
+Do not assume that IDT.limit is loaded with a zero value upon SMM entry.
+Delay enabling Machine Check Exceptions in SMM until after the SMM IDT
+has been reloaded.
+
+Signed-off-by: John Mathews <[email protected]>
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/tianocore/edk2/commit/d2d8d38ee08c5e602fb092f940dfecc1f5a4eb38.patch
+---
+ UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+index d302ca8d..017576ff 100644
+--- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
++++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+@@ -126,7 +126,7 @@ ProtFlatMode:
+     mov eax, strict dword 0               ; source operand will be patched
+ ASM_PFX(gPatchSmiCr3):
+     mov     cr3, rax
+-    mov     eax, 0x668                   ; as cr4.PGE is not set here, refresh cr3
++    mov     eax, 0x628                   ; as cr4.PGE is not set here, refresh cr3
+ 
+     mov     cl, strict byte 0            ; source operand will be patched
+ ASM_PFX(gPatch5LevelPagingNeeded):
+@@ -217,6 +217,10 @@ SmiHandlerIdtrAbsAddr:
+     mov     ax, [rbx + DSC_SS]
+     mov     ss, eax
+ 
++    mov     rax, cr4                    ; enable MCE
++    bts     rax, 6
++    mov     cr4, rax
++
+     mov     rbx, [rsp + 0x8]             ; rbx <- CpuIndex
+ 
+ ; enable CET if supported
+-- 
+2.45.4
+

SPECS/hvloader/hvloader.spec

@@ -4,7 +4,7 @@
 Summary:        HvLoader.efi is an EFI application for loading an external hypervisor loader.
 Name:           hvloader
 Version:        1.0.1
-Release:        13%{?dist}
+Release:        14%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -34,6 +34,7 @@ Patch16: 	CVE-2022-36765.patch
 Patch17: 	CVE-2023-45237.patch
 Patch18: 	CVE-2023-45236.patch
 Patch19: 	CVE-2024-38796.patch
+Patch20:  	CVE-2025-3770.patch
 
 BuildRequires:  bc
 BuildRequires:  gcc
@@ -79,6 +80,9 @@ cp ./Build/MdeModule/RELEASE_GCC5/X64/MdeModulePkg/Application/%{name_github}-%{
 /boot/efi/HvLoader.efi
 
 %changelog
+* Tue Aug 12 2025 Azure Linux Security Servicing Account <[email protected]> - 1.0.1-14
+- Patch for CVE-2025-3770
+
 * Tue May 13 2025 Archana Shettigar <[email protected]> - 1.0.1-13
 - Fix CVE-2024-38796 with an upstream patch