From: "wenyi,xie via groups.io"
Subject: [edk2-devel] [PATCH EDK2 v1 1/1] SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset(CVE-2019-14562)
Date: Wed, 12 Aug 2020 15:04:46 +0800
Message-ID: <1597215886-48713-2-git-send-email-xiewenyi2@huawei.com>
In-Reply-To: <1597215886-48713-1-git-send-email-xiewenyi2@huawei.com>
References: <1597215886-48713-1-git-send-email-xiewenyi2@huawei.com>

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2215

There is an integer overflow vulnerability in the DxeImageVerificationHandler function when parsing the PE file's attribute certificate table. In cases where WinCertificate->dwLength is sufficiently large, it's possible to overflow Offset back to 0, causing an endless loop.

Check that the offset lies in between VirtualAddress and VirtualAddress + Size. Use SafeIntLib to do the offset addition with a result check.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Chao Zhang
Signed-off-by: Wenyi Xie --- SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf | = 1 + SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h | = 1 + SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | = 21 +++++++++++++++----- 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.inf b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificatio= nLib.inf index 1e1a639857e0..a7ac4830b3d4 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.i= nf +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.i= nf @@ -53,6 +53,7 @@ [LibraryClasses] SecurityManagementLib PeCoffLib TpmMeasurementLib + SafeIntLib =20 [Protocols] gEfiFirmwareVolume2ProtocolGuid ## SOMETIMES_CONSUMES diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.h b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.h index 17955ff9774c..060273917d5d 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h @@ -23,6 +23,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include +#include #include #include #include diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index 36b87e16d53d..2b42d4595f2c 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1658,6 +1658,9 @@ DxeImageVerificationHandler ( EFI_STATUS HashStatus; EFI_STATUS DbStatus; BOOLEAN IsFound; + UINT32 AlignedLength; + UINT32 Result; + EFI_STATUS AddStatus; =20 SignatureList =3D NULL; SignatureListSize =3D 0; 
@@ -1667,6 +1670,7 @@ DxeImageVerificationHandler ( Action =3D EFI_IMAGE_EXECUTION_AUTH_UNTESTED; IsVerified =3D FALSE; IsFound =3D FALSE; + Result =3D 0; =20 // // Check the image type and get policy setting. @@ -1850,9 +1854,9 @@ DxeImageVerificationHandler ( // The first certificate starts at offset (SecDataDir->VirtualAddress) f= rom the start of the file. // for (OffSet =3D SecDataDir->VirtualAddress; - OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size); - OffSet +=3D (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate-= >dwLength))) { + (OffSet >=3D SecDataDir->VirtualAddress) && (OffSet < (SecDataDir->= VirtualAddress + SecDataDir->Size));) { WinCertificate =3D (WIN_CERTIFICATE *) (mImageBase + OffSet); + AlignedLength =3D WinCertificate->dwLength + ALIGN_SIZE (WinCertificat= e->dwLength); if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <=3D size= of (WIN_CERTIFICATE) || (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) < WinCert= ificate->dwLength) { break; @@ -1881,7 +1885,7 @@ DxeImageVerificationHandler ( break; } if (!CompareGuid (&WinCertUefiGuid->CertType, &gEfiCertPkcs7Guid)) { - continue; + goto NEXT_LOOP; } AuthData =3D WinCertUefiGuid->CertData; AuthDataSize =3D WinCertUefiGuid->Hdr.dwLength - OFFSET_OF(WIN_CERTI= FICATE_UEFI_GUID, CertData); @@ -1889,12 +1893,12 @@ DxeImageVerificationHandler ( if (WinCertificate->dwLength < sizeof (WIN_CERTIFICATE)) { break; } - continue; + goto NEXT_LOOP; } =20 HashStatus =3D HashPeImageByType (AuthData, AuthDataSize); if (EFI_ERROR (HashStatus)) { - continue; + goto NEXT_LOOP; } =20 // 
@@ -1946,6 +1950,13 @@ DxeImageVerificationHandler ( DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but = signature is not allowed by DB and %s hash of image is not found in DB/DBX.= \n", mHashTypeStr)); } } + +NEXT_LOOP: + AddStatus =3D SafeUint32Add (OffSet, AlignedLength, &Result); + if (EFI_ERROR (AddStatus)) { + break; + } + OffSet =3D Result; } =20 if (OffSet !=3D (SecDataDir->VirtualAddress + SecDataDir->Size)) { --=20 2.20.1.windows.1

View/Reply Online (#64060): https://edk2.groups.io/g/devel/message/64060
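Review bot: the [LibraryClasses] hunk in DxeImageVerificationLib.inf introduces a new dependency on SafeIntLib, so every DSC that builds this library must now resolve a SafeIntLib instance or the build fails at link time; the commit message says nothing about this, and the series should either state which platform DSCs were checked or include the needed library mappings so that the change can be built as posted.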
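Review bot: in the loop hunk at line 1854 of DxeImageVerificationLib.c, `AlignedLength = WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength)` is still a plain UINT32 addition, so any dwLength of 0xFFFFFFF9 or above wraps AlignedLength to a small value before SafeUint32Add ever sees it; the remaining-size check two lines below happens to reject such lengths for any directory that is not almost 4 GiB, but the intermediate wrap should be made impossible rather than relied upon, for instance by computing AlignedLength with SafeUint32Add as well or by checking `WinCertificate->dwLength > MAX_UINT32 - ALIGN_SIZE (WinCertificate->dwLength)` first. The same applies to `SecDataDir->VirtualAddress + SecDataDir->Size` in the loop condition, which is unchecked and evaluated on every iteration; compute it once into a validated end variable before the loop. With the addition checked, the new `(OffSet >= SecDataDir->VirtualAddress)` term is redundant, since OffSet starts at VirtualAddress, only grows, and the loop now breaks on wrap.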
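Review bot: replacing `continue` with `goto NEXT_LOOP` in the hunk at line 1885 (and again in the hunk at line 1893) leaves the for-statement with an empty increment clause and a label at the bottom of the body standing in for the increment, which is harder to follow than the original loop. A simpler shape that keeps plain `continue` working: right after AlignedLength is computed, do `if (EFI_ERROR (SafeUint32Add (OffSet, AlignedLength, &NextOffSet))) { break; }` and put `OffSet = NextOffSet` back into the increment clause of the for-statement; the overflow is then rejected at the top of the iteration and no goto is needed.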
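Review bot: in the NEXT_LOOP hunk at line 1950, the `break` on overflow exits with OffSet still at the last header parsed, so the `if (OffSet != (SecDataDir->VirtualAddress + SecDataDir->Size))` check right below correctly treats the image as failing verification, but nothing tells a reader that this is deliberate rejection rather than a benign early exit; add a comment at the label saying so and a DEBUG message on the error path matching the style of the existing DEBUG_INFO prints, so that a rejected image can be diagnosed from the log. Consider also renaming `Result` to something like `NextOffSet`, since at this point it holds the candidate offset of the next certificate, not a generic result.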
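The wrap-around the commit message describes, as an added C model (not edk2 code and not part of this patch): it reproduces the UINT32 offset arithmetic of the certificate-table walk over a constructed directory and runs it once with the pre-patch plain addition and once with a SafeUint32Add-style checked addition. The image contents, the 8-byte ALIGN_SIZE rounding, the header size and the step bound are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Model of the certificate-table walk in DxeImageVerificationHandler.
 * Offsets are UINT32 as in the original; only dwLength is consulted. */
#define ALIGN_SIZE(n) (((n) & 7u) ? (8u - ((n) & 7u)) : 0u)  /* 8-byte alignment */
#define WIN_CERT_HDR  8u    /* stands in for sizeof (WIN_CERTIFICATE) */
#define MAX_STEPS     64    /* bound so the unchecked walk cannot hang the demo */

/* Constructed "image": the dwLength of the header found at each offset.
 * 0x1000: one well-formed certificate exactly filling a 0x100-byte table.
 * 0xFFFFFF00: 0xFD bytes, which pads to 0x100 and wraps past UINT32_MAX. */
static uint32_t read_dwlength(uint32_t offset) {
  if (offset == 0x1000u)     return 0x100u;
  if (offset == 0xFFFFFF00u) return 0xFDu;
  return 0u;
}

/* Equivalent of SafeUint32Add: false (no result) when a + b would wrap. */
static bool safe_u32_add(uint32_t a, uint32_t b, uint32_t *out) {
  if (a > UINT32_MAX - b) return false;
  *out = a + b;
  return true;
}

/* Walk the security directory [va, va + size).
 * Returns 0 when the walk ends exactly at the directory end (accepted),
 * 1 when it breaks early (rejected), 2 when it exceeds MAX_STEPS (hang). */
int walk_cert_table(uint32_t va, uint32_t size, bool checked) {
  uint32_t end = va + size;   /* unchecked here, as in the patch */
  uint32_t off = va;
  for (int steps = 0; off < end; steps++) {
    if (steps >= MAX_STEPS) return 2;
    uint32_t left  = end - off;
    uint32_t dwlen = read_dwlength(off);
    if (left <= WIN_CERT_HDR || left < dwlen) break;   /* existing size checks */
    uint32_t aligned = dwlen + ALIGN_SIZE(dwlen);
    if (checked) {
      uint32_t next;
      if (!safe_u32_add(off, aligned, &next)) break;   /* patched: reject on wrap */
      off = next;
    } else {
      off += aligned;   /* pre-patch: 0xFFFFFF00 + 0x100 wraps to 0 */
    }
  }
  return off == end ? 0 : 1;
}
```

Calling `walk_cert_table(0xFFFFFF00u, 0xFFu, false)` and then the same with `true` shows the unbounded walk from offset 0 turning into an early rejection, while the well-formed table at 0x1000 is accepted either way.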