1. Patchew
  2. EDK2
  3. [edk2-devel] [PATCH 0/9] Fix false negative issue in DxeImageVerificationHandler
  4. View patch

[edk2-devel] [PATCH 8/9] SecurityPkg/DxeImageVerificationLib: plug Data leak in IsForbiddenByDbx()(CVE-2019-14575)

Wang, Jian J posted 9 patches 4 years, 9 months ago
There is a newer version of this series
[edk2-devel] [PATCH 8/9] SecurityPkg/DxeImageVerificationLib: plug Data leak in IsForbiddenByDbx()(CVE-2019-14575)
Posted by Wang, Jian J 4 years, 9 months ago 
From: Laszlo Ersek <lersek@redhat.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608

If the second GetVariable() call for "dbx" fails, in IsForbiddenByDbx(),
we have to free Data. Jump to "Done" for that.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 2236ce98ce..5b7a67f811 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1274,7 +1274,7 @@ IsForbiddenByDbx (
 
   Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, (VOID *) Data);
   if (EFI_ERROR (Status)) {
-    return IsForbidden;
+    goto Done;
   }
 
   //
-- 
2.24.0.windows.2


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#53874): https://edk2.groups.io/g/devel/message/53874
Mute This Topic: https://groups.io/mt/71023426/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 8/9] SecurityPkg/DxeImageVerificationLib: plug Data leak in IsForbiddenByDbx()(CVE-2019-14575)
Posted by Yao, Jiewen 4 years, 9 months ago 
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

> -----Original Message-----
> From: Wang, Jian J <jian.j.wang@intel.com>
> Sent: Thursday, February 6, 2020 10:20 PM
> To: devel@edk2.groups.io
> Cc: Laszlo Ersek <lersek@redhat.com>; Yao, Jiewen <jiewen.yao@intel.com>;
> Zhang, Chao B <chao.b.zhang@intel.com>
> Subject: [PATCH 8/9] SecurityPkg/DxeImageVerificationLib: plug Data leak in
> IsForbiddenByDbx()(CVE-2019-14575)
> 
> From: Laszlo Ersek <lersek@redhat.com>
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
> 
> If the second GetVariable() call for "dbx" fails, in IsForbiddenByDbx(),
> we have to free Data. Jump to "Done" for that.
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Chao Zhang <chao.b.zhang@intel.com>
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
>  .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c   | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 2236ce98ce..5b7a67f811 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1274,7 +1274,7 @@ IsForbiddenByDbx (
> 
> 
>    Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1,
> &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, (VOID *) Data);
> 
>    if (EFI_ERROR (Status)) {
> 
> -    return IsForbidden;
> 
> +    goto Done;
> 
>    }
> 
> 
> 
>    //
> 
> --
> 2.24.0.windows.2


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#54353): https://edk2.groups.io/g/devel/message/54353
Mute This Topic: https://groups.io/mt/71023426/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 8/9] SecurityPkg/DxeImageVerificationLib: plug Data leak in IsForbiddenByDbx()(CVE-2019-14575)
Posted by Philippe Mathieu-Daudé 4 years, 9 months ago 
On 2/6/20 3:19 PM, Wang, Jian J wrote:
> From: Laszlo Ersek <lersek@redhat.com>
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608

What a painful review...

> If the second GetVariable() call for "dbx" fails, in IsForbiddenByDbx(),
> we have to free Data. Jump to "Done" for that.
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Chao Zhang <chao.b.zhang@intel.com>
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
>   .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c   | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 2236ce98ce..5b7a67f811 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1274,7 +1274,7 @@ IsForbiddenByDbx (
>   
>     Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, (VOID *) Data);
>     if (EFI_ERROR (Status)) {
> -    return IsForbidden;
> +    goto Done;
>     }
>   
>     //
> 

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#54369): https://edk2.groups.io/g/devel/message/54369
Mute This Topic: https://groups.io/mt/71023426/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Patchew 2.1-devel-b67e4c2

© 2016 - 2024 Red Hat, Inc.