From: "Wang, Jian J"
To: devel@edk2.groups.io
Cc: Jiewen Yao , Chao Zhang
Subject: [edk2-devel] [PATCH 3/9] SecurityPkg/DxeImageVerificationLib: fix wrong fetching dbx in IsAllowedByDb(CVE-2019-14575)
Date: Thu, 6 Feb 2020 22:19:27 +0800
Message-Id: <20200206141933.356-4-jian.j.wang@intel.com>
In-Reply-To: <20200206141933.356-1-jian.j.wang@intel.com>
References: <20200206141933.356-1-jian.j.wang@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608

Normally two calls to gRT->GetVariable() are needed to get the data of a
variable: get the variable size by passing zero variable size, and then
allocate enough memory and pass the correct variable size and buffer.

But in the inner loop in IsAllowedByDb(), the DbxDataSize was not
initialized to zero before calling gRT->GetVariable(). It won't cause a
problem if dbx does not exist. But it will give a wrong result if dbx
exists and the DbxDataSize happens to be a small enough value. In this
situation, EFI_BUFFER_TOO_SMALL will be returned. Then the result check
code that follows will jump to 'Done', which is not correct because it's
actually the value expected.

    if (Status == EFI_BUFFER_TOO_SMALL) {
      goto Done;
    }

Cc: Jiewen Yao
Cc: Chao Zhang
Signed-off-by: Jian J Wang
Reviewed-by: Jiewen Yao
--- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index 5dcd6efed5..1efb2f96cd 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1456,8 +1456,9 @@ IsAllowedByDb ( // // Here We still need to check if this RootCert's Hash is revo= ked // + DbxDataSize =3D 0; Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &= gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, NULL); - if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { + if (Status !=3D EFI_BUFFER_TOO_SMALL) { goto Done; } DbxData =3D (UINT8 *) AllocateZeroPool (DbxDataSize); --=20 2.24.0.windows.2
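Review bot: The inverted check `if (Status != EFI_BUFFER_TOO_SMALL) { goto Done; }` after the size-probing GetVariable() call sends every other status to `Done` through one path, so an absent dbx (EFI_NOT_FOUND) and a genuine read failure are treated alike. Because this branch decides whether the root certificate's hash is ever compared against dbx, the result left at `Done` should be explicit for each case: keep the db match when dbx does not exist, and fail closed (reject the image) on any other error, for example by clearing the verification result unless Status is EFI_NOT_FOUND. A short comment above `DbxDataSize = 0;` saying that the size must be zero for the probing call would also help keep the initialization from being dropped in a later cleanup.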