From: "Wang, Jian J"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Chao Zhang
Subject: [edk2-devel] [PATCH v2 01/10] SecurityPkg/DxeImageVerificationLib: Fix memory leaks(CVE-2019-14575)
Date: Fri, 14 Feb 2020 15:27:36 +0800
Message-Id: <20200214072745.1570-2-jian.j.wang@intel.com>
In-Reply-To: <20200214072745.1570-1-jian.j.wang@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608

Pointer HashCtx used in IsCertHashFoundInDatabase() is not freed inside the while-loop, if it will run more than once.

Cc: Jiewen Yao
Cc: Chao Zhang
Signed-off-by: Jian J Wang
Reviewed-by: Jiewen Yao
--- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index dbfbfcb4fb..74dbffa122 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -908,6 +908,9 @@ IsCertHashFoundInDatabase ( goto Done; } =20 + FreePool (HashCtx); + HashCtx =3D NULL; + SiglistHeaderSize =3D sizeof (EFI_SIGNATURE_LIST) + DbxList->Signature= HeaderSize; CertHash =3D (EFI_SIGNATURE_DATA *) ((UINT8 *) DbxList + Sigl= istHeaderSize); CertHashCount =3D (DbxList->SignatureListSize - SiglistHeaderSize)= / DbxList->SignatureSize; --=20 2.24.0.windows.2
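
Review bot: The added FreePool (HashCtx) / HashCtx = NULL pair runs only after the hashing calls have succeeded, so the goto Done exit in the context line just above it still leaves the loop with HashCtx allocated. This hunk does not show what Done does with the pointer; please confirm that Done frees a non-NULL HashCtx, and add a one-line comment saying the NULL assignment is there so that cleanup cannot free the same pointer a second time.
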
From: "Wang, Jian J"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Chao Zhang, Laszlo Ersek
Subject: [edk2-devel] [PATCH v2 02/10] SecurityPkg/DxeImageVerificationLib: reject CertStack.CertNumber==0 per DBX(CVE-2019-14575)
Date: Fri, 14 Feb 2020 15:27:37 +0800
Message-Id: <20200214072745.1570-3-jian.j.wang@intel.com>
In-Reply-To: <20200214072745.1570-1-jian.j.wang@intel.com>

In case the signers' certificate stack, retrieved from the PE/COFF image's Authenticode blob, has zero elements (=there are zero signer certificates), then we should consider the image forbidden by DBX, not accepted by DBX.

Cc: Jiewen Yao
Cc: Chao Zhang
Signed-off-by: Jian J Wang
Reviewed-by: Laszlo Ersek
Reviewed-by: Jiewen Yao
--- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index 74dbffa122..5dcd6efed5 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
@@ -1326,7 +1326,7 @@ IsForbiddenByDbx ( // UINT8 Certn[]; // Pkcs7GetSigners (AuthData, AuthDataSize, &CertBuffer, &BufferLength, &Tr= ustedCert, &TrustedCertLength); - if ((BufferLength =3D=3D 0) || (CertBuffer =3D=3D NULL)) { + if ((BufferLength =3D=3D 0) || (CertBuffer =3D=3D NULL) || (*CertBuffer)= =3D=3D 0) { IsForbidden =3D TRUE; goto Done; } --=20 2.24.0.windows.2
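
Review bot: In the new condition the third operand is written (*CertBuffer) == 0, unlike the two fully parenthesised comparisons before it, and nothing at the test says that the first byte of CertBuffer is the certificate count. Suggest (*CertBuffer == 0) with a short comment naming that field, since the layout comment above is the only thing tying the byte to CertNumber. The return value of Pkcs7GetSigners() on the context line above is also discarded, so this test is the only failure check; please confirm BufferLength and CertBuffer are initialised before the call.
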
From: "Wang, Jian J"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Chao Zhang
Subject: [edk2-devel] [PATCH v2 03/10] SecurityPkg/DxeImageVerificationLib: fix wrong fetch dbx in IsAllowedByDb(CVE-2019-14575)
Date: Fri, 14 Feb 2020 15:27:38 +0800
Message-Id: <20200214072745.1570-4-jian.j.wang@intel.com>
In-Reply-To: <20200214072745.1570-1-jian.j.wang@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608

Normally two times of calling gRT->GetVariable() are needed to get the data of a variable: get the variable size by passing zero variable size, and then allocate enough memory and pass the correct variable size and buffer.

But in the inner loop in IsAllowedByDb(), the DbxDataSize was not initialized to zero before calling gRT->GetVariable(). It won't cause problem if dbx does not exist. But it will give wrong result if dbx exists and the DbxDataSize happens to be a small enough value. In this situation, EFI_BUFFER_TOO_SMALL will be returned. Then the result check code followed will jump to 'Done', which is not correct because it's actually the value expected.

    if (Status == EFI_BUFFER_TOO_SMALL) {
      goto Done;
    }

Cc: Jiewen Yao
Cc: Chao Zhang
Signed-off-by: Jian J Wang
Reviewed-by: Jiewen Yao
--- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index 5dcd6efed5..1efb2f96cd 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1456,8 +1456,9 @@ IsAllowedByDb ( // // Here We still need to check if this RootCert's Hash is revo= ked // + DbxDataSize =3D 0; Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &= gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, NULL); - if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { + if (Status !=3D EFI_BUFFER_TOO_SMALL) { goto Done; } DbxData =3D (UINT8 *) AllocateZeroPool (DbxDataSize); --=20 2.24.0.windows.2
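
Review bot: After the inversion, if (Status != EFI_BUFFER_TOO_SMALL) { goto Done; } sends every other status to Done in the same way, so a missing dbx (EFI_NOT_FOUND) and a failed read are indistinguishable at this exit. The comment above the call says this code decides whether the root cert is revoked, so an unreadable dbx should not end in the same verdict as an absent one. Suggest handling EFI_NOT_FOUND separately in this hunk, or saying in the commit message that 04/10 adds that distinction.
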
From: "Wang, Jian J"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Chao Zhang
Subject: [edk2-devel] [PATCH v2 04/10] SecurityPkg/DxeImageVerificationLib: avoid bypass in fetching dbx(CVE-2019-14575)
Date: Fri, 14 Feb 2020 15:27:39 +0800
Message-Id: <20200214072745.1570-5-jian.j.wang@intel.com>
In-Reply-To: <20200214072745.1570-1-jian.j.wang@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608

In timestamp check after the cert is found in db, the original code jumps to 'Done' if any error happens in fetching dbx variable. At any of the jumps, VerifyStatus equals to TRUE, which means allowed-by-db. This should not be allowed except in the EFI_NOT_FOUND case (meaning dbx doesn't exist), because it could be used to bypass timestamp check.

This patch adds code to change VerifyStatus to FALSE in the case of memory allocation failure and dbx fetching failure to avoid potential bypass issue.

Cc: Jiewen Yao
Cc: Chao Zhang
Signed-off-by: Jian J Wang
Reviewed-by: Jiewen Yao
--- .../DxeImageVerificationLib/DxeImageVerificationLib.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index 1efb2f96cd..ed5dbf26b0 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
@@ -1459,15 +1459,26 @@ IsAllowedByDb ( DbxDataSize =3D 0; Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &= gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, NULL); if (Status !=3D EFI_BUFFER_TOO_SMALL) { + if (Status !=3D EFI_NOT_FOUND) { + VerifyStatus =3D FALSE; + } goto Done; } DbxData =3D (UINT8 *) AllocateZeroPool (DbxDataSize); if (DbxData =3D=3D NULL) { + // + // Force not-allowed-by-db to avoid bypass + // + VerifyStatus =3D FALSE; goto Done; } =20 Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gE= fiImageSecurityDatabaseGuid, NULL, &DbxDataSize, (VOID *) DbxData); if (EFI_ERROR (Status)) { + // + // Force not-allowed-by-db to avoid bypass + // + VerifyStatus =3D FALSE; goto Done; } =20 --=20 2.24.0.windows.2
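
Review bot: The first added branch, if (Status != EFI_NOT_FOUND) { VerifyStatus = FALSE; }, is the only one of the three without the "Force not-allowed-by-db to avoid bypass" comment, and it is the one that most needs explaining, because it deliberately leaves VerifyStatus unchanged when dbx does not exist. Suggest a comment there saying that EFI_NOT_FOUND keeps the db verdict and every other status revokes it. The same assignment now precedes three separate goto Done exits; a single failure label that clears VerifyStatus would keep a future exit from missing it.
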
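
The dbx fetch that the commit messages of 03/10 and 04/10 describe, as an added example that is not code from this series or from edk2: a two-call read whose size query starts from zero, and a verdict that is refused on every dbx read failure except "not found". The variable store, the flat list of 4-byte hashes and all names (mock_get_variable, fetch_dbx, allowed_by_db) are constructed for illustration, and the timestamp check is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status names mirror the UEFI codes in the patches; values are local to this sketch. */
typedef enum { ST_SUCCESS, ST_BUFFER_TOO_SMALL, ST_NOT_FOUND,
               ST_INVALID_PARAMETER, ST_DEVICE_ERROR } status_t;

#define HASH_LEN 4  /* constructed: real dbx entries are EFI_SIGNATURE_LIST records */

/* Hypothetical stand-in for the firmware variable store. */
typedef struct {
    const uint8_t *data;   /* NULL: the variable does not exist */
    size_t         size;
    status_t       fault;  /* ST_SUCCESS: behave normally; otherwise always fail with this */
} mock_var_t;

/* Follows the size contract the 03/10 commit message describes for GetVariable(). */
static status_t mock_get_variable(const mock_var_t *v, size_t *size, void *buf)
{
    if (v->fault != ST_SUCCESS) return v->fault;
    if (v->data == NULL)        return ST_NOT_FOUND;
    if (*size < v->size) { *size = v->size; return ST_BUFFER_TOO_SMALL; }
    if (buf == NULL)            return ST_INVALID_PARAMETER;
    memcpy(buf, v->data, v->size);
    *size = v->size;
    return ST_SUCCESS;
}

typedef enum { DBX_ABSENT, DBX_LOADED, DBX_FAILED } dbx_fetch_t;

/* Two-call fetch: size query with a zeroed size, then the real read. */
static dbx_fetch_t fetch_dbx(const mock_var_t *v, uint8_t **out, size_t *out_size)
{
    size_t   size = 0;   /* must start at 0, or the size query means nothing */
    uint8_t *buf;
    status_t st;

    *out = NULL;
    *out_size = 0;
    st = mock_get_variable(v, &size, NULL);
    if (st == ST_NOT_FOUND)        return DBX_ABSENT;  /* nothing is revoked */
    if (st != ST_BUFFER_TOO_SMALL) return DBX_FAILED;  /* every other status is an error */

    buf = calloc(1, size);
    if (buf == NULL) return DBX_FAILED;
    st = mock_get_variable(v, &size, buf);
    if (st != ST_SUCCESS) { free(buf); return DBX_FAILED; }
    *out = buf;
    *out_size = size;
    return DBX_LOADED;
}

/* Returns 1 if the image may run, 0 otherwise. fail_closed = 0 models the
 * pre-patch flow, where an early exit kept the "verified" verdict. */
static int allowed_by_db(int sig_verified, const mock_var_t *dbx,
                         const uint8_t *cert_hash, int fail_closed)
{
    uint8_t    *list = NULL;
    size_t      len = 0, off;
    int         allowed = 1;
    dbx_fetch_t got;

    if (!sig_verified) return 0;
    got = fetch_dbx(dbx, &list, &len);
    if (got == DBX_ABSENT) return 1;
    if (got == DBX_FAILED) return fail_closed ? 0 : 1;

    for (off = 0; off + HASH_LEN <= len; off += HASH_LEN) {
        if (memcmp(list + off, cert_hash, HASH_LEN) == 0) {
            allowed = 0;  /* revoked; the dbt timestamp check is omitted here */
            break;
        }
    }
    free(list);
    return allowed;
}

/* Constructed sample data: a dbx holding two hashes, and two signer hashes. */
static const uint8_t DBX_BYTES[] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 };
static const uint8_t REVOKED[HASH_LEN] = { 0x01, 0x02, 0x03, 0x04 };
static const uint8_t CLEAN[HASH_LEN]   = { 0xaa, 0xbb, 0xcc, 0xdd };

static const mock_var_t DBX_OK      = { DBX_BYTES, sizeof DBX_BYTES, ST_SUCCESS };
static const mock_var_t DBX_MISSING = { NULL, 0, ST_SUCCESS };
static const mock_var_t DBX_BROKEN  = { DBX_BYTES, sizeof DBX_BYTES, ST_DEVICE_ERROR };

int main(void)
{
    printf("dbx absent, clean cert        : %d\n", allowed_by_db(1, &DBX_MISSING, CLEAN, 1));
    printf("dbx readable, revoked cert    : %d\n", allowed_by_db(1, &DBX_OK, REVOKED, 1));
    printf("dbx unreadable, fail-closed   : %d\n", allowed_by_db(1, &DBX_BROKEN, REVOKED, 1));
    printf("dbx unreadable, pre-patch flow: %d\n", allowed_by_db(1, &DBX_BROKEN, REVOKED, 0));
    return 0;
}
```
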
From: "Wang, Jian J"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Chao Zhang
Subject: [edk2-devel] [PATCH v2 05/10] SecurityPkg/DxeImageVerificationLib: refactor db/dbx fetching code(CVE-2019-14575)
Date: Fri, 14 Feb 2020 15:27:40 +0800
Message-Id: <20200214072745.1570-6-jian.j.wang@intel.com>
In-Reply-To: <20200214072745.1570-1-jian.j.wang@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608

The dbx fetching code inside the while/for-loop causes code hard to understand. Since there's no need to get dbx more than once, this patch simplifies the code logic by moving related code to be outside the while-loop. db fetching code is also refined accordingly to reduce the indent level of code. More comments are also added or refined to explain more details.

Cc: Jiewen Yao
Cc: Chao Zhang
Signed-off-by: Jian J Wang
Reviewed-by: Jiewen Yao
--- .../DxeImageVerificationLib.c | 144 ++++++++++-------- 1 file changed, 83 insertions(+), 61 deletions(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index ed5dbf26b0..8739d1fa29 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
@@ -1412,76 +1412,92 @@ IsAllowedByDb ( RootCertSize =3D 0; VerifyStatus =3D FALSE; =20 + // + // Fetch 'db' content. If 'db' doesn't exist or encounters problem to ge= t the + // data, return not-allowed-by-db (FALSE). + // DataSize =3D 0; Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSe= curityDatabaseGuid, NULL, &DataSize, NULL); - if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { - Data =3D (UINT8 *) AllocateZeroPool (DataSize); - if (Data =3D=3D NULL) { - return VerifyStatus; + ASSERT (EFI_ERROR (Status)); + if (Status !=3D EFI_BUFFER_TOO_SMALL) { + return VerifyStatus; + } + + Data =3D (UINT8 *) AllocateZeroPool (DataSize); + if (Data =3D=3D NULL) { + return VerifyStatus; + } + + Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecu= rityDatabaseGuid, NULL, &DataSize, (VOID *) Data); + if (EFI_ERROR (Status)) { + goto Done; + } + + // + // Fetch 'dbx' content. If 'dbx' doesn't exist, continue to check 'db'. + // If any other errors occured, no need to check 'db' but just return + // not-allowed-by-db (FALSE) to avoid bypass. + // + DbxDataSize =3D 0; + Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiIma= geSecurityDatabaseGuid, NULL, &DbxDataSize, NULL); + ASSERT (EFI_ERROR (Status)); + if (Status !=3D EFI_BUFFER_TOO_SMALL) { + if (Status !=3D EFI_NOT_FOUND) { + goto Done; + } + // + // 'dbx' does not exist. Continue to check 'db'. + // + } else { + // + // 'dbx' exists. Get its content. + // + DbxData =3D (UINT8 *) AllocateZeroPool (DbxDataSize); + if (DbxData =3D=3D NULL) { + goto Done; } =20 - Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSe= curityDatabaseGuid, NULL, &DataSize, (VOID *) Data); + Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageS= ecurityDatabaseGuid, NULL, &DbxDataSize, (VOID *) DbxData); if (EFI_ERROR (Status)) { goto Done; } + } =20 - // - // Find X509 certificate in Signature List to verify the signature in = pkcs7 signed data. 
- // - CertList =3D (EFI_SIGNATURE_LIST *) Data; - while ((DataSize > 0) && (DataSize >=3D CertList->SignatureListSize)) { - if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) { - CertData =3D (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof = (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); - CertCount =3D (CertList->SignatureListSize - sizeof (EFI_SIGNATURE= _LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize; + // + // Find X509 certificate in Signature List to verify the signature in pk= cs7 signed data. + // + CertList =3D (EFI_SIGNATURE_LIST *) Data; + while ((DataSize > 0) && (DataSize >=3D CertList->SignatureListSize)) { + if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) { + CertData =3D (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (E= FI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); + CertCount =3D (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_L= IST) - CertList->SignatureHeaderSize) / CertList->SignatureSize; =20 - for (Index =3D 0; Index < CertCount; Index++) { - // - // Iterate each Signature Data Node within this CertList for ver= ify. - // - RootCert =3D CertData->SignatureData; - RootCertSize =3D CertList->SignatureSize - sizeof (EFI_GUID); + for (Index =3D 0; Index < CertCount; Index++) { + // + // Iterate each Signature Data Node within this CertList for verif= y. + // + RootCert =3D CertData->SignatureData; + RootCertSize =3D CertList->SignatureSize - sizeof (EFI_GUID); =20 + // + // Call AuthenticodeVerify library to Verify Authenticode struct. + // + VerifyStatus =3D AuthenticodeVerify ( + AuthData, + AuthDataSize, + RootCert, + RootCertSize, + mImageDigest, + mImageDigestSize + ); + if (VerifyStatus) { // - // Call AuthenticodeVerify library to Verify Authenticode struct. + // The image is signed and its signature is found in 'db'. 
// - VerifyStatus =3D AuthenticodeVerify ( - AuthData, - AuthDataSize, - RootCert, - RootCertSize, - mImageDigest, - mImageDigestSize - ); - if (VerifyStatus) { + if (DbxData !=3D NULL) { // // Here We still need to check if this RootCert's Hash is revo= ked // - DbxDataSize =3D 0; - Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &= gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, NULL); - if (Status !=3D EFI_BUFFER_TOO_SMALL) { - if (Status !=3D EFI_NOT_FOUND) { - VerifyStatus =3D FALSE; - } - goto Done; - } - DbxData =3D (UINT8 *) AllocateZeroPool (DbxDataSize); - if (DbxData =3D=3D NULL) { - // - // Force not-allowed-by-db to avoid bypass - // - VerifyStatus =3D FALSE; - goto Done; - } - - Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gE= fiImageSecurityDatabaseGuid, NULL, &DbxDataSize, (VOID *) DbxData); - if (EFI_ERROR (Status)) { - // - // Force not-allowed-by-db to avoid bypass - // - VerifyStatus =3D FALSE; - goto Done; - } - if (IsCertHashFoundInDatabase (RootCert, RootCertSize, (EFI_SI= GNATURE_LIST *)DbxData, DbxDataSize, &RevocationTime)) { // // Check the timestamp signature and signing time to determi= ne if the RootCert can be trusted. 
@@ -1491,17 +1507,23 @@ IsAllowedByDb ( DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is sig= ned and signature is accepted by DB, but its root cert failed the timestamp= check.\n")); } } - - goto Done; } =20 - CertData =3D (EFI_SIGNATURE_DATA *) ((UINT8 *) CertData + CertLi= st->SignatureSize); + // + // There's no 'dbx' to check revocation time against (must-be pa= ss), + // or, there's revocation time found in 'dbx' and checked againt= 'dbt' + // (maybe pass or fail, depending on timestamp compare result). = Either + // way the verification job has been completed at this point. + // + goto Done; } - } =20 - DataSize -=3D CertList->SignatureListSize; - CertList =3D (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->= SignatureListSize); + CertData =3D (EFI_SIGNATURE_DATA *) ((UINT8 *) CertData + CertList= ->SignatureSize); + } } + + DataSize -=3D CertList->SignatureListSize; + CertList =3D (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->Si= gnatureListSize); } =20 Done: --=20 2.24.0.windows.2
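
Review bot: In the first hunk the EFI_NOT_FOUND path leaves DbxData untouched, and the later test if (DbxData != NULL) treats NULL as "dbx does not exist", so the refactored flow is only correct if DbxData is NULL on entry. The hunk shows RootCertSize and VerifyStatus being initialised but not DbxData; please confirm the initialisation or add it next to them. The two ASSERT (EFI_ERROR (Status)) lines are the only explicit guard against a size query that unexpectedly succeeds, so the status tests after them have to fail safe by themselves in builds where ASSERT does nothing. They do here, since both paths end with VerifyStatus still FALSE, and that deserves a comment. The new comments also carry the typos "occured" in the first hunk and "againt" in the second.
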
From: "Wang, Jian J"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Chao Zhang, Laszlo Ersek
Subject: [edk2-devel] [PATCH v2 06/10] SecurityPkg/DxeImageVerificationLib: Differentiate error/search result (1)(CVE-2019-14575)
Date: Fri, 14 Feb 2020 15:27:41 +0800
Message-Id: <20200214072745.1570-7-jian.j.wang@intel.com>
In-Reply-To: <20200214072745.1570-1-jian.j.wang@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608

To avoid false-negative issue in check hash against dbx, both error condition (as return value) and check result (as out parameter) of IsCertHashFoundInDatabase() are added. So the caller of this function will know exactly if a failure is caused by a black list hit or other error happening, and enforce a more secure operation to prevent secure boot from being bypassed. For a white list check (db), there's no such necessity.

Cc: Jiewen Yao
Cc: Chao Zhang
Signed-off-by: Jian J Wang
Signed-off-by: Laszlo Ersek
Reviewed-by: Jiewen Yao
--- .../DxeImageVerificationLib.c | 64 ++++++++++++------- 1 file changed, 42 insertions(+), 22 deletions(-)
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index 8739d1fa29..85261ba7f2 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -822,22 +822,23 @@ AddImageExeInfo ( @param[in] SignatureList Pointer to the Signature List in forbidden= database. @param[in] SignatureListSize Size of Signature List. @param[out] RevocationTime Return the time that the certificate was r= evoked. + @param[out] IsFound Search result. Only valid if EFI_SUCCESS r= eturned. =20 - @return TRUE The certificate hash is found in the forbidden database. - @return FALSE The certificate hash is not found in the forbidden databa= se. + @retval EFI_SUCCESS Finished the search without any error. + @retval Others Error occurred in the search of database. =20 **/ -BOOLEAN +EFI_STATUS IsCertHashFoundInDatabase ( IN UINT8 *Certificate, IN UINTN CertSize, IN EFI_SIGNATURE_LIST *SignatureList, IN UINTN SignatureListSize, - OUT EFI_TIME *RevocationTime + OUT EFI_TIME *RevocationTime, + OUT BOOLEAN *IsFound ) { - BOOLEAN IsFound; - BOOLEAN Status; + EFI_STATUS Status; EFI_SIGNATURE_LIST *DbxList; UINTN DbxSize; EFI_SIGNATURE_DATA *CertHash; @@ -851,21 +852,22 @@ IsCertHashFoundInDatabase ( UINT8 *TBSCert; UINTN TBSCertSize; =20 - IsFound =3D FALSE; + Status =3D EFI_ABORTED; + *IsFound =3D FALSE; DbxList =3D SignatureList; DbxSize =3D SignatureListSize; HashCtx =3D NULL; HashAlg =3D HASHALG_MAX; =20 if ((RevocationTime =3D=3D NULL) || (DbxList =3D=3D NULL)) { - return FALSE; + return EFI_INVALID_PARAMETER; } =20 // // Retrieve the TBSCertificate from the X.509 Certificate. // if (!X509GetTBSCert (Certificate, CertSize, &TBSCert, &TBSCertSize)) { - return FALSE; + return Status; } =20 while ((DbxSize > 0) && (SignatureListSize >=3D DbxList->SignatureListSi= ze)) { 
@@ -895,16 +897,13 @@ IsCertHashFoundInDatabase ( if (HashCtx =3D=3D NULL) { goto Done; } - Status =3D mHash[HashAlg].HashInit (HashCtx); - if (!Status) { + if (!mHash[HashAlg].HashInit (HashCtx)) { goto Done; } - Status =3D mHash[HashAlg].HashUpdate (HashCtx, TBSCert, TBSCertSize); - if (!Status) { + if (!mHash[HashAlg].HashUpdate (HashCtx, TBSCert, TBSCertSize)) { goto Done; } - Status =3D mHash[HashAlg].HashFinal (HashCtx, CertDigest); - if (!Status) { + if (!mHash[HashAlg].HashFinal (HashCtx, CertDigest)) { goto Done; } =20 @@ -923,7 +922,8 @@ IsCertHashFoundInDatabase ( // // Hash of Certificate is found in forbidden database. // - IsFound =3D TRUE; + Status =3D EFI_SUCCESS; + *IsFound =3D TRUE; =20 // // Return the revocation time. @@ -938,12 +938,14 @@ IsCertHashFoundInDatabase ( DbxList =3D (EFI_SIGNATURE_LIST *) ((UINT8 *) DbxList + DbxList->Sign= atureListSize); } =20 + Status =3D EFI_SUCCESS; + Done: if (HashCtx !=3D NULL) { FreePool (HashCtx); } =20 - return IsFound; + return Status; } =20 /** @@ -1216,6 +1218,7 @@ IsForbiddenByDbx ( { EFI_STATUS Status; BOOLEAN IsForbidden; + BOOLEAN IsFound; UINT8 *Data; UINTN DataSize; EFI_SIGNATURE_LIST *CertList; 
@@ -1344,20 +1347,29 @@ IsForbiddenByDbx ( // CertPtr =3D CertPtr + sizeof (UINT32) + CertSize; =20 - if (IsCertHashFoundInDatabase (Cert, CertSize, (EFI_SIGNATURE_LIST *)D= ata, DataSize, &RevocationTime)) { + Status =3D IsCertHashFoundInDatabase (Cert, CertSize, (EFI_SIGNATURE_L= IST *)Data, DataSize, &RevocationTime, &IsFound); + if (EFI_ERROR (Status)) { // - // Check the timestamp signature and signing time to determine if th= e image can be trusted. + // Error in searching dbx. Consider it as 'found'. RevocationTime mi= ght + // not be valid in such situation. // IsForbidden =3D TRUE; + } else if (IsFound) { + // + // Found Cert in dbx successfully. Check the timestamp signature and + // signing time to determine if the image can be trusted. + // if (PassTimestampCheck (AuthData, AuthDataSize, &RevocationTime)) { IsForbidden =3D FALSE; // // Pass DBT check. Continue to check other certs in image signer's= cert list against DBX, DBT // continue; + } else { + IsForbidden =3D TRUE; + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but = signature failed the timestamp check.\n")); + goto Done; } - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but si= gnature failed the timestamp check.\n")); - goto Done; } =20 } @@ -1392,6 +1404,7 @@ IsAllowedByDb ( { EFI_STATUS Status; BOOLEAN VerifyStatus; + BOOLEAN IsFound; EFI_SIGNATURE_LIST *CertList; EFI_SIGNATURE_DATA *CertData; UINTN DataSize; 
@@ -1498,7 +1511,14 @@ IsAllowedByDb ( // // Here We still need to check if this RootCert's Hash is revo= ked // - if (IsCertHashFoundInDatabase (RootCert, RootCertSize, (EFI_SI= GNATURE_LIST *)DbxData, DbxDataSize, &RevocationTime)) { + Status =3D IsCertHashFoundInDatabase (RootCert, RootCertSize, = (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, &RevocationTime, &IsFound); + if (EFI_ERROR (Status)) { + // + // Error in searching dbx. Consider it as 'found'. Revocatio= nTime might + // not be valid in such situation. + // + VerifyStatus =3D FALSE; + } else if (IsFound) { // // Check the timestamp signature and signing time to determi= ne if the RootCert can be trusted. // --=20 2.24.0.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#54422): https://edk2.groups.io/g/devel/message/54422 Mute This Topic: https://groups.io/mt/71264904/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Wed Apr 24 21:21:27 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+54423+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+54423+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1581665275000252.00118622650018; Thu, 13 Feb 2020 23:27:55 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id Bd2eYY1788612xkHRYoszi8a; Thu, 13 Feb 2020 23:27:54 -0800 X-Received: from mga04.intel.com (mga04.intel.com []) by mx.groups.io with SMTP id 
From: "Wang, Jian J"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Chao Zhang, Laszlo Ersek
Subject: [edk2-devel] [PATCH v2 07/10] SecurityPkg/DxeImageVerificationLib: tighten default result(CVE-2019-14575)
Date: Fri, 14 Feb 2020 15:27:42 +0800
Message-Id: <20200214072745.1570-8-jian.j.wang@intel.com>
In-Reply-To: <20200214072745.1570-1-jian.j.wang@intel.com>
References: <20200214072745.1570-1-jian.j.wang@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608

All intermediate results inside this function will be checked and returned immediately upon any failure or error, like out-of-resource, hash calculation error or certificate retrieval failure.

Cc: Jiewen Yao
Cc: Chao Zhang
Signed-off-by: Jian J Wang Signed-off-by: Laszlo Ersek Reviewed-by: Jiewen Yao --- .../DxeImageVerificationLib/DxeImageVerificationLib.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index 85261ba7f2..470a0d20ef 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1240,7 +1240,7 @@ IsForbiddenByDbx ( // // Variable Initialization // - IsForbidden =3D FALSE; + IsForbidden =3D TRUE; Data =3D NULL; CertList =3D NULL; CertData =3D NULL; @@ -1257,7 +1257,14 @@ IsForbiddenByDbx ( // DataSize =3D 0; Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageS= ecurityDatabaseGuid, NULL, &DataSize, NULL); + ASSERT (EFI_ERROR (Status)); if (Status !=3D EFI_BUFFER_TOO_SMALL) { + if (Status =3D=3D EFI_NOT_FOUND) { + // + // Evidently not in dbx if the database doesn't exist. + // + IsForbidden =3D FALSE; + } return IsForbidden; } Data =3D (UINT8 *) AllocateZeroPool (DataSize); 
@@ -1374,6 +1381,8 @@ IsForbiddenByDbx ( =20 } =20 + IsForbidden =3D FALSE; + Done: if (Data !=3D NULL) { FreePool (Data); --=20 2.24.0.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#54423): https://edk2.groups.io/g/devel/message/54423 Mute This Topic: https://groups.io/mt/71264905/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Wed Apr 24 21:21:27 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+54424+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+54424+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1581665275806389.1402609155109; Thu, 13 Feb 2020 23:27:55 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id cqBpYY1788612xBzPzRkby8r; Thu, 13 Feb 2020 23:27:55 -0800 X-Received: from mga04.intel.com (mga04.intel.com []) by mx.groups.io with SMTP id smtpd.web11.3343.1581665266656025367 for ; Thu, 13 Feb 2020 23:27:54 -0800 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Feb 2020 23:27:54 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,439,1574150400"; d="scan'208";a="347904235" X-Received: from shwdeopensfp777.ccr.corp.intel.com ([10.239.158.78]) by fmsmga001.fm.intel.com with ESMTP; 13 Feb 2020 23:27:53 -0800 
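Review bot: The unconditional "IsForbidden = FALSE;" added just before the Done label in IsForbiddenByDbx() is reached by every path that leaves the certificate loop without a goto, and that includes the lookup-error branch from patch 06/10, which sets IsForbidden = TRUE but does not jump. As far as these hunks show, a dbx search error on a certificate is therefore reported as not forbidden once the loop ends, which is the opposite of what that branch's comment ("Consider it as 'found'") intends. Add "goto Done;" to the error branch, or keep the fail-closed result in a separate flag that this assignment cannot overwrite.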
From: "Wang, Jian J"
To: devel@edk2.groups.io
Cc: Laszlo Ersek, Jiewen Yao, Chao Zhang
Subject: [edk2-devel] [PATCH v2 08/10] SecurityPkg/DxeImageVerificationLib: plug Data leak in IsForbiddenByDbx()(CVE-2019-14575)
Date: Fri, 14 Feb 2020 15:27:43 +0800
Message-Id: <20200214072745.1570-9-jian.j.wang@intel.com>
In-Reply-To: <20200214072745.1570-1-jian.j.wang@intel.com>
References: <20200214072745.1570-1-jian.j.wang@intel.com>

From: Laszlo Ersek

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608

If the second GetVariable() call for "dbx" fails, in IsForbiddenByDbx(), we have to free Data. Jump to "Done" for that.

Cc: Jiewen Yao
Cc: Chao Zhang
Signed-off-by: Laszlo Ersek
Reviewed-by: Jiewen Yao
---
 .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index 470a0d20ef..f20640af68 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
@@ -1274,7 +1274,7 @@ IsForbiddenByDbx ( =20 Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSec= urityDatabaseGuid, NULL, &DataSize, (VOID *) Data); if (EFI_ERROR (Status)) { - return IsForbidden; + goto Done; } =20 // --=20 2.24.0.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#54424): https://edk2.groups.io/g/devel/message/54424 Mute This Topic: https://groups.io/mt/71264906/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Wed Apr 24 21:21:27 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+54425+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+54425+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1581665277510237.9551007608925; Thu, 13 Feb 2020 23:27:57 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id McWBYY1788612xQ8RNiH5qJC; Thu, 13 Feb 2020 23:27:56 -0800 X-Received: from mga04.intel.com (mga04.intel.com []) by mx.groups.io with SMTP id smtpd.web11.3343.1581665266656025367 for ; Thu, 13 Feb 2020 23:27:56 -0800 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Feb 2020 23:27:55 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,439,1574150400"; d="scan'208";a="347904238" X-Received: from shwdeopensfp777.ccr.corp.intel.com 
From: "Wang, Jian J"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Chao Zhang, Laszlo Ersek
Subject: [edk2-devel] [PATCH v2 09/10] SecurityPkg/DxeImageVerificationLib: Differentiate error/search result (2)(CVE-2019-14575)
Date: Fri, 14 Feb 2020 15:27:44 +0800
Message-Id: <20200214072745.1570-10-jian.j.wang@intel.com>
In-Reply-To: <20200214072745.1570-1-jian.j.wang@intel.com>
References: <20200214072745.1570-1-jian.j.wang@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608

To avoid false-negative issue in check hash against dbx, both error condition (as return value) and check result (as out parameter) of IsSignatureFoundInDatabase() are added. So the caller of this function will know exactly if a failure is caused by a black list hit or other error happening, and enforce a more secure operation to prevent secure boot from being bypassed. For a white list check (db), there's no such necessity.

All intermediate results inside this function will be checked and returned immediately upon any failure or error, like out-of-resource, hash calculation error or certificate retrieval failure.

Cc: Jiewen Yao
Cc: Chao Zhang
Signed-off-by: Jian J Wang Reviewed-by: Laszlo Ersek Reviewed-by: Jiewen Yao --- .../DxeImageVerificationLib.c | 77 ++++++++++++++----- 1 file changed, 58 insertions(+), 19 deletions(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index f20640af68..0e1587bc3c 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -955,17 +955,19 @@ Done: @param[in] Signature Pointer to signature that is searched fo= r. @param[in] CertType Pointer to hash algorithm. @param[in] SignatureSize Size of Signature. + @param[out] IsFound Search result. Only valid if EFI_SUCCESS= returned =20 - @return TRUE Found the signature in the variable data= base. - @return FALSE Not found the signature in the variable = database. + @retval EFI_SUCCESS Finished the search without any error. + @retval Others Error occurred in the search of database. =20 **/ -BOOLEAN +EFI_STATUS IsSignatureFoundInDatabase ( - IN CHAR16 *VariableName, - IN UINT8 *Signature, - IN EFI_GUID *CertType, - IN UINTN SignatureSize + IN CHAR16 *VariableName, + IN UINT8 *Signature, + IN EFI_GUID *CertType, + IN UINTN SignatureSize, + OUT BOOLEAN *IsFound ) { EFI_STATUS Status; 
@@ -975,22 +977,28 @@ IsSignatureFoundInDatabase ( UINT8 *Data; UINTN Index; UINTN CertCount; - BOOLEAN IsFound; =20 // // Read signature database variable. // - IsFound =3D FALSE; + *IsFound =3D FALSE; Data =3D NULL; DataSize =3D 0; Status =3D gRT->GetVariable (VariableName, &gEfiImageSecurityDatabase= Guid, NULL, &DataSize, NULL); if (Status !=3D EFI_BUFFER_TOO_SMALL) { - return FALSE; + if (Status =3D=3D EFI_NOT_FOUND) { + // + // No database, no need to search. + // + Status =3D EFI_SUCCESS; + } + + return Status; } =20 Data =3D (UINT8 *) AllocateZeroPool (DataSize); if (Data =3D=3D NULL) { - return FALSE; + return EFI_OUT_OF_RESOURCES; } =20 Status =3D gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGui= d, NULL, &DataSize, Data); @@ -1010,7 +1018,7 @@ IsSignatureFoundInDatabase ( // // Find the signature in database. // - IsFound =3D TRUE; + *IsFound =3D TRUE; // // Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to vali= date image should be measured // @@ -1023,7 +1031,7 @@ IsSignatureFoundInDatabase ( Cert =3D (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->Signat= ureSize); } =20 - if (IsFound) { + if (*IsFound) { break; } } @@ -1037,7 +1045,7 @@ Done: FreePool (Data); } =20 - return IsFound; + return Status; } =20 /** @@ -1648,6 +1656,8 @@ DxeImageVerificationHandler ( CHAR16 *NameStr; RETURN_STATUS PeCoffStatus; EFI_STATUS HashStatus; + EFI_STATUS DbStatus; + BOOLEAN IsFound; =20 SignatureList =3D NULL; SignatureListSize =3D 0; @@ -1656,7 +1666,7 @@ DxeImageVerificationHandler ( PkcsCertData =3D NULL; Action =3D EFI_IMAGE_EXECUTION_AUTH_UNTESTED; IsVerified =3D FALSE; - + IsFound =3D FALSE; =20 // // Check the image type and get policy setting. 
@@ -1798,7 +1808,14 @@ DxeImageVerificationHandler ( goto Failed; } =20 - if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDi= gest, &mCertType, mImageDigestSize)) { + DbStatus =3D IsSignatureFoundInDatabase ( + EFI_IMAGE_SECURITY_DATABASE1, + mImageDigest, + &mCertType, + mImageDigestSize, + &IsFound + ); + if (EFI_ERROR (DbStatus) || IsFound) { // // Image Hash is in forbidden database (DBX). // @@ -1806,7 +1823,14 @@ DxeImageVerificationHandler ( goto Failed; } =20 - if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDig= est, &mCertType, mImageDigestSize)) { + DbStatus =3D IsSignatureFoundInDatabase ( + EFI_IMAGE_SECURITY_DATABASE, + mImageDigest, + &mCertType, + mImageDigestSize, + &IsFound + ); + if (!EFI_ERROR (DbStatus) && IsFound) { // // Image Hash is in allowed database (DB). // 
@@ -1894,14 +1918,29 @@ DxeImageVerificationHandler ( // // Check the image's hash value. // - if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDi= gest, &mCertType, mImageDigestSize)) { + DbStatus =3D IsSignatureFoundInDatabase ( + EFI_IMAGE_SECURITY_DATABASE1, + mImageDigest, + &mCertType, + mImageDigestSize, + &IsFound + ); + if (EFI_ERROR (DbStatus) || IsFound) { Action =3D EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND; DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but %s= hash of image is found in DBX.\n", mHashTypeStr)); IsVerified =3D FALSE; break; } + if (!IsVerified) { - if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageD= igest, &mCertType, mImageDigestSize)) { + DbStatus =3D IsSignatureFoundInDatabase ( + EFI_IMAGE_SECURITY_DATABASE, + mImageDigest, + &mCertType, + mImageDigestSize, + &IsFound + ); + if (!EFI_ERROR (DbStatus) && IsFound) { IsVerified =3D TRUE; } else { DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but = signature is not allowed by DB and %s hash of image is not found in DB/DBX.= \n", mHashTypeStr)); --=20 2.24.0.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
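Review bot: In the DxeImageVerificationHandler() dbx check, the combined condition "EFI_ERROR (DbStatus) || IsFound" sends a failed lookup through the same branch as a real hit, so the DEBUG message still says the hash "is found in DBX" and Action becomes EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND even when the database could not be read. Failing closed is right, but log DbStatus in the error case (a separate DEBUG line is enough) so that a rejection caused by out-of-resource or a variable read error can be told apart from a revoked image when triaging boot failures. The same applies to the earlier dbx check in the hunk at @@ -1798.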
View/Reply Online (#54425): https://edk2.groups.io/g/devel/message/54425 Mute This Topic: https://groups.io/mt/71264907/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Wed Apr 24 21:21:27 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+54426+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+54426+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1581665278673940.7225112095947; Thu, 13 Feb 2020 23:27:58 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id Y9QdYY1788612x9jvUjHImAJ; Thu, 13 Feb 2020 23:27:57 -0800 X-Received: from mga04.intel.com (mga04.intel.com []) by mx.groups.io with SMTP id smtpd.web11.3343.1581665266656025367 for ; Thu, 13 Feb 2020 23:27:57 -0800 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Feb 2020 23:27:56 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,439,1574150400"; d="scan'208";a="347904243" X-Received: from shwdeopensfp777.ccr.corp.intel.com ([10.239.158.78]) by fmsmga001.fm.intel.com with ESMTP; 13 Feb 2020 23:27:56 -0800 
From: "Wang, Jian J"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Chao Zhang
Subject: [edk2-devel] [PATCH v2 10/10] SecurityPkg/DxeImageVerificationLib: change IsCertHashFoundInDatabase name(CVE-2019-14575)
Date: Fri, 14 Feb 2020 15:27:45 +0800
Message-Id: <20200214072745.1570-11-jian.j.wang@intel.com>
In-Reply-To: <20200214072745.1570-1-jian.j.wang@intel.com>
References: <20200214072745.1570-1-jian.j.wang@intel.com>

IsCertHashFoundInDatabase() is actually used only for searching dbx, according to the function logic, its comments and its use cases. Changing it to IsCertHashFoundInDbx to avoid confusion.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608

Cc: Jiewen Yao
Cc: Chao Zhang
Signed-off-by: Jian J Wang
---
 .../DxeImageVerificationLib/DxeImageVerificationLib.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index 0e1587bc3c..b7fa8ea8c5 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
@@ -829,7 +829,7 @@ AddImageExeInfo ( =20 **/ EFI_STATUS -IsCertHashFoundInDatabase ( +IsCertHashFoundInDbx ( IN UINT8 *Certificate, IN UINTN CertSize, IN EFI_SIGNATURE_LIST *SignatureList, @@ -1362,7 +1362,7 @@ IsForbiddenByDbx ( // CertPtr =3D CertPtr + sizeof (UINT32) + CertSize; =20 - Status =3D IsCertHashFoundInDatabase (Cert, CertSize, (EFI_SIGNATURE_L= IST *)Data, DataSize, &RevocationTime, &IsFound); + Status =3D IsCertHashFoundInDbx (Cert, CertSize, (EFI_SIGNATURE_LIST *= )Data, DataSize, &RevocationTime, &IsFound); if (EFI_ERROR (Status)) { // // Error in searching dbx. Consider it as 'found'. RevocationTime mi= ght @@ -1528,7 +1528,7 @@ IsAllowedByDb ( // // Here We still need to check if this RootCert's Hash is revo= ked // - Status =3D IsCertHashFoundInDatabase (RootCert, RootCertSize, = (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, &RevocationTime, &IsFound); + Status =3D IsCertHashFoundInDbx (RootCert, RootCertSize, (EFI_= SIGNATURE_LIST *)DbxData, DbxDataSize, &RevocationTime, &IsFound); if (EFI_ERROR (Status)) { // // Error in searching dbx. Consider it as 'found'. Revocatio= nTime might --=20 2.24.0.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#54426): https://edk2.groups.io/g/devel/message/54426 Mute This Topic: https://groups.io/mt/71264909/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-