From nobody Mon Feb  9 12:25:04 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.12
 as permitted sender) client-ip=66.175.222.12;
 envelope-from=bounce+27952+54420+1787277+3901457@groups.io;
 helo=web01.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as
 permitted sender)
  smtp.mailfrom=bounce+27952+54420+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=intel.com
Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by
 mx.zohomail.com
	with SMTPS id 1581665270911194.51649335629634;
 Thu, 13 Feb 2020 23:27:50 -0800 (PST)
Return-Path: <bounce+27952+54420+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id Sx58YY1788612xvpPYStF4b4;
 Thu, 13 Feb 2020 23:27:50 -0800
X-Received: from mga04.intel.com (mga04.intel.com [])
 by mx.groups.io with SMTP id smtpd.web11.3343.1581665266656025367
 for <devel@edk2.groups.io>;
 Thu, 13 Feb 2020 23:27:49 -0800
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
X-Received: from fmsmga001.fm.intel.com ([10.253.24.23])
  by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 13 Feb 2020 23:27:49 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.70,439,1574150400";
   d="scan'208";a="347904212"
X-Received: from shwdeopensfp777.ccr.corp.intel.com ([10.239.158.78])
  by fmsmga001.fm.intel.com with ESMTP; 13 Feb 2020 23:27:48 -0800
From: "Wang, Jian J" <jian.j.wang@intel.com>
To: devel@edk2.groups.io
Cc: Jiewen Yao <jiewen.yao@intel.com>,
	Chao Zhang <chao.b.zhang@intel.com>
Subject: [edk2-devel] [PATCH v2 04/10] SecurityPkg/DxeImageVerificationLib:
 avoid bypass in fetching dbx(CVE-2019-14575)
Date: Fri, 14 Feb 2020 15:27:39 +0800
Message-Id: <20200214072745.1570-5-jian.j.wang@intel.com>
In-Reply-To: <20200214072745.1570-1-jian.j.wang@intel.com>
References: <20200214072745.1570-1-jian.j.wang@intel.com>
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe: <https://edk2.groups.io/g/devel/unsub>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,jian.j.wang@intel.com
X-Gm-Message-State: 3J3u4xj4XgGpD8LSjdJMpIOwx1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1581665270;
 bh=tTjSz+y4Kx5YoH2oL/p3kU7IUtuy7FKhWHZXSuDFFz0=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=VrHWD5wNcYJw9/R3SOO8OvQL7/rZ7CkIuEcMQg2cmjEojJIyckbgMIlWZuqqvWRFFS1
 OueawMYGbz6qugZ9pvIIkyf0CkqYa2dTM+iFbTLudqj7vdYZrK0aQN+zFFGQ2jyQlMV4D
 NxcHJtQgUWa7VejpikymY2A3S0jgjtEx29o=
X-ZohoMail-DKIM: pass (identity @groups.io)
Content-Type: text/plain; charset="utf-8"

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1608

In timestamp check after the cert is found in db, the original code jumps
to 'Done' if any error happens in fetching dbx variable. At any of the
jump, VerifyStatus equals to TRUE, which means allowed-by-db. This should
not be allowed except to EFI_NOT_FOUND case (meaning dbx doesn't exist),
because it could be used to bypass timestamp check.

This patch add code to change VerifyStatus to FALSE in the case of memory
allocation failure and dbx fetching failure to avoid potential bypass
issue.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
---
 .../DxeImageVerificationLib/DxeImageVerificationLib.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati=
onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL=
ib.c
index 1efb2f96cd..ed5dbf26b0 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1459,15 +1459,26 @@ IsAllowedByDb (
             DbxDataSize =3D 0;
             Status   =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &=
gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, NULL);
             if (Status !=3D EFI_BUFFER_TOO_SMALL) {
+              if (Status !=3D EFI_NOT_FOUND) {
+                VerifyStatus =3D FALSE;
+              }
               goto Done;
             }
             DbxData =3D (UINT8 *) AllocateZeroPool (DbxDataSize);
             if (DbxData =3D=3D NULL) {
+              //
+              // Force not-allowed-by-db to avoid bypass
+              //
+              VerifyStatus =3D FALSE;
               goto Done;
             }
=20
             Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gE=
fiImageSecurityDatabaseGuid, NULL, &DbxDataSize, (VOID *) DbxData);
             if (EFI_ERROR (Status)) {
+              //
+              // Force not-allowed-by-db to avoid bypass
+              //
+              VerifyStatus =3D FALSE;
               goto Done;
             }
=20
--=20
2.24.0.windows.2


-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#54420): https://edk2.groups.io/g/devel/message/54420
Mute This Topic: https://groups.io/mt/71264902/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-