From: "Laszlo Ersek"
To: edk2-devel-groups-io
Cc: Jian J Wang, Jiewen Yao, Min Xu, Wenyi Xie
Subject: [edk2-devel] [PATCH 1/3] SecurityPkg/DxeImageVerificationLib: extract SecDataDirEnd, SecDataDirLeft
Date: Tue, 1 Sep 2020 11:12:19 +0200
Message-Id: <20200901091221.20948-2-lersek@redhat.com>
In-Reply-To: <20200901091221.20948-1-lersek@redhat.com>
References: <20200901091221.20948-1-lersek@redhat.com>

The following two quantities:

  SecDataDir->VirtualAddress + SecDataDir->Size
  SecDataDir->VirtualAddress + SecDataDir->Size - OffSet

are used multiple times in DxeImageVerificationHandler(). Introduce helper
variables for them: "SecDataDirEnd" and "SecDataDirLeft", respectively.
This saves us multiple calculations and significantly simplifies the code.

Note that all three summands above have type UINT32, therefore the new
variables are also of type UINT32.

This patch does not change behavior.

(Note that the code already handles the case when the
SecDataDir->VirtualAddress + SecDataDir->Size UINT32 addition overflows --
namely, in that case, the certificate loop is never entered, and the
corruption check right after the loop fires.)

Cc: Jian J Wang
Cc: Jiewen Yao
Cc: Min Xu
Cc: Wenyi Xie
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
Signed-off-by: Laszlo Ersek
Reviewed-by: Min M Xu
Reviewed-by: Philippe Mathieu-Daude
Tested-by: Wenyi Xie
--- SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 12= ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index b08fe24e85aa..377feebb205a 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1652,6 +1652,8 @@ DxeImageVerificationHandler ( UINT8 *AuthData; UINTN AuthDataSize; EFI_IMAGE_DATA_DIRECTORY *SecDataDir; + UINT32 SecDataDirEnd; + UINT32 SecDataDirLeft; UINT32 OffSet; CHAR16 *NameStr; RETURN_STATUS PeCoffStatus; 
@@ -1849,12 +1851,14 @@ DxeImageVerificationHandler ( // "Attribute Certificate Table". // The first certificate starts at offset (SecDataDir->VirtualAddress) f= rom the start of the file. // + SecDataDirEnd =3D SecDataDir->VirtualAddress + SecDataDir->Size; for (OffSet =3D SecDataDir->VirtualAddress; - OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size); + OffSet < SecDataDirEnd; OffSet +=3D (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate-= >dwLength))) { WinCertificate =3D (WIN_CERTIFICATE *) (mImageBase + OffSet); - if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <=3D size= of (WIN_CERTIFICATE) || - (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) < WinCert= ificate->dwLength) { + SecDataDirLeft =3D SecDataDirEnd - OffSet; + if (SecDataDirLeft <=3D sizeof (WIN_CERTIFICATE) || + SecDataDirLeft < WinCertificate->dwLength) { break; } =20 
@@ -1948,7 +1952,7 @@ DxeImageVerificationHandler ( } } =20 - if (OffSet !=3D (SecDataDir->VirtualAddress + SecDataDir->Size)) { + if (OffSet !=3D SecDataDirEnd) { // // The Size in Certificate Table or the attribute certificate table is= corrupted. // --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#64884): https://edk2.groups.io/g/devel/message/64884 Mute This Topic: https://groups.io/mt/76552540/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
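
Review bot: in the "@@ -1849,12 +1851,14 @@" hunk of patch 1/3, the new "SecDataDirEnd =3D SecDataDir->VirtualAddress + SecDataDir->Size;" is a UINT32 sum that can wrap, and the reason this is harmless (the loop is never entered and the "OffSet !=3D SecDataDirEnd" check after it fires) is stated only in the commit message. Please put a short comment to that effect at the assignment, so the reasoning stays with the code. The same hunk's "SecDataDirLeft =3D SecDataDirEnd - OffSet;" cannot underflow only because the loop condition "OffSet < SecDataDirEnd" holds at that point; a one-line comment there would also help.
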

From: "Laszlo Ersek"
To: edk2-devel-groups-io
Cc: Jian J Wang, Jiewen Yao, Min Xu, Wenyi Xie
Subject: [edk2-devel] [PATCH 2/3] SecurityPkg/DxeImageVerificationLib: assign WinCertificate after size check
Date: Tue, 1 Sep 2020 11:12:20 +0200
Message-Id: <20200901091221.20948-3-lersek@redhat.com>
In-Reply-To: <20200901091221.20948-1-lersek@redhat.com>
References: <20200901091221.20948-1-lersek@redhat.com>

Currently the (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) check only
guards the de-referencing of the "WinCertificate" pointer. It does not
guard the calculation of the pointer itself:

  WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);

This is wrong; if we don't know for sure that we have enough room for a
WIN_CERTIFICATE, then even creating such a pointer, not just
de-referencing it, may invoke undefined behavior.

Move the pointer calculation after the size check.

Cc: Jian J Wang
Cc: Jiewen Yao
Cc: Min Xu
Cc: Wenyi Xie
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
Signed-off-by: Laszlo Ersek
Reviewed-by: Min M Xu
Reviewed-by: Philippe Mathieu-Daude
Tested-by: Wenyi Xie
--- SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 8 = +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index 377feebb205a..100739eb3eb6 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
@@ -1855,10 +1855,12 @@ DxeImageVerificationHandler ( for (OffSet =3D SecDataDir->VirtualAddress; OffSet < SecDataDirEnd; OffSet +=3D (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate-= >dwLength))) { - WinCertificate =3D (WIN_CERTIFICATE *) (mImageBase + OffSet); SecDataDirLeft =3D SecDataDirEnd - OffSet; - if (SecDataDirLeft <=3D sizeof (WIN_CERTIFICATE) || - SecDataDirLeft < WinCertificate->dwLength) { + if (SecDataDirLeft <=3D sizeof (WIN_CERTIFICATE)) { + break; + } + WinCertificate =3D (WIN_CERTIFICATE *) (mImageBase + OffSet); + if (SecDataDirLeft < WinCertificate->dwLength) { break; } =20 --=20 2.19.1.3.g30247aa5d201
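
Review bot: in the "@@ -1855,10 +1855,12 @@" hunk of patch 2/3, the for-loop increment still reads "WinCertificate->dwLength" while the assignment of "WinCertificate" now sits after the first "break". That is correct only because "break" skips the increment, so every path that reaches the increment has already passed the assignment; a "continue" added above the assignment later would break that. Please add a comment above the two split checks saying that the size check must come before the pointer calculation, so a later cleanup does not merge them back into one condition.
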

From: "Laszlo Ersek"
To: edk2-devel-groups-io
Cc: Jian J Wang, Jiewen Yao, Min Xu, Wenyi Xie
Subject: [edk2-devel] [PATCH 3/3] SecurityPkg/DxeImageVerificationLib: catch alignment overflow (CVE-2019-14562)
Date: Tue, 1 Sep 2020 11:12:21 +0200
Message-Id: <20200901091221.20948-4-lersek@redhat.com>
In-Reply-To: <20200901091221.20948-1-lersek@redhat.com>
References: <20200901091221.20948-1-lersek@redhat.com>

The DxeImageVerificationHandler() function currently checks whether
"SecDataDir" has enough room for "WinCertificate->dwLength". However, for
advancing "OffSet", "WinCertificate->dwLength" is aligned to the next
multiple of 8. If "WinCertificate->dwLength" is large enough, the
alignment will return 0, and "OffSet" will be stuck at the same value.

Check whether "SecDataDir" has room left for both
"WinCertificate->dwLength" and the alignment.

Cc: Jian J Wang
Cc: Jiewen Yao
Cc: Min Xu
Cc: Wenyi Xie
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
Signed-off-by: Laszlo Ersek
Reviewed-by: Min M Xu
Reviewed-by: Philippe Mathieu-Daude
Tested-by: Wenyi Xie
--- SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 4 = +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index 100739eb3eb6..11154b6cc58a 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1860,7 +1860,9 @@ DxeImageVerificationHandler ( break; } WinCertificate =3D (WIN_CERTIFICATE *) (mImageBase + OffSet); - if (SecDataDirLeft < WinCertificate->dwLength) { + if (SecDataDirLeft < WinCertificate->dwLength || + (SecDataDirLeft - WinCertificate->dwLength < + ALIGN_SIZE (WinCertificate->dwLength))) { break; } =20 --=20 2.19.1.3.g30247aa5d201
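
Review bot: in the "@@ -1860,7 +1860,9 @@" hunk of patch 3/3, the added "SecDataDirLeft - WinCertificate->dwLength" subtraction is wrap-free only because the "SecDataDirLeft < WinCertificate->dwLength" test to its left short-circuits first. Please say so in a comment, so the two operands of "||" are not reordered or split later. The new condition also has no comment naming the case it catches ("OffSet" no longer advancing, per the commit message), and the CVE number appears only in the subject line; a short comment above the check would keep that context in the source.
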
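
The checks discussed in patches 2/3 and 3/3, as an added stand-alone example (not edk2 code and not part of the posted series), run on a constructed 32-byte table and on one constructed wrap case. Assumptions: align_pad() stands in for ALIGN_SIZE() and returns the padding to the next multiple of 8; HDR_SIZE, advance(), fits_before(), fits_after(), rd32le(), walk_table() and SAMPLE are names made up for this example.

```c
#include <stdint.h>
#include <stdio.h>
#define HDR_SIZE 8u  /* sizeof (WIN_CERTIFICATE): UINT32 dwLength + two UINT16 fields */

/* Padding up to the next multiple of 8; assumed stand-in for ALIGN_SIZE(). */
static uint32_t align_pad(uint32_t len) {
    uint32_t rem = len % 8u;
    return rem ? 8u - rem : 0u;
}

/* Loop increment as written in the for statement; UINT32 math wraps mod 2^32. */
static uint32_t advance(uint32_t dw_length) {
    return dw_length + align_pad(dw_length);
}

/* Check before patch 3/3: only dwLength itself has to fit. */
static int fits_before(uint32_t left, uint32_t dw_length) {
    return !(left <= HDR_SIZE || left < dw_length);
}

/* Check after patch 3/3: dwLength and its padding both have to fit. */
static int fits_after(uint32_t left, uint32_t dw_length) {
    if (left <= HDR_SIZE || left < dw_length) return 0;
    return left - dw_length >= align_pad(dw_length);  /* no wrap: left >= dw_length */
}

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk a table in buf[0..size). Returns the number of entries, or -1 when the
   walk does not end exactly at the table end (the corruption check). The
   dw_length <= HDR_SIZE test is this example's own guard that the walk
   always makes progress; it is not taken from the hunks on this page. */
static int walk_table(const uint8_t *buf, uint32_t size) {
    uint32_t off = 0;
    int count = 0;
    while (off < size) {
        uint32_t left = size - off;
        if (left <= HDR_SIZE) break;            /* size check before touching the entry */
        uint32_t dw_length = rd32le(buf + off);
        if (dw_length <= HDR_SIZE || !fits_after(left, dw_length)) break;
        off += advance(dw_length);              /* <= left, so off never passes size */
        count++;
    }
    return off == size ? count : -1;
}

/* Constructed sample: two entries, dwLength 12 (+4 pad) and dwLength 16. */
static const uint8_t SAMPLE[32] = {
    12, 0, 0, 0, 0, 2, 2, 0, 0xAA, 0xAA, 0xAA, 0xAA, 0, 0, 0, 0,
    16, 0, 0, 0, 0, 2, 2, 0, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB,
};

int main(void) {
    uint32_t left = 0xFFFFFFFFu, len = 0xFFFFFFF9u;  /* constructed wrap case */
    printf("advance=%u before=%d after=%d\n", (unsigned)advance(len), fits_before(left, len), fits_after(left, len));
    printf("sample=%d truncated=%d\n", walk_table(SAMPLE, 32), walk_table(SAMPLE, 28));
    return 0;
}
```

For the constructed wrap case the increment is 0 while the pre-patch check still accepts the entry; the patched check rejects it because only 6 bytes remain for 7 bytes of padding.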