From: "Laszlo Ersek"
To: edk2-devel-groups-io
Cc: Jian J Wang, Jiewen Yao, Min Xu, Wenyi Xie
Subject: [edk2-devel] [PATCH 2/3] SecurityPkg/DxeImageVerificationLib: assign WinCertificate after size check
Date: Tue, 1 Sep 2020 11:12:20 +0200
Message-Id: <20200901091221.20948-3-lersek@redhat.com>
In-Reply-To: <20200901091221.20948-1-lersek@redhat.com>
References: <20200901091221.20948-1-lersek@redhat.com>

Currently the (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) check only
guards the de-referencing of the "WinCertificate" pointer. It does not
guard the calculation of the pointer itself:

  WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);

This is wrong; if we don't know for sure that we have enough room for a
WIN_CERTIFICATE, then even creating such a pointer, not just
de-referencing it, may invoke undefined behavior.

Move the pointer calculation after the size check.

Cc: Jian J Wang
Cc: Jiewen Yao
Cc: Min Xu
Cc: Wenyi Xie
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
Signed-off-by: Laszlo Ersek
Reviewed-by: Min M Xu
Reviewed-by: Philippe Mathieu-Daude
Tested-by: Wenyi Xie
---
 SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index 377feebb205a..100739eb3eb6 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1855,10 +1855,12 @@ DxeImageVerificationHandler ( for (OffSet =3D SecDataDir->VirtualAddress; OffSet < SecDataDirEnd; OffSet +=3D (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate-= >dwLength))) { - WinCertificate =3D (WIN_CERTIFICATE *) (mImageBase + OffSet); SecDataDirLeft =3D SecDataDirEnd - OffSet; - if (SecDataDirLeft <=3D sizeof (WIN_CERTIFICATE) || - SecDataDirLeft < WinCertificate->dwLength) { + if (SecDataDirLeft <=3D sizeof (WIN_CERTIFICATE)) { + break; + } + WinCertificate =3D (WIN_CERTIFICATE *) (mImageBase + OffSet); + if (SecDataDirLeft < WinCertificate->dwLength) { break; } =20 --=20 2.19.1.3.g30247aa5d201
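Review bot: the reordering is right, but once the pointer is formed the hunk still accepts any dwLength that is not larger than SecDataDirLeft, including values smaller than sizeof (WIN_CERTIFICATE); with dwLength == 0 the loop increment `OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength))` leaves OffSet unchanged (assuming ALIGN_SIZE (0) evaluates to 0) and the loop never terminates. If that case is not handled elsewhere in the series, add a `WinCertificate->dwLength < sizeof (WIN_CERTIFICATE)` check directly after the new assignment, breaking out the same way the two existing checks do. The for-increment expression reading WinCertificate->dwLength stays safe after this change, since every path to it passes through the assignment and the size checks above it.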
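The order of checks the commit message argues for, shown as an added example rather than edk2 code: a small walker over a PE security data directory that tests the remaining size before it forms the WIN_CERTIFICATE pointer, then validates dwLength in both directions. The struct mirrors the UEFI/PE header layout and the 8-byte entry alignment of the Authenticode table; WalkSecurityDirectory, RunCase and PutCert are names chosen for this example, and the image bytes are constructed inline, not read from a file.

```c
/*
 * Added example (not edk2 code): WIN_CERTIFICATE table walk in the order
 * the patch establishes. The remaining-size check runs before the pointer
 * is formed; WalkSecurityDirectory/RunCase/PutCert are example names.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
  uint32_t dwLength;          /* length of the whole entry, header included */
  uint16_t wRevision;
  uint16_t wCertificateType;
  /* uint8_t bCertificate[] follows in the image */
} WIN_CERTIFICATE;

/* Padding that brings a length up to the next 8-byte boundary. */
#define ALIGN_SIZE(a) (((a) % 8) ? (8 - ((a) % 8)) : 0)

/*
 * Walks [VirtualAddress, VirtualAddress + Size) of an ImageSize-byte image.
 * Returns the number of well-formed entries, or -1 if the table is
 * malformed. Like the patched loop, it stops without error when fewer
 * bytes than a header remain; what a short tail means is the caller's call.
 */
int
WalkSecurityDirectory (
  const uint8_t *ImageBase,
  size_t         ImageSize,
  size_t         VirtualAddress,
  size_t         Size
  )
{
  size_t                 SecDataDirEnd;
  size_t                 SecDataDirLeft;
  size_t                 OffSet;
  const WIN_CERTIFICATE *WinCertificate;
  int                    Count;

  /* The directory itself must lie inside the image (overflow-safe form). */
  if (VirtualAddress > ImageSize || Size > ImageSize - VirtualAddress) {
    return -1;
  }
  SecDataDirEnd = VirtualAddress + Size;

  Count = 0;
  for (OffSet = VirtualAddress; OffSet < SecDataDirEnd; ) {
    SecDataDirLeft = SecDataDirEnd - OffSet;
    /* Not even a full header left: stop before forming any pointer. */
    if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) {
      break;
    }
    /* Only now is ImageBase + OffSet known to address a readable header. */
    WinCertificate = (const WIN_CERTIFICATE *) (ImageBase + OffSet);
    /* The declared length must fit in what is left ... */
    if (SecDataDirLeft < WinCertificate->dwLength) {
      return -1;
    }
    /* ... and must cover at least the header, or OffSet would never advance. */
    if (WinCertificate->dwLength < sizeof (WIN_CERTIFICATE)) {
      return -1;
    }
    Count++;
    OffSet += WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength);
  }
  return Count;
}

/* Writes a header with the given dwLength at Buf (host byte order, read back the same way). */
static void
PutCert (uint8_t *Buf, uint32_t Length)
{
  WIN_CERTIFICATE Hdr;

  Hdr.dwLength         = Length;
  Hdr.wRevision        = 0x0200;
  Hdr.wCertificateType = 0x0002;   /* WIN_CERT_TYPE_PKCS_SIGNED_DATA */
  memcpy (Buf, &Hdr, sizeof Hdr);
}

/*
 * Constructed 48-byte image: 16 bytes of filler, then a security directory
 * at offset 16 holding an entry of FirstLength bytes and, 16 bytes later,
 * a 12-byte entry. DirSize is the size the directory claims to have.
 */
int
RunCase (uint32_t FirstLength, size_t DirSize)
{
  _Alignas (8) uint8_t Image[48];

  memset (Image, 0, sizeof Image);
  PutCert (Image + 16, FirstLength);
  PutCert (Image + 32, 12);
  return WalkSecurityDirectory (Image, sizeof Image, 16, DirSize);
}

int
main (void)
{
  printf ("two entries, 13+pad and 12+pad:  %d\n", RunCase (13, 32));
  printf ("dwLength larger than directory:  %d\n", RunCase (100, 32));
  printf ("dwLength of zero:                %d\n", RunCase (0, 32));
  printf ("directory shorter than a header: %d\n", RunCase (13, 4));
  return 0;
}
```

The zero-length case is the one the patch alone does not cover: without the second dwLength check the loop would pass the `SecDataDirLeft < dwLength` test, add zero to OffSet, and spin forever on the same header.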