From: "Wang, Jian J"
To: devel@edk2.groups.io
Cc: Xiaoyu Lu, Guomin Jiang, Jiewen Yao, Laszlo Ersek
Subject: [edk2-devel] [PATCH] CryptoPkg/BaseCryptLib: fix NULL dereference (CVE-2019-14584)
Date: Fri, 16 Oct 2020 13:14:50 +0800
Message-Id: <20201016051450.708-1-jian.j.wang@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1914

AuthenticodeVerify() calls OpenSSL's d2i_PKCS7() API to parse asn encoded signed authenticode pkcs#7 data. When this successfully returns, a type check is done by calling PKCS7_type_is_signed() and then Pkcs7->d.sign->contents->type is used. It is possible to construct an asn1 blob that successfully decodes and have d2i_PKCS7() return a valid pointer and have PKCS7_type_is_signed() also return success but have Pkcs7->d.sign be a NULL pointer.

Looking at how PKCS7_verify() [inside of OpenSSL] implements checking for pkcs7 structs it does the following:
- call PKCS7_type_is_signed()
- call PKCS7_get_detached()

Looking into how PKCS7_get_detached() is implemented, it checks to see if p7->d.sign is NULL or if p7->d.sign->contents->d.ptr is NULL.

As such, the fix is to do the same as OpenSSL after calling d2i_PKCS7().
- Add call to PKCS7_get_detached() to existing error handling

Cc: Xiaoyu Lu
Cc: Guomin Jiang
Cc: Jiewen Yao
Cc: Laszlo Ersek
Signed-off-by: Jian J Wang
Reviewed-by: Laszlo Ersek
Reviewed-by: Jiewen Yao
--- CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c b/Crypto= Pkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c index 2772b1e2be..ae0ee61fb6 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c @@ -9,7 +9,7 @@ AuthenticodeVerify() will get PE/COFF Authenticode and will do basic che= ck for data structure. =20 -Copyright (c) 2011 - 2015, Intel Corporation. All rights reserved.
+Copyright (c) 2011 - 2019, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -100,7 +100,7 @@ AuthenticodeVerify ( // // Check if it's PKCS#7 Signed Data (for Authenticode Scenario) // - if (!PKCS7_type_is_signed (Pkcs7)) { + if (!PKCS7_type_is_signed (Pkcs7) || PKCS7_get_detached (Pkcs7)) { goto _Exit; } =20 --=20 2.19.0.windows.1
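
Review bot: In the first hunk (@@ -9,7 +9,7 @@), the copyright end year is bumped to 2019 while the message is dated 16 Oct 2020. If the year is meant to track the date of the change it should read 2020; otherwise consider dropping the copyright line from this patch so the security fix stays a one-line change that is easy to backport.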
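
Review bot: In the second hunk (@@ -100,7 +100,7 @@), the added `PKCS7_get_detached (Pkcs7)` term is the guard against `Pkcs7->d.sign` being NULL, but the comment above the check still reads only "Check if it's PKCS#7 Signed Data", so the reason for the call is visible only in the commit message. Suggest extending that comment to say the call rejects a signed-type blob whose d.sign or contents->d.ptr is NULL (and with it any detached signature) before Pkcs7->d.sign->contents->type is read. The guard also depends on how OpenSSL implements PKCS7_get_detached(), as the commit message describes; an explicit `Pkcs7->d.sign == NULL` test next to it would make the intent self-documenting and independent of that behaviour. The diffstat shows a single file changed, so nothing exercises AuthenticodeVerify() with the malformed input; a regression test would keep the check from being removed later.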