From nobody Sun Apr 28 05:51:57 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+96636+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+96636+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1669584755; cv=none;
	d=zohomail.com; s=zohoarc;
	b=gyXKRHcYjRGAKhjJ8I1THUO5vFRBOvEWxVstCzYlgHC4kOg4f1zCPbtI7WMGw4UO38cWFDeKUzIekVdqvoTyILerkxcjzrl9Usx4Sq7SnawjtuaCz9JY4/1Tpx21Nb4GNPJLXkd6wAiXabeQIxTxDI05HbW/bwtnGB2I+hgnSss=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1669584755;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Sender:Subject:To;
	bh=bQv2ypArNQ7NDjVhM6MzLNuXavoNsgSqLOKVYay6Jm0=;
	b=WW3LCr6tnoR/d5wllwsSIApPmNGjFALdznKQTthnU/U7Rg6SQ0iiPeWKHEIeurbrJZoZfeF3NMNcbfC+cWcNZzCuxEbLiqAeNui2UW58nwFGLS9VCL2GxtQIdfgt0AB+lnS5GkxlWns3uV+X8aEB7D4ALCgivRF5DatcCTrG5/Q=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+96636+1787277+3901457@groups.io;
	dmarc=fail header.from=<jmaloy@redhat.com> (p=none dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 1669584755907418.362111987087;
 Sun, 27 Nov 2022 13:32:35 -0800 (PST)
Return-Path: <bounce+27952+96636+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id lpmPYY1788612xqUpbSmam4S;
 Sun, 27 Nov 2022 13:32:35 -0800
X-Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
 by mx.groups.io with SMTP id smtpd.web11.58540.1669415066302010460
 for <devel@edk2.groups.io>;
 Fri, 25 Nov 2022 14:24:26 -0800
X-Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com
 [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-9-sVtlokYDMjiOmfK-ydFn8g-1; Fri, 25 Nov 2022 17:24:16 -0500
X-MC-Unique: sVtlokYDMjiOmfK-ydFn8g-1
X-Received: from smtp.corp.redhat.com
 (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 02BDF29AB403
	for <devel@edk2.groups.io>; Fri, 25 Nov 2022 22:24:16 +0000 (UTC)
X-Received: from fenrir.redhat.com (unknown [10.22.16.40])
	by smtp.corp.redhat.com (Postfix) with ESMTP id A15EE1415137;
	Fri, 25 Nov 2022 22:24:15 +0000 (UTC)
From: "Jon Maloy" <jmaloy@redhat.com>
To: devel@edk2.groups.io,
	lersek@redhat.com
Cc: kraxel@redhat.com,
	jmaloy@redhat.com
Subject: [edk2-devel] [PATCH] SecurityPkg: check return value of
 GetEfiGlobalVariable2() in DxeImageVerificationHandler()
Date: Fri, 25 Nov 2022 17:24:13 -0500
Message-Id: <20221125222413.1745225-1-jmaloy@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.7
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,jmaloy@redhat.com
X-Gm-Message-State: zSictA48kWKdVNP8rfaPtBI8x1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1669584755;
 bh=hvspNwdcp7TYiAkJ7jZBRNanGerwr9HhIuOaIJ9ynHk=;
 h=Cc:Content-Type:Date:From:Reply-To:Subject:To;
 b=kN/NDxV5mrhiNIuoRhHatxXDHeL9RIn1kDeU1PVA8Vs0XUClZY8HgJZ4wN2g4dQEUzx
 LcGPpaSYB5lKJk5gjfYSacx22b91IjfY0HJV435bLbpLr0WkFC207qNVYb7R8cur6/sqR
 3ZjJS4frCpcXz74BxnuuPSJY+XcVngkDWtY=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1669584757770100001
Content-Type: text/plain; charset="utf-8"; x-default="true"

Fixes: CVE-2019-14560

GetEfiGlobalVariable2() is used in some instances when looking up the
SecureBoot UEFI variable. The API can fail in certain circumstances,
for example, if AllocatePool() fails or if gRT->GetVariable() fails.
In the case of secure boot checks, it is critical that this return value
is checked. if an attacker can cause the API to fail, it would currently
constitute a secure boot bypass.

This return value check is missing in the function DxeImageVerificationHand=
ler(),
so we add it here.

This commit is almost identical to one suggested by Jian J Wang <jian.j.wan=
g@intel.com>
on 2019-09-09, but that one was for some reason never posted to the edk2-de=
vel
list. We now make a new attempt to get it reviewed and applied.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: devel@edk2.groups.io

Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
 .../DxeImageVerificationLib.c                 | 39 +++++++++++--------
 1 file changed, 23 insertions(+), 16 deletions(-)

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati=
onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL=
ib.c
index 66e2f5eaa3c0..4ae0bd8b20db 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1686,6 +1686,7 @@ DxeImageVerificationHandler (
   RETURN_STATUS                 PeCoffStatus;
   EFI_STATUS                    HashStatus;
   EFI_STATUS                    DbStatus;
+  EFI_STATUS                    SecBootStatus;
   BOOLEAN                       IsFound;
=20
   SignatureList     =3D NULL;
@@ -1742,23 +1743,29 @@ DxeImageVerificationHandler (
     CpuDeadLoop ();
   }
=20
-  GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID **)&SecureBoot, =
NULL);
-  //
-  // Skip verification if SecureBoot variable doesn't exist.
-  //
-  if (SecureBoot =3D=3D NULL) {
-    return EFI_SUCCESS;
-  }
+  SecBootStatus =3D GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOI=
D **)&SecureBoot, NULL);
+  if (!EFI_ERROR (SecBootStatus)) {
+    if (SecureBoot =3D=3D NULL) {
+      //
+      // Skip verification if SecureBoot variable doesn't exist.
+      //
+      return EFI_SUCCESS;
+    } else {
+      //
+      // Skip verification if SecureBoot is disabled but not AuditMode
+      //
+      if (*SecureBoot =3D=3D SECURE_BOOT_MODE_DISABLE) {
+        FreePool (SecureBoot);
+        return EFI_SUCCESS;
+      }
+      FreePool (SecureBoot);
+    }
+  } else {
+    //
+    // Assume SecureBoot enabled in the case of error.
+    //
+   }
=20
-  //
-  // Skip verification if SecureBoot is disabled but not AuditMode
-  //
-  if (*SecureBoot =3D=3D SECURE_BOOT_MODE_DISABLE) {
-    FreePool (SecureBoot);
-    return EFI_SUCCESS;
-  }
-
-  FreePool (SecureBoot);
=20
   //
   // Read the Dos header.
--=20
2.35.3



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#96636): https://edk2.groups.io/g/devel/message/96636
Mute This Topic: https://groups.io/mt/95297708/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-