From nobody Thu May  2 19:20:20 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+96881+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+96881+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1669950356; cv=none;
	d=zohomail.com; s=zohoarc;
	b=fDM3jq1PSJqFHSvD2IIkxznvgoDFPpmo3aokgw0rxo2yhIqMUIb11zXMXgZSHy6PjjfSr6lU80olj2Wv9C7iPYMUZtfUE1IUX4K1ZJJIU/ScIf4gKycnqzYfiROqZA3Lq+fiM4v/HjwqaXNCYivaJXqSoe3tA9Kt9Iz5lhJF/aw=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1669950356;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Sender:Subject:To;
	bh=UvuseYUSoFLawDYA7/7EmRAK80/SBsOihkhf2meBADg=;
	b=QamxKVz9LdhVn0quQecSw8YBHIcE6kbQ4dvFRt8UmONY/shqUPNwiEo3DDWXamUUAzdQnJLxjwSqabCX0vsbJt6bCBAW5aO6xJ/++z+U9lmEzOrUzVX6UkGWL38fmxjkZs4dD5R5EmiOvi5KCiIZtGVafqoPUg2xlijDfsmpHkU=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+96881+1787277+3901457@groups.io;
	dmarc=fail header.from=<jmaloy@redhat.com> (p=none dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 1669950356213809.0410912877602;
 Thu, 1 Dec 2022 19:05:56 -0800 (PST)
Return-Path: <bounce+27952+96881+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id JWdTYY1788612xgY8TDmsRN9;
 Thu, 01 Dec 2022 19:05:55 -0800
X-Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by mx.groups.io with SMTP id smtpd.web11.65887.1669950354789739341
 for <devel@edk2.groups.io>;
 Thu, 01 Dec 2022 19:05:55 -0800
X-Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-614-8rut0jpbNvykHhhRWWOTig-1; Thu, 01 Dec 2022 22:05:50 -0500
X-MC-Unique: 8rut0jpbNvykHhhRWWOTig-1
X-Received: from smtp.corp.redhat.com
 (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id BAA1E85A588;
	Fri,  2 Dec 2022 03:05:49 +0000 (UTC)
X-Received: from fenrir.redhat.com (unknown [10.22.10.171])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 195AB2166BB6;
	Fri,  2 Dec 2022 03:05:48 +0000 (UTC)
From: "Jon Maloy" <jmaloy@redhat.com>
To: devel@edk2.groups.io
Cc: kraxel@redhat.com,
	lersek@redhat.com,
	jmaloy@redhat.com,
	Jiewen Yao <jiewen.yao@intel.com>,
	Jian J Wang <jian.j.wang@intel.com>,
	Min Xu <min.m.xu@intel.com>
Subject: [edk2-devel] [PATCH] SecurityPkg: check return value of
 GetEfiGlobalVariable2() in DxeImageVerificationHandler()
Date: Thu,  1 Dec 2022 22:05:26 -0500
Message-Id: <20221202030526.71113-1-jmaloy@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.6
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,jmaloy@redhat.com
X-Gm-Message-State: IZWHgAX4MeaLZVMk2VG47en6x1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1669950355;
 bh=ZXVPwcPGvnzlc5IWFi7W4wcsgWCpKpa/onU3HUazEcU=;
 h=Cc:Content-Type:Date:From:Reply-To:Subject:To;
 b=L9dBYE5524cemm0AkDejknN6VBPeHYfCT741YcTeSPP6Qx2RQEb+9rT8B5YbtsDLb49
 qIhiG0SWyjbb7B+16+dn8liKYRGxF0sJ7kzZ5Y7I9k1aR72ErEcYAM8fPtuANZSdwzrfD
 sWMOYjrIVNTF3dXXSAPRVVe9zCtjZ+obEyY=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1669950357389100001
Content-Type: text/plain; charset="utf-8"; x-default="true"

Fixes: CVE-2019-14560

GetEfiGlobalVariable2() is used in some instances when looking up the
SecureBoot UEFI variable. The API can fail in certain circumstances,
for example, if AllocatePool() fails or if gRT->GetVariable() fails.
In the case of secure boot checks, it is critical that this return value
is checked. if an attacker can cause the API to fail, it would currently
constitute a secure boot bypass.

This return value check is missing in the function DxeImageVerificationHand=
ler(),
so we add it here.

This commit is almost identical to one suggested by Jian J Wang <jian.j.wan=
g@intel.com>
on 2019-09-09, but that one was for some reason never posted to the edk2-de=
vel
list. We now make a new attempt to get it reviewed and applied.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: devel@edk2.groups.io

Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
 .../DxeImageVerificationLib.c                 | 39 +++++++++++--------
 1 file changed, 23 insertions(+), 16 deletions(-)

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati=
onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL=
ib.c
index 66e2f5eaa3c0..4ae0bd8b20db 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1686,6 +1686,7 @@ DxeImageVerificationHandler (
   RETURN_STATUS                 PeCoffStatus;
   EFI_STATUS                    HashStatus;
   EFI_STATUS                    DbStatus;
+  EFI_STATUS                    SecBootStatus;
   BOOLEAN                       IsFound;
=20
   SignatureList     =3D NULL;
@@ -1742,23 +1743,29 @@ DxeImageVerificationHandler (
     CpuDeadLoop ();
   }
=20
-  GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID **)&SecureBoot, =
NULL);
-  //
-  // Skip verification if SecureBoot variable doesn't exist.
-  //
-  if (SecureBoot =3D=3D NULL) {
-    return EFI_SUCCESS;
-  }
+  SecBootStatus =3D GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOI=
D **)&SecureBoot, NULL);
+  if (!EFI_ERROR (SecBootStatus)) {
+    if (SecureBoot =3D=3D NULL) {
+      //
+      // Skip verification if SecureBoot variable doesn't exist.
+      //
+      return EFI_SUCCESS;
+    } else {
+      //
+      // Skip verification if SecureBoot is disabled but not AuditMode
+      //
+      if (*SecureBoot =3D=3D SECURE_BOOT_MODE_DISABLE) {
+        FreePool (SecureBoot);
+        return EFI_SUCCESS;
+      }
+      FreePool (SecureBoot);
+    }
+  } else {
+    //
+    // Assume SecureBoot enabled in the case of error.
+    //
+   }
=20
-  //
-  // Skip verification if SecureBoot is disabled but not AuditMode
-  //
-  if (*SecureBoot =3D=3D SECURE_BOOT_MODE_DISABLE) {
-    FreePool (SecureBoot);
-    return EFI_SUCCESS;
-  }
-
-  FreePool (SecureBoot);
=20
   //
   // Read the Dos header.
--=20
2.35.3



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#96881): https://edk2.groups.io/g/devel/message/96881
Mute This Topic: https://groups.io/mt/95399277/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-