From: Marvin Häuser
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Min Xu, Vitaly Cheptsov
Subject: [edk2-devel] [PATCH] SecurityPkg/SecureBootConfigDxe: Fix certificate lookup algorithm
Date: Sun, 8 Aug 2021 19:39:56 +0000
Message-Id: <7cedc9b336ec5410d833b4ecac53f5b366a636a5.1628448920.git.mhaeuser@posteo.de>

The current certificate lookup code does not check the bounds of the authentication data before accessing it. Abort if the header cannot fit, and proceed to the next hashing algorithm if the OID of the current one exceeds the authentication data bounds. Additionally move the two-byte encoding check out of the loop as the data is invariant.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Cc: Vitaly Cheptsov
Signed-off-by: Marvin Häuser
--- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl= .c | 45 ++++++++++++-------- 1 file changed, 28 insertions(+), 17 deletions(-) diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.c index 65a8188d6d03..fd7629f61862 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c 
@@ -1969,30 +1969,41 @@ HashPeImageByType ( { UINT8 Index; WIN_CERTIFICATE_EFI_PKCS *PkcsCertData; + UINT32 AuthDataSize; =20 PkcsCertData =3D (WIN_CERTIFICATE_EFI_PKCS *) (mImageBase + mSecDataDir-= >Offset); + if (PkcsCertData->Hdr.dwLength <=3D sizeof (PkcsCertData->Hdr)) { + return EFI_UNSUPPORTED; + } + + AuthDataSize =3D PkcsCertData->Hdr.dwLength - sizeof (PkcsCertData->Hdr); + if (AuthDataSize < 32) { + return EFI_UNSUPPORTED; + } + // + // Check the Hash algorithm in PE/COFF Authenticode. + // According to PKCS#7 Definition: + // SignedData ::=3D SEQUENCE { + // version Version, + // digestAlgorithms DigestAlgorithmIdentifiers, + // contentInfo ContentInfo, + // .... } + // The DigestAlgorithmIdentifiers can be used to determine the hash a= lgorithm in PE/COFF hashing + // This field has the fixed offset (+32) in final Authenticode ASN.1 = data. + // Fixed offset (+32) is calculated based on two bytes of length enco= ding. + // + if ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCO= DE) { + // + // Only support two bytes of Long Form of Length Encoding. + // + return EFI_UNSUPPORTED; + } =20 for (Index =3D 0; Index < HASHALG_MAX; Index++) { - // - // Check the Hash algorithm in PE/COFF Authenticode. - // According to PKCS#7 Definition: - // SignedData ::=3D SEQUENCE { - // version Version, - // digestAlgorithms DigestAlgorithmIdentifiers, - // contentInfo ContentInfo, - // .... } - // The DigestAlgorithmIdentifiers can be used to determine the hash= algorithm in PE/COFF hashing - // This field has the fixed offset (+32) in final Authenticode ASN.= 1 data. - // Fixed offset (+32) is calculated based on two bytes of length en= coding. - // - if ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_EN= CODE) { - // - // Only support two bytes of Long Form of Length Encoding. 
- // + if (AuthDataSize - 32 < mHash[Index].OidLength) { continue; } =20 - // if (CompareMem (PkcsCertData->CertData + 32, mHash[Index].OidValue, mH= ash[Index].OidLength) =3D=3D 0) { break; } --=20 2.31.1
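Review bot: AuthDataSize at the top of HashPeImageByType is computed only from PkcsCertData->Hdr.dwLength, a field read from the same image data the new checks are meant to bound, and nothing in the visible lines compares dwLength (or the header read itself) against the size recorded in the security data directory or against the image size. If no caller already guarantees that, add a check that dwLength does not exceed the directory's certificate size before using it, or say in a comment where that validation happens. Smaller points: the two early returns could be a single test (dwLength < sizeof (PkcsCertData->Hdr) + 32), and the literal 32 now appears three times next to the comment that explains it, so a named constant for the OID offset would keep the size check, the loop guard and the CompareMem offset in step.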