 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c | 4 ----
 1 file changed, 4 deletions(-)

The issue is in VerifyEKUsInPkcs7Signature routine of
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c:

At the "Exit" portion of this routine, this function uses X509_free to free
SignerCert instance and PKCS7_free function to free Pkcs7. But SignerCert
is part of Pkcs7 instance, thus PKCS7_free will release the memory of
SignerCert for a second time with existed routine, which will cause page
fault if use-after-free guard is enabled.

The patch fix is to free Pkcs7 instance only using PKCS7_free.

Patch v1 branch: https://github.com/kuqin12/edk2/tree/buffer_double_free_v1

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>

Signed-off-by: Kun Qin <kun.q@outlook.com>

Kun Qin (1):
  CryptoPkg: BaseCryptLib: Fix buffer double free in CryptPkcs7VerifyEku

 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c | 4 ----
 1 file changed, 4 deletions(-)

--
2.28.0.windows.1

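The ownership rule behind the cover letter above, as an added example that is not part of the thread and is not edk2 or OpenSSL code: Cert, Container and every function name are hypothetical stand-ins for X509, PKCS7 and their free routines. It counts releases on a borrowed signer pointer for three "Exit" cleanup variants; the third (taking an own reference before freeing) goes beyond what the patch does and is shown only for contrast.

```c
#include <stddef.h>

/* Hypothetical stand-ins for X509 and PKCS7; not OpenSSL or edk2 types. */
typedef struct { int refs; int over_release; } Cert;
typedef struct { Cert *signer; } Container;

/* Constructed static pool: a released Cert stays addressable, so an extra
 * release can be counted instead of corrupting the heap. */
static Cert pool[8];
static unsigned used;

static Cert *cert_new(void) {
    Cert *c = &pool[used++ % 8];
    c->refs = 1;
    c->over_release = 0;
    return c;
}

static void cert_up_ref(Cert *c) { c->refs++; }

/* Drop one reference. Releasing at refs == 0 is the double free. */
static void cert_free(Cert *c) {
    if (c == NULL) return;
    if (c->refs == 0) { c->over_release++; return; }
    c->refs--;
}

/* "get0"-style accessor: returns a borrowed pointer, takes no reference. */
static Cert *container_get0_signer(const Container *p) { return p->signer; }

/* The container owns its signer and releases it itself. */
static void container_free(Container *p) {
    cert_free(p->signer);
    p->signer = NULL;
}

enum exit_mode { FREE_BOTH, FREE_CONTAINER_ONLY, UP_REF_THEN_FREE_BOTH };

/* Runs one "Exit" cleanup variant; returns the extra releases seen by the signer. */
int run_exit_path(enum exit_mode mode) {
    Container p = { cert_new() };
    Cert *signer = container_get0_signer(&p);
    if (mode == UP_REF_THEN_FREE_BOTH) cert_up_ref(signer); /* caller co-owns */
    if (mode != FREE_CONTAINER_ONLY) cert_free(signer);     /* caller's release */
    container_free(&p);                                     /* owner's release */
    return signer->over_release;
}
```
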
On 10/21/20 04:32, Kun Qin wrote:
> The issue is in VerifyEKUsInPkcs7Signature routine of
> CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c:
>
> At the "Exit" portion of this routine, this function uses X509_free to free
> SignerCert instance and PKCS7_free function to free Pkcs7. But SignerCert
> is part of Pkcs7 instance, thus PKCS7_free will release the memory of
> SignerCert for a second time with existed routine, which will cause page
> fault if use-after-free guard is enabled.
>
> The patch fix is to free Pkcs7 instance only using PKCS7_free.
>
> Patch v1 branch: https://github.com/kuqin12/edk2/tree/buffer_double_free_v1
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
>
> Signed-off-by: Kun Qin <kun.q@outlook.com>
>
> Kun Qin (1):
>   CryptoPkg: BaseCryptLib: Fix buffer double free in CryptPkcs7VerifyEku
>
>  CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c | 4 ----
>  1 file changed, 4 deletions(-)
>

Please run "BaseTools/Scripts/SetupGit.py" in your edk2 repository, for
setting some git configuration options that you are currently missing
(such as, handling of CRLF line terminators, shallow threading, ...)

Thanks
Laszlo