1. Patchew
  2. EDK2
  3. View series

[edk2-devel] [PATCH v1 0/1] CryptoPkg: BaseCryptLib: Fix buffer double free in CryptPkcs7VerifyEku

Kun Qin posted 1 patch 3 years, 6 months ago
Only 0 patches received!
There is a newer version of this series
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c | 4 ----
1 file changed, 4 deletions(-)
[edk2-devel] [PATCH v1 0/1] CryptoPkg: BaseCryptLib: Fix buffer double free in CryptPkcs7VerifyEku
Posted by Kun Qin 3 years, 6 months ago 
The issue is in VerifyEKUsInPkcs7Signature routine of
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c:



At the "Exit" portion of this routine, this function uses X509_free to free
SignerCert instance and PKCS7_free function to free Pkcs7. But SignerCert
is part of Pkcs7 instance, thus PKCS7_free will release the memory of
SignerCert for a second time with existed routine, which will cause page
fault if use-after-free guard is enabled.



The patch fix is to free Pkcs7 instance only using PKCS7_free.

Patch v1 branch: https://github.com/kuqin12/edk2/tree/buffer_double_free_v1

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>

Signed-off-by: Kun Qin <kun.q@outlook.com>

Kun Qin (1):
  CryptoPkg: BaseCryptLib: Fix buffer double free in CryptPkcs7VerifyEku

 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c | 4 ----
 1 file changed, 4 deletions(-)

-- 
2.28.0.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#66468): https://edk2.groups.io/g/devel/message/66468
Mute This Topic: https://groups.io/mt/77702129/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v1 0/1] CryptoPkg: BaseCryptLib: Fix buffer double free in CryptPkcs7VerifyEku
Posted by Laszlo Ersek 3 years, 6 months ago 
On 10/21/20 04:32, Kun Qin wrote:
> The issue is in VerifyEKUsInPkcs7Signature routine of
> CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c:
> 
> 
> At the "Exit" portion of this routine, this function uses X509_free to free
> SignerCert instance and PKCS7_free function to free Pkcs7. But SignerCert
> is part of Pkcs7 instance, thus PKCS7_free will release the memory of
> SignerCert for a second time with existed routine, which will cause page
> fault if use-after-free guard is enabled.
> 
> 
> The patch fix is to free Pkcs7 instance only using PKCS7_free.
> 
> Patch v1 branch: https://github.com/kuqin12/edk2/tree/buffer_double_free_v1
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> 
> Signed-off-by: Kun Qin <kun.q@outlook.com>
> 
> Kun Qin (1):
>   CryptoPkg: BaseCryptLib: Fix buffer double free in CryptPkcs7VerifyEku
> 
>  CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c | 4 ----
>  1 file changed, 4 deletions(-)
> 

Please run "BaseTools/Scripts/SetupGit.py" in your edk2 repository, for
setting some git configuration options that you are currently missing
(such as, handling of CRLF line terminators, shallow threading, ...)

Thanks
Laszlo



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#66490): https://edk2.groups.io/g/devel/message/66490
Mute This Topic: https://groups.io/mt/77702129/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.