From: Marvin Häuser
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Min Xu, Vitaly Cheptsov
Subject: [edk2-devel] [PATCH] SecurityPkg/DxeImageVerificationLib: Fix certificate lookup algorithm
Date: Sun, 8 Aug 2021 19:39:48 +0000
In-Reply-To: <5df11a13422732b9c03c120775a2b4dd0a49182f.1628444003.git.mhaeuser@posteo.de>
References: <5df11a13422732b9c03c120775a2b4dd0a49182f.1628444003.git.mhaeuser@posteo.de>
Reply-To: devel@edk2.groups.io, mhaeuser@posteo.de

The current certificate lookup code does not check the bounds of the
authentication data before accessing it. Abort if the header cannot fit.

Also, the lookup code aborts once the authentication data is smaller than
an algorithm's OID size. As OIDs are variably-sized, this may cause
unexpected authentication failure due to the early error-exit.

Additionally move the two-byte encoding check out of the loop as the data
is invariant.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Cc: Vitaly Cheptsov
Signed-off-by: Marvin Häuser
---
 SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 43 +++++++++++---------
 1 file changed, 23 insertions(+), 20 deletions(-)
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index c48861cd6496..6615099baafb 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
@@ -624,30 +624,33 @@ HashPeImageByType ( { UINT8 Index; =20 + if (AuthDataSize < 32) { + return EFI_UNSUPPORTED; + } + // + // Check the Hash algorithm in PE/COFF Authenticode. + // According to PKCS#7 Definition: + // SignedData ::=3D SEQUENCE { + // version Version, + // digestAlgorithms DigestAlgorithmIdentifiers, + // contentInfo ContentInfo, + // .... } + // The DigestAlgorithmIdentifiers can be used to determine the hash a= lgorithm in PE/COFF hashing + // This field has the fixed offset (+32) in final Authenticode ASN.1 = data. + // Fixed offset (+32) is calculated based on two bytes of length enco= ding. + // + if ((*(AuthData + 1) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCODE) { + // + // Only support two bytes of Long Form of Length Encoding. + // + return EFI_UNSUPPORTED; + } + for (Index =3D 0; Index < HASHALG_MAX; Index++) { - // - // Check the Hash algorithm in PE/COFF Authenticode. - // According to PKCS#7 Definition: - // SignedData ::=3D SEQUENCE { - // version Version, - // digestAlgorithms DigestAlgorithmIdentifiers, - // contentInfo ContentInfo, - // .... } - // The DigestAlgorithmIdentifiers can be used to determine the hash= algorithm in PE/COFF hashing - // This field has the fixed offset (+32) in final Authenticode ASN.= 1 data. - // Fixed offset (+32) is calculated based on two bytes of length en= coding. - // - if ((*(AuthData + 1) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCODE) { - // - // Only support two bytes of Long Form of Length Encoding. - // + if (AuthDataSize - 32 < mHash[Index].OidLength) { continue; } =20 - if (AuthDataSize < 32 + mHash[Index].OidLength) { - return EFI_UNSUPPORTED; - } - if (CompareMem (AuthData + 32, mHash[Index].OidValue, mHash[Index].Oid= Length) =3D=3D 0) { break; } --=20 2.31.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
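Review bot: the hoisted `AuthDataSize < 32` guard and the two-byte-encoding check now return EFI_UNSUPPORTED directly, whereas the old in-loop `continue` on a non-two-byte length let the loop run to completion with Index == HASHALG_MAX; please confirm in the post-loop code (outside this hunk) that Index == HASHALG_MAX already maps to EFI_UNSUPPORTED, so callers observe no behaviour change from the early return. A smaller point: the literal 32 now appears twice in this hunk (`if (AuthDataSize < 32)` and `if (AuthDataSize - 32 < mHash[Index].OidLength)`); naming it once next to the comment block that explains the fixed offset would keep the guard and the subtraction from drifting apart and would make it explicit that the guard is what prevents the subtraction from underflowing.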
View/Reply Online (#78890): https://edk2.groups.io/g/devel/message/78890
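To show the two defects the commit message describes and why the reordered checks fix them, here is a constructed model of the lookup loop written for this review; it is not edk2 code. It assumes TWO_BYTE_ENCODE is 0x82 and uses a two-entry hash table whose longer OID comes first, the ordering in which the old early exit hides a valid shorter match.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model (not edk2 code) of the DigestAlgorithmIdentifier lookup in
 * HashPeImageByType. The table deliberately places a longer OID before a shorter
 * one, which is the ordering that exposes the pre-patch early exit. */
#define AUTH_OID_OFFSET 32    /* fixed OID offset described in the patch's comment block */
#define TWO_BYTE_ENCODE 0x82  /* assumed value of edk2's TWO_BYTE_ENCODE macro */

typedef struct { const uint8_t *OidValue; size_t OidLength; } HASH_ENTRY;
static const uint8_t OidSha256[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
static const uint8_t OidSha1[]   = { 0x2B, 0x0E, 0x03, 0x02, 0x1A };
static const HASH_ENTRY mHash[]  = { { OidSha256, sizeof OidSha256 }, { OidSha1, sizeof OidSha1 } };
#define HASHALG_MAX (sizeof mHash / sizeof mHash[0])
/* Constructed header whose length byte is short-form (0x25), i.e. not two-byte encoded. */
static const uint8_t ShortFormHeader[AUTH_OID_OFFSET + 5] = { 0x30, 0x25 };

/* Pre-patch shape: AuthData[1] is read before any size check, and the loop returns
 * as soon as one entry does not fit, even if a later, shorter OID would match.
 * Both lookups return the matching table index, or -1 when unsupported. */
int LookupOld(const uint8_t *AuthData, size_t AuthDataSize) {
  for (size_t i = 0; i < HASHALG_MAX; i++) {
    if ((AuthData[1] & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) continue;
    if (AuthDataSize < AUTH_OID_OFFSET + mHash[i].OidLength) return -1;  /* early exit */
    if (memcmp(AuthData + AUTH_OID_OFFSET, mHash[i].OidValue, mHash[i].OidLength) == 0) return (int)i;
  }
  return -1;
}

/* Post-patch shape: bound the header first, test the length encoding once, then
 * skip (rather than abort on) entries whose OID cannot fit in the remaining data. */
int LookupNew(const uint8_t *AuthData, size_t AuthDataSize) {
  if (AuthDataSize < AUTH_OID_OFFSET) return -1;
  if ((AuthData[1] & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) return -1;
  for (size_t i = 0; i < HASHALG_MAX; i++) {
    if (AuthDataSize - AUTH_OID_OFFSET < mHash[i].OidLength) continue;
    if (memcmp(AuthData + AUTH_OID_OFFSET, mHash[i].OidValue, mHash[i].OidLength) == 0) return (int)i;
  }
  return -1;
}

/* Builds a minimal SignedData-like buffer (SEQUENCE, two-byte length, zero padding,
 * OID at +32) sized exactly to the given OID, then runs the chosen lookup on it. */
int LookupOidInBuffer(const uint8_t *Oid, size_t OidLen, int (*Lookup)(const uint8_t *, size_t)) {
  uint8_t Buf[AUTH_OID_OFFSET + 16] = { 0x30, 0x82 };  /* SEQUENCE, long form, 2 length bytes */
  size_t Total = AUTH_OID_OFFSET + OidLen;
  if (OidLen > 16) return -1;
  Buf[2] = (uint8_t)((Total - 4) >> 8);
  Buf[3] = (uint8_t)(Total - 4);
  memcpy(Buf + AUTH_OID_OFFSET, Oid, OidLen);
  return Lookup(Buf, Total);
}
```

With the SHA-1 buffer, LookupOld gives up at the first (SHA-256) entry because 37 bytes cannot hold a 9-byte OID at offset 32, while LookupNew skips that entry and finds the SHA-1 match; LookupNew also rejects a 5-byte input before touching AuthData[1].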