Subject: Re: [edk2-devel] [PATCH 8/9] SecurityPkg/DxeImageVerificationLib: plug Data leak in IsForbiddenByDbx()(CVE-2019-14575)
To: devel@edk2.groups.io, jian.j.wang@intel.com
Cc: Laszlo Ersek, Jiewen Yao, Chao Zhang
References: <20200206141933.356-1-jian.j.wang@intel.com> <20200206141933.356-9-jian.j.wang@intel.com>
From: Philippe Mathieu-Daudé
Message-ID: <06c93902-d144-568f-25b6-527ff4bd55eb@redhat.com>
Date: Thu, 13 Feb 2020 17:56:16 +0100
In-Reply-To: <20200206141933.356-9-jian.j.wang@intel.com>

On 2/6/20 3:19 PM, Wang, Jian J wrote:
> From: Laszlo Ersek
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608

What a painful review...

> If the second GetVariable() call for "dbx" fails, in IsForbiddenByDbx(),
> we have to free Data. Jump to "Done" for that.
>
> Cc: Jiewen Yao
> Cc: Chao Zhang
> Signed-off-by: Laszlo Ersek
> ---
> .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerifica= tionLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificatio= nLib.c > index 2236ce98ce..5b7a67f811 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= .c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= .c > @@ -1274,7 +1274,7 @@ IsForbiddenByDbx ( > =20 > Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImage= SecurityDatabaseGuid, NULL, &DataSize, (VOID *) Data); > if (EFI_ERROR (Status)) { > - return IsForbidden; > + goto Done; > } > =20 > // >=20

Reviewed-by: Philippe Mathieu-Daudé
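
Review bot: at `goto Done;` (replacing `return IsForbidden;` after the second GetVariable() call), the quoted hunk shows neither the `Done` label nor the value `IsForbidden` holds on this error path, so the leak fix cannot be checked from the hunk alone. Please confirm that `Done` frees `Data` and then returns `IsForbidden` unchanged, and consider stating in the commit message what the function returns when reading "dbx" fails, since that result decides whether an image is treated as forbidden.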