From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga02.intel.com (mga02.intel.com [])
 by mx.groups.io with SMTP id smtpd.web11.12696.1580998775768725774
 for <devel@edk2.groups.io>;
 Thu, 06 Feb 2020 06:19:36 -0800
Authentication-Results: mx.groups.io;
 dkim=missing; spf=fail (domain: intel.com, ip: <nil>, mailfrom: jian.j.wang@intel.com)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga008.fm.intel.com ([10.253.24.58])
  by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 06 Feb 2020 06:19:35 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.70,409,1574150400"; 
   d="scan'208";a="226160662"
Received: from shwdeopensfp777.ccr.corp.intel.com ([10.239.158.78])
  by fmsmga008.fm.intel.com with ESMTP; 06 Feb 2020 06:19:35 -0800
From: "Wang, Jian J" <jian.j.wang@intel.com>
To: devel@edk2.groups.io
Cc: Jiewen Yao <jiewen.yao@intel.com>,
	Chao Zhang <chao.b.zhang@intel.com>
Subject: [PATCH 1/9] SecurityPkg/DxeImageVerificationLib: Fix memory leaks(CVE-2019-14575)
Date: Thu,  6 Feb 2020 22:19:25 +0800
Message-Id: <20200206141933.356-2-jian.j.wang@intel.com>
X-Mailer: git-send-email 2.24.0.windows.2
In-Reply-To: <20200206141933.356-1-jian.j.wang@intel.com>
References: <20200206141933.356-1-jian.j.wang@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1608

Pointer HashCtx used in IsCertHashFoundInDatabase() is not freed inside
the while-loop, if it will run more than once.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
---
 .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c  | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati=
onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL=
ib.c
index dbfbfcb4fb..74dbffa122 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -908,6 +908,9 @@ IsCertHashFoundInDatabase (
       goto Done;=0D
     }=0D
 =0D
+    FreePool (HashCtx);=0D
+    HashCtx =3D NULL;=0D
+=0D
     SiglistHeaderSize =3D sizeof (EFI_SIGNATURE_LIST) + DbxList->Signature=
HeaderSize;=0D
     CertHash          =3D (EFI_SIGNATURE_DATA *) ((UINT8 *) DbxList + Sigl=
istHeaderSize);=0D
     CertHashCount     =3D (DbxList->SignatureListSize - SiglistHeaderSize)=
 / DbxList->SignatureSize;=0D
--=20
2.24.0.windows.2