From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga02.intel.com (mga02.intel.com []) by mx.groups.io with SMTP id smtpd.web11.12696.1580998775768725774 for ; Thu, 06 Feb 2020 06:19:37 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=fail (domain: intel.com, ip: , mailfrom: jian.j.wang@intel.com) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 06 Feb 2020 06:19:36 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,409,1574150400"; d="scan'208";a="226160666" Received: from shwdeopensfp777.ccr.corp.intel.com ([10.239.158.78]) by fmsmga008.fm.intel.com with ESMTP; 06 Feb 2020 06:19:35 -0800 From: "Wang, Jian J" To: devel@edk2.groups.io Cc: Jiewen Yao , Chao Zhang , Laszlo Ersek Subject: [PATCH 2/9] SecurityPkg/DxeImageVerificationLib: reject CertStack.CertNumber==0 per DBX(CVE-2019-14575) Date: Thu, 6 Feb 2020 22:19:26 +0800 Message-Id: <20200206141933.356-3-jian.j.wang@intel.com> X-Mailer: git-send-email 2.24.0.windows.2 In-Reply-To: <20200206141933.356-1-jian.j.wang@intel.com> References: <20200206141933.356-1-jian.j.wang@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable In case the signers' certificate stack, retrieved from the PE/COFF image's Authenticode blob, has zero elements (=3D there are zero signer certificate= s), then we should consider the image forbidden by DBX, not accepted by DBX. Cc: Jiewen Yao Cc: Chao Zhang Signed-off-by: Jian J Wang Reviewed-by: Laszlo Ersek --- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index 74dbffa122..5dcd6efed5 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1326,7 +1326,7 @@ IsForbiddenByDbx ( // UINT8 Certn[];=0D //=0D Pkcs7GetSigners (AuthData, AuthDataSize, &CertBuffer, &BufferLength, &Tr= ustedCert, &TrustedCertLength);=0D - if ((BufferLength =3D=3D 0) || (CertBuffer =3D=3D NULL)) {=0D + if ((BufferLength =3D=3D 0) || (CertBuffer =3D=3D NULL) || (*CertBuffer)= =3D=3D 0) {=0D IsForbidden =3D TRUE;=0D goto Done;=0D }=0D --=20 2.24.0.windows.2