From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga02.intel.com (mga02.intel.com [])
 by mx.groups.io with SMTP id smtpd.web11.12696.1580998775768725774
 for <devel@edk2.groups.io>;
 Thu, 06 Feb 2020 06:19:42 -0800
Authentication-Results: mx.groups.io;
 dkim=missing; spf=fail (domain: intel.com, ip: <nil>, mailfrom: jian.j.wang@intel.com)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga008.fm.intel.com ([10.253.24.58])
  by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 06 Feb 2020 06:19:42 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.70,409,1574150400"; 
   d="scan'208";a="226160701"
Received: from shwdeopensfp777.ccr.corp.intel.com ([10.239.158.78])
  by fmsmga008.fm.intel.com with ESMTP; 06 Feb 2020 06:19:41 -0800
From: "Wang, Jian J" <jian.j.wang@intel.com>
To: devel@edk2.groups.io
Cc: Laszlo Ersek <lersek@redhat.com>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Chao Zhang <chao.b.zhang@intel.com>
Subject: [PATCH 8/9] SecurityPkg/DxeImageVerificationLib: plug Data leak in IsForbiddenByDbx()(CVE-2019-14575)
Date: Thu,  6 Feb 2020 22:19:32 +0800
Message-Id: <20200206141933.356-9-jian.j.wang@intel.com>
X-Mailer: git-send-email 2.24.0.windows.2
In-Reply-To: <20200206141933.356-1-jian.j.wang@intel.com>
References: <20200206141933.356-1-jian.j.wang@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

From: Laszlo Ersek <lersek@redhat.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1608

If the second GetVariable() call for "dbx" fails, in IsForbiddenByDbx(),
we have to free Data. Jump to "Done" for that.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati=
onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL=
ib.c
index 2236ce98ce..5b7a67f811 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1274,7 +1274,7 @@ IsForbiddenByDbx (
 =0D
   Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSec=
urityDatabaseGuid, NULL, &DataSize, (VOID *) Data);=0D
   if (EFI_ERROR (Status)) {=0D
-    return IsForbidden;=0D
+    goto Done;=0D
   }=0D
 =0D
   //=0D
--=20
2.24.0.windows.2