From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Wang, Jian J"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Chao Zhang
Subject: [PATCH v2 04/10] SecurityPkg/DxeImageVerificationLib: avoid bypass in fetching dbx(CVE-2019-14575)
Date: Fri, 14 Feb 2020 15:27:39 +0800
Message-Id: <20200214072745.1570-5-jian.j.wang@intel.com>
In-Reply-To: <20200214072745.1570-1-jian.j.wang@intel.com>
References: <20200214072745.1570-1-jian.j.wang@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608

In the timestamp check after the cert is found in db, the original code
jumps to 'Done' if any error happens in fetching the dbx variable. At any of
these jumps, VerifyStatus equals TRUE, which means allowed-by-db. This
should not be allowed except in the EFI_NOT_FOUND case (meaning dbx doesn't
exist), because it could be used to bypass the timestamp check.

This patch adds code to change VerifyStatus to FALSE in the case of memory
allocation failure and dbx fetching failure to avoid a potential bypass issue.

Cc: Jiewen Yao
Cc: Chao Zhang
Signed-off-by: Jian J Wang Reviewed-by: Jiewen Yao --- .../DxeImageVerificationLib/DxeImageVerificationLib.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index 1efb2f96cd..ed5dbf26b0 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1459,15 +1459,26 @@ IsAllowedByDb ( DbxDataSize =3D 0;=0D Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &= gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, NULL);=0D if (Status !=3D EFI_BUFFER_TOO_SMALL) {=0D + if (Status !=3D EFI_NOT_FOUND) {=0D + VerifyStatus =3D FALSE;=0D + }=0D goto Done;=0D }=0D DbxData =3D (UINT8 *) AllocateZeroPool (DbxDataSize);=0D if (DbxData =3D=3D NULL) {=0D + //=0D + // Force not-allowed-by-db to avoid bypass=0D + //=0D + VerifyStatus =3D FALSE;=0D goto Done;=0D }=0D =0D Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gE= fiImageSecurityDatabaseGuid, NULL, &DbxDataSize, (VOID *) DbxData);=0D if (EFI_ERROR (Status)) {=0D + //=0D + // Force not-allowed-by-db to avoid bypass=0D + //=0D + VerifyStatus =3D FALSE;=0D goto Done;=0D }=0D =0D --=20 2.24.0.windows.2
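
Review bot: The new "if (Status != EFI_NOT_FOUND)" branch after the size-probing GetVariable call is the only one of the three added paths without a comment, and it is the one that needs it most. Please state there that EFI_NOT_FOUND means dbx does not exist, so the allowed-by-db result stands, while any other status forces not-allowed-by-db. The second GetVariable call denies on every error, EFI_NOT_FOUND included; that fails closed, but the difference from the first call deserves a word in its comment so it reads as intentional. None of the three added paths logs anything before "goto Done", so consider a DEBUG message on each that records Status or the allocation failure, to make a rejection caused by a dbx fetch error diagnosable.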