From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-delivery-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.61])
 by mx.groups.io with SMTP id smtpd.web12.8902.1581612244598164674
 for <devel@edk2.groups.io>;
 Thu, 13 Feb 2020 08:44:04 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=GGfnUU6p;
 spf=pass (domain: redhat.com, ip: 205.139.110.61, mailfrom: philmd@redhat.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1581612243;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=1R1+jSz0ALpGKBqVttMQ7nMDxaBGcTIYXYuxPqOp+zw=;
	b=GGfnUU6puyqa2Z1IVVnVAQAwOteVCtK3B785OXKCSU2T+vMDv99qDUseO8MhVDTyD56v1A
	E4CHLC9LSzkPk2Kt34znEjxxQfXdDGV8lfS3FZYpK1odOXb8/UIs8TDQp2U6MMM+p5SdZt
	34zP2xh/yLOfLjrAz0oxpDNWUNjEn20=
Received: from mail-wr1-f71.google.com (mail-wr1-f71.google.com
 [209.85.221.71]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-368-SNTGh7I8NXud9qcF3oXK9w-1; Thu, 13 Feb 2020 11:43:53 -0500
Received: by mail-wr1-f71.google.com with SMTP id w6so2583347wrm.16
        for <devel@edk2.groups.io>; Thu, 13 Feb 2020 08:43:53 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=FWZtH+Fh0If4wpfywMGMk6FWaWhmrT08krLddexXr+c=;
        b=ZbSypijxCj5YUBLzd8xqZOkbvw/uHpBKcNVcJVkQamXY9AdvRBN+9GHaW4sZoHgrzM
         NBZu9GRnh71pDe8i8DChfR/SmBQfx4NKw7buQeQgFw6DidaF36lLSkbRkrhtLRJf7CE1
         Br25XF2LhmmP+hr0SCihChhb/G6dvotfBxR8IfMq/heASRdjmt79OySZZT1GgHOTGMD+
         1DII74nXa+i33yHFQ6qrZG5zdMbGCWsbXWWoxpilqvfcfsizr1i+2U1F/LK+5vnB+B+4
         q3UiEJgG+AtOgnCmRreQIcrpCdY6fSGGpUuGaUkNKTC/mxMevyRe9U8YSLl+k+JPo4yb
         396g==
X-Gm-Message-State: APjAAAVMVRd2K08oEN461mPOa94bNHX0bS4Zia6o+bQiBWGKH6ms1v9p
	RY//t+3UAeIB3DvEB0LwQhioRczCes+eC1ltECZZiDzS3XTTGe1o0F2SUamznKCG21BRMD93Ate
	OdpMu0yzyovl66Q==
X-Received: by 2002:adf:d84c:: with SMTP id k12mr22897416wrl.96.1581612232137;
        Thu, 13 Feb 2020 08:43:52 -0800 (PST)
X-Google-Smtp-Source: APXvYqzFluqH5WEv20D7S9SAoTZVjMxPoOOYmP6bID7aRqnYuvguYv5NvYntga3VlLzwr4u+5g+Bcw==
X-Received: by 2002:adf:d84c:: with SMTP id k12mr22897395wrl.96.1581612231945;
        Thu, 13 Feb 2020 08:43:51 -0800 (PST)
Return-Path: <philmd@redhat.com>
Received: from [192.168.1.35] (78.red-88-21-202.staticip.rima-tde.net. [88.21.202.78])
        by smtp.gmail.com with ESMTPSA id l131sm3754885wmf.31.2020.02.13.08.43.51
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Thu, 13 Feb 2020 08:43:51 -0800 (PST)
Subject: Re: [edk2-devel] [PATCH 1/9] SecurityPkg/DxeImageVerificationLib: Fix memory leaks(CVE-2019-14575)
To: devel@edk2.groups.io, jian.j.wang@intel.com
Cc: Jiewen Yao <jiewen.yao@intel.com>, Chao Zhang <chao.b.zhang@intel.com>
References: <20200206141933.356-1-jian.j.wang@intel.com>
 <20200206141933.356-2-jian.j.wang@intel.com>
From: =?UTF-8?B?UGhpbGlwcGUgTWF0aGlldS1EYXVkw6k=?= <philmd@redhat.com>
Message-ID: <540cc8dd-13ef-ed56-c513-88e8766100a3@redhat.com>
Date: Thu, 13 Feb 2020 17:43:50 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <20200206141933.356-2-jian.j.wang@intel.com>
X-MC-Unique: SNTGh7I8NXud9qcF3oXK9w-1
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Language: en-US
Content-Type: text/plain; charset=WINDOWS-1252; format=flowed
Content-Transfer-Encoding: quoted-printable

On 2/6/20 3:19 PM, Wang, Jian J wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1608
>=20
> Pointer HashCtx used in IsCertHashFoundInDatabase() is not freed inside
> the while-loop, if it will run more than once.

By extracting part of the code from the big while() statement into a new=20
function, IsCertHashFoundInDatabase() would be easier to review (and=20
this mistake could have been avoided).

>=20
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Chao Zhang <chao.b.zhang@intel.com>
> Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
> ---
>   .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c  | 3 +++
>   1 file changed, 3 insertions(+)
>=20
> diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerifica=
tionLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificatio=
nLib.c
> index dbfbfcb4fb..74dbffa122 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib=
.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib=
.c
> @@ -908,6 +908,9 @@ IsCertHashFoundInDatabase (
>         goto Done;
>       }
>  =20
> +    FreePool (HashCtx);
> +    HashCtx =3D NULL;
> +
>       SiglistHeaderSize =3D sizeof (EFI_SIGNATURE_LIST) + DbxList->Signat=
ureHeaderSize;
>       CertHash          =3D (EFI_SIGNATURE_DATA *) ((UINT8 *) DbxList + S=
iglistHeaderSize);
>       CertHashCount     =3D (DbxList->SignatureListSize - SiglistHeaderSi=
ze) / DbxList->SignatureSize;
>=20

Reviewed-by: Philippe Mathieu-Daud=E9 <philmd@redhat.com>