Subject: Re: [edk2-devel] [PATCH 1/9] SecurityPkg/DxeImageVerificationLib: Fix memory leaks(CVE-2019-14575)
To: devel@edk2.groups.io, jian.j.wang@intel.com
Cc: Jiewen Yao, Chao Zhang
References: <20200206141933.356-1-jian.j.wang@intel.com> <20200206141933.356-2-jian.j.wang@intel.com>
From: Philippe Mathieu-Daudé
Message-ID: <540cc8dd-13ef-ed56-c513-88e8766100a3@redhat.com>
Date: Thu, 13 Feb 2020 17:43:50 +0100
In-Reply-To: <20200206141933.356-2-jian.j.wang@intel.com>

On 2/6/20 3:19 PM, Wang, Jian J wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
>
> Pointer HashCtx used in IsCertHashFoundInDatabase() is not freed inside
> the while-loop, if it will run more than once.

By extracting part of the code from the big while() statement into a new
function, IsCertHashFoundInDatabase() would be easier to review (and
this mistake could have been avoided).

>
> Cc: Jiewen Yao
> Cc: Chao Zhang
> Signed-off-by: Jian J Wang
> ---
> .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerifica= tionLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificatio= nLib.c > index dbfbfcb4fb..74dbffa122 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= .c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= .c > @@ -908,6 +908,9 @@ IsCertHashFoundInDatabase ( > goto Done; > } > =20 > + FreePool (HashCtx); > + HashCtx =3D NULL; > + > SiglistHeaderSize =3D sizeof (EFI_SIGNATURE_LIST) + DbxList->Signat= ureHeaderSize; > CertHash =3D (EFI_SIGNATURE_DATA *) ((UINT8 *) DbxList + S= iglistHeaderSize); > CertHashCount =3D (DbxList->SignatureListSize - SiglistHeaderSi= ze) / DbxList->SignatureSize; >=20

Reviewed-by: Philippe Mathieu-Daudé
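
Review bot: The added FreePool (HashCtx) sits after the "goto Done;" block at -908, so an iteration that takes that jump still leaves the loop with HashCtx allocated. The Done label is not visible in this hunk, so please confirm that it frees HashCtx when the pointer is non-NULL. The added "HashCtx = NULL;" only avoids a double free if such a guarded free exists on the exit path. Any other early exit between the allocation and this point needs the same check. A one-line comment above the FreePool call saying that the context is released once the hash has been produced would document the ownership. Moving the per-list hashing into its own helper, as suggested in the reply, would keep allocation and release in one place.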