Subject: Re: [PATCH 3/3] SecurityPkg/DxeImageVerificationLib: catch alignment overflow (CVE-2019-14562)
To: Laszlo Ersek, edk2-devel-groups-io
CC: Jian J Wang, Jiewen Yao, Min Xu
References: <20200901091221.20948-1-lersek@redhat.com> <20200901091221.20948-4-lersek@redhat.com>
From: "wenyi,xie" Message-ID: <5b111cf0-4a6a-59cf-df93-f4bd84855842@huawei.com> Date: Wed, 2 Sep 2020 09:32:40 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.0.1 MIME-Version: 1.0 In-Reply-To: <20200901091221.20948-4-lersek@redhat.com> X-Originating-IP: [10.174.153.72] X-CFilter-Loop: Reflected Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 7bit On 2020/9/1 17:12, Laszlo Ersek wrote: > The DxeImageVerificationHandler() function currently checks whether > "SecDataDir" has enough room for "WinCertificate->dwLength". However, for > advancing "OffSet", "WinCertificate->dwLength" is aligned to the next > multiple of 8. If "WinCertificate->dwLength" is large enough, the > alignment will return 0, and "OffSet" will be stuck at the same value. > > Check whether "SecDataDir" has room left for both > "WinCertificate->dwLength" and the alignment. > > Cc: Jian J Wang > Cc: Jiewen Yao > Cc: Min Xu > Cc: Wenyi Xie > Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215 > Signed-off-by: Laszlo Ersek Tested-by: Wenyi Xie > --- > SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index 100739eb3eb6..11154b6cc58a 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > @@ -1860,7 +1860,9 @@ DxeImageVerificationHandler ( > break; > } > WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet); > - if (SecDataDirLeft < WinCertificate->dwLength) { > + if (SecDataDirLeft < WinCertificate->dwLength || > + (SecDataDirLeft - WinCertificate->dwLength < > + ALIGN_SIZE (WinCertificate->dwLength))) { > break; > } > >
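
Review bot: the added condition bounds "WinCertificate->dwLength" from above only, so in the new `SecDataDirLeft - WinCertificate->dwLength < ALIGN_SIZE (WinCertificate->dwLength)` comparison a dwLength of 0 passes both tests (assuming ALIGN_SIZE yields the padding up to the next multiple of 8, as the comparison implies) and also leaves "OffSet" where it was, which is the stuck-offset condition the commit message describes. The hunk does not show a minimum-length check, so please confirm one runs before "OffSet" is advanced, or extend this condition with `WinCertificate->dwLength < sizeof (WIN_CERTIFICATE)`. A short comment stating that the subtraction cannot underflow only because the first comparison short-circuits would also help future readers of this condition.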
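
The arithmetic the commit message describes, as an added example that is not part of the patch or of edk2: a constructed model of a length-prefixed table walk with the pre-patch and patched bounds tests side by side. `PAD8`, `HDR_SIZE`, `fits_unpatched`, `fits_patched` and `walk_cert_table` are hypothetical names, and the 8-byte header size and host-byte-order length read are assumptions of the model.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model, not edk2 code: PAD8 and HDR_SIZE are assumed names. */
#define PAD8(n)  (((n) % 8u) ? 8u - ((n) % 8u) : 0u)  /* bytes up to next multiple of 8 */
#define HDR_SIZE 8u  /* dwLength (4) + wRevision (2) + wCertificateType (2) */

/* Pre-patch test: only the entry itself must fit. */
int fits_unpatched(uint32_t left, uint32_t len)
{
    return left >= len;
}

/* Patched test: the entry and its padding must both fit. The subtraction is
   evaluated only when left >= len, so it cannot underflow. */
int fits_patched(uint32_t left, uint32_t len)
{
    return left >= len && left - len >= PAD8(len);
}

/* Walk a table of length-prefixed entries; return the entry count, or -1 if
   the table is malformed. The length is read in host byte order. */
int walk_cert_table(const uint8_t *table, uint32_t size)
{
    uint32_t off = 0;
    int count = 0;

    while (off < size) {
        uint32_t left = size - off;
        uint32_t len;

        if (left < HDR_SIZE)
            return -1;                      /* truncated header */
        memcpy(&len, table + off, sizeof len);
        if (len < HDR_SIZE)
            return -1;                      /* too short to advance safely */
        if (!fits_patched(left, len))
            return -1;                      /* entry or padding overruns table */
        off += len + PAD8(len);             /* <= left, so no 32-bit wrap */
        count++;
    }
    return count;
}
```

With `left = 0xFFFFFFFF` and `len = 0xFFFFFFFC`, the pre-patch test accepts the entry while `len + PAD8(len)` wraps to 0 in 32 bits; the patched test rejects it.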