From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from huawei.com (huawei.com [45.249.212.32])
 by mx.groups.io with SMTP id smtpd.web10.11549.1599010368657405327
 for <devel@edk2.groups.io>;
 Tue, 01 Sep 2020 18:32:49 -0700
Authentication-Results: mx.groups.io;
 dkim=missing; spf=pass (domain: huawei.com, ip: 45.249.212.32, mailfrom: xiewenyi2@huawei.com)
Received: from DGGEMS408-HUB.china.huawei.com (unknown [172.30.72.59])
	by Forcepoint Email with ESMTP id 8A81233BCAEE1C83C24C;
	Wed,  2 Sep 2020 09:32:44 +0800 (CST)
Received: from [127.0.0.1] (10.174.153.72) by DGGEMS408-HUB.china.huawei.com
 (10.3.19.208) with Microsoft SMTP Server id 14.3.487.0; Wed, 2 Sep 2020
 09:32:41 +0800
Subject: Re: [PATCH 3/3] SecurityPkg/DxeImageVerificationLib: catch alignment overflow (CVE-2019-14562)
To: Laszlo Ersek <lersek@redhat.com>, edk2-devel-groups-io
	<devel@edk2.groups.io>
CC: Jian J Wang <jian.j.wang@intel.com>, Jiewen Yao <jiewen.yao@intel.com>,
	Min Xu <min.m.xu@intel.com>
References: <20200901091221.20948-1-lersek@redhat.com>
 <20200901091221.20948-4-lersek@redhat.com>
From: "wenyi,xie" <xiewenyi2@huawei.com>
Message-ID: <5b111cf0-4a6a-59cf-df93-f4bd84855842@huawei.com>
Date: Wed, 2 Sep 2020 09:32:40 +0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
 Thunderbird/78.0.1
MIME-Version: 1.0
In-Reply-To: <20200901091221.20948-4-lersek@redhat.com>
X-Originating-IP: [10.174.153.72]
X-CFilter-Loop: Reflected
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit



On 2020/9/1 17:12, Laszlo Ersek wrote:
> The DxeImageVerificationHandler() function currently checks whether
> "SecDataDir" has enough room for "WinCertificate->dwLength". However, for
> advancing "OffSet", "WinCertificate->dwLength" is aligned to the next
> multiple of 8. If "WinCertificate->dwLength" is large enough, the
> alignment will return 0, and "OffSet" will be stuck at the same value.
> 
> Check whether "SecDataDir" has room left for both
> "WinCertificate->dwLength" and the alignment.
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Wenyi Xie <xiewenyi2@huawei.com>
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Tested-by: Wenyi Xie <xiewenyi2@huawei.com>

> ---
>  SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 100739eb3eb6..11154b6cc58a 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1860,7 +1860,9 @@ DxeImageVerificationHandler (
>        break;
>      }
>      WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
> -    if (SecDataDirLeft < WinCertificate->dwLength) {
> +    if (SecDataDirLeft < WinCertificate->dwLength ||
> +        (SecDataDirLeft - WinCertificate->dwLength <
> +         ALIGN_SIZE (WinCertificate->dwLength))) {
>        break;
>      }
>  
>