From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) by mx.groups.io with SMTP id smtpd.web11.4018.1581586462780227055 for ; Thu, 13 Feb 2020 01:34:22 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 192.55.52.120, mailfrom: jiewen.yao@intel.com) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga008.jf.intel.com ([10.7.209.65]) by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Feb 2020 01:34:22 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,436,1574150400"; d="scan'208";a="227178709" Received: from fmsmsx107.amr.corp.intel.com ([10.18.124.205]) by orsmga008.jf.intel.com with ESMTP; 13 Feb 2020 01:34:22 -0800 Received: from fmsmsx117.amr.corp.intel.com (10.18.116.17) by fmsmsx107.amr.corp.intel.com (10.18.124.205) with Microsoft SMTP Server (TLS) id 14.3.439.0; Thu, 13 Feb 2020 01:34:21 -0800 Received: from shsmsx105.ccr.corp.intel.com (10.239.4.158) by fmsmsx117.amr.corp.intel.com (10.18.116.17) with Microsoft SMTP Server (TLS) id 14.3.439.0; Thu, 13 Feb 2020 01:34:21 -0800 Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.126]) by SHSMSX105.ccr.corp.intel.com ([169.254.11.138]) with mapi id 14.03.0439.000; Thu, 13 Feb 2020 17:34:19 +0800 From: "Yao, Jiewen" To: "Wang, Jian J" , "devel@edk2.groups.io" CC: "Zhang, Chao B" Subject: Re: [PATCH 1/9] SecurityPkg/DxeImageVerificationLib: Fix memory leaks(CVE-2019-14575) Thread-Topic: [PATCH 1/9] SecurityPkg/DxeImageVerificationLib: Fix memory leaks(CVE-2019-14575) Thread-Index: AQHV3Ph35iy7NRz6F0OzL/mrqy2hvagY53IQ Date: Thu, 13 Feb 2020 09:34:18 +0000 Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503F92CB40@shsmsx102.ccr.corp.intel.com> References: <20200206141933.356-1-jian.j.wang@intel.com> <20200206141933.356-2-jian.j.wang@intel.com> In-Reply-To: <20200206141933.356-2-jian.j.wang@intel.com> Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-product: dlpe-windows dlp-version: 11.2.0.6 dlp-reaction: no-action x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Return-Path: jiewen.yao@intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Jiewen Yao > -----Original Message----- > From: Wang, Jian J > Sent: Thursday, February 6, 2020 10:19 PM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Zhang, Chao B > > Subject: [PATCH 1/9] SecurityPkg/DxeImageVerificationLib: Fix memory > leaks(CVE-2019-14575) >=20 > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1608 >=20 > Pointer HashCtx used in IsCertHashFoundInDatabase() is not freed inside > the while-loop, if it will run more than once. >=20 > Cc: Jiewen Yao > Cc: Chao Zhang > Signed-off-by: Jian J Wang > --- > .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 3 +++ > 1 file changed, 3 insertions(+) >=20 > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index dbfbfcb4fb..74dbffa122 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= .c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= .c > @@ -908,6 +908,9 @@ IsCertHashFoundInDatabase ( > goto Done; >=20 > } >=20 >=20 >=20 > + FreePool (HashCtx); >=20 > + HashCtx =3D NULL; >=20 > + >=20 > SiglistHeaderSize =3D sizeof (EFI_SIGNATURE_LIST) + DbxList- > >SignatureHeaderSize; >=20 > CertHash =3D (EFI_SIGNATURE_DATA *) ((UINT8 *) DbxList + > SiglistHeaderSize); >=20 > CertHashCount =3D (DbxList->SignatureListSize - SiglistHeaderSiz= e) / DbxList- > >SignatureSize; >=20 > -- > 2.24.0.windows.2