From: "Yao, Jiewen"
To: "Wang, Jian J", "devel@edk2.groups.io"
CC: "Zhang, Chao B"
Subject: Re: [PATCH 4/9] SecurityPkg/DxeImageVerificationLib: avoid bypass in fetching dbx in IsAllowedByDb(CVE-2019-14575)
Date: Thu, 13 Feb 2020 09:39:33 +0000
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503F92CBA5@shsmsx102.ccr.corp.intel.com>
References: <20200206141933.356-1-jian.j.wang@intel.com> <20200206141933.356-5-jian.j.wang@intel.com>
In-Reply-To: <20200206141933.356-5-jian.j.wang@intel.com>

Reviewed-by: Jiewen Yao

> -----Original Message-----
> From: Wang, Jian J
> Sent: Thursday, February 6, 2020 10:19 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen; Zhang, Chao B
> Subject: [PATCH 4/9] SecurityPkg/DxeImageVerificationLib: avoid bypass in
> fetching dbx in IsAllowedByDb(CVE-2019-14575)
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
>
> In the timestamp check after the cert is found in db, the original code jumps
> to 'Done' if any error happens in fetching the dbx variable. At any of these jumps,
> VerifyStatus equals TRUE, which means allowed-by-db. This should not
> be allowed except in the EFI_NOT_FOUND case (meaning dbx doesn't exist),
> because it could be used to bypass the timestamp check.
>
> This patch adds code to change VerifyStatus to FALSE in the case of memory
> allocation failure and dbx fetching failure to avoid a potential bypass issue.
>
> Cc: Jiewen Yao
> Cc: Chao Zhang
> Signed-off-by: Jian J Wang > --- > .../DxeImageVerificationLib/DxeImageVerificationLib.c | 11 +++++++++++ > 1 file changed, 11 insertions(+) >=20 > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index 1efb2f96cd..ed5dbf26b0 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= .c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= .c > @@ -1459,15 +1459,26 @@ IsAllowedByDb ( > DbxDataSize =3D 0; >=20 > Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, > &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, NULL); >=20 > if (Status !=3D EFI_BUFFER_TOO_SMALL) { >=20 > + if (Status !=3D EFI_NOT_FOUND) { >=20 > + VerifyStatus =3D FALSE; >=20 > + } >=20 > goto Done; >=20 > } >=20 > DbxData =3D (UINT8 *) AllocateZeroPool (DbxDataSize); >=20 > if (DbxData =3D=3D NULL) { >=20 > + // >=20 > + // Force not-allowed-by-db to avoid bypass >=20 > + // >=20 > + VerifyStatus =3D FALSE; >=20 > goto Done; >=20 > } >=20 >=20 >=20 > Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, > &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, (VOID *) DbxData); >=20 > if (EFI_ERROR (Status)) { >=20 > + // >=20 > + // Force not-allowed-by-db to avoid bypass >=20 > + // >=20 > + VerifyStatus =3D FALSE; >=20 > goto Done; >=20 > } >=20 >=20 >=20 > -- > 2.24.0.windows.2
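Review bot: the `if (Status != EFI_NOT_FOUND)` exemption in the first branch is the only error path that still leaves VerifyStatus TRUE, and it is the one spot without a comment, while the allocation-failure and read-failure branches each get a three-line `// Force not-allowed-by-db to avoid bypass` block; add a matching comment there stating that a missing dbx (EFI_NOT_FOUND from the size query) is the single status that legitimately keeps the db verdict, so the exemption is not later folded into the generic error handling by someone reading only the two commented branches. Behaviourally the hunk does what the commit message says: any status other than EFI_BUFFER_TOO_SMALL or EFI_NOT_FOUND from the size query, a NULL from AllocateZeroPool, and any error from the second GetVariable now set `VerifyStatus = FALSE` before `goto Done`, so the image is rejected instead of silently skipping the dbx timestamp check.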
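The fail-closed change the patch describes, as an added example that is not part of the edk2 source or of this patch: a small C model of the dbx-fetch step in IsAllowedByDb, with a constructed stand-in for gRT->GetVariable (MockGetVariable), a few scripted scenarios, and the original and patched decision logic selected by a flag so the verdicts can be compared side by side. The EFI_STATUS enum values, DbxScenario, FetchDbxAndCheck, VerdictOriginal and VerdictPatched are all names invented for this illustration; the real function walks dbx and compares signing timestamps, which the model collapses into a DbxRevokesCert flag.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the EFI_STATUS codes that matter in this step. */
typedef enum {
  EFI_SUCCESS = 0,
  EFI_NOT_FOUND,
  EFI_BUFFER_TOO_SMALL,
  EFI_DEVICE_ERROR,
  EFI_SECURITY_VIOLATION
} EFI_STATUS;

/* One scripted run of gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, ...)
 * plus the surrounding allocation and the (abstracted) dbx revocation result. */
typedef struct {
  const char *Name;
  EFI_STATUS  SizeQueryStatus;  /* first call: DataSize == 0, Data == NULL */
  EFI_STATUS  ReadStatus;       /* second call: real buffer supplied       */
  bool        AllocFails;       /* AllocateZeroPool returns NULL           */
  bool        DbxRevokesCert;   /* what the timestamp check would conclude */
} DbxScenario;

/* Hypothetical stand-in for gRT->GetVariable driven by the scenario. */
static EFI_STATUS MockGetVariable (const DbxScenario *S, size_t *DataSize, void *Data)
{
  if (Data == NULL) {
    if (S->SizeQueryStatus == EFI_BUFFER_TOO_SMALL) {
      *DataSize = 64;  /* any non-zero dbx size will do for the model */
    }
    return S->SizeQueryStatus;
  }
  if (S->ReadStatus == EFI_SUCCESS) {
    memset (Data, 0, *DataSize);
  }
  return S->ReadStatus;
}

/* Skeleton of the dbx-fetch step. FailClosed = false reproduces the pre-patch
 * flow (every early exit keeps the allowed-by-db verdict); FailClosed = true
 * applies the patch: every fetch error except EFI_NOT_FOUND denies. */
static bool FetchDbxAndCheck (const DbxScenario *S, bool FailClosed)
{
  bool        VerifyStatus = true;  /* cert was already found in db */
  size_t      DbxDataSize  = 0;
  uint8_t    *DbxData      = NULL;
  EFI_STATUS  Status;

  Status = MockGetVariable (S, &DbxDataSize, NULL);
  if (Status != EFI_BUFFER_TOO_SMALL) {
    if (FailClosed && Status != EFI_NOT_FOUND) {
      VerifyStatus = false;       /* dbx exists but could not be sized */
    }
    goto Done;                    /* EFI_NOT_FOUND: nothing can revoke the cert */
  }
  DbxData = S->AllocFails ? NULL : calloc (1, DbxDataSize);
  if (DbxData == NULL) {
    if (FailClosed) VerifyStatus = false;   /* Force not-allowed-by-db */
    goto Done;
  }
  Status = MockGetVariable (S, &DbxDataSize, DbxData);
  if (Status != EFI_SUCCESS) {
    if (FailClosed) VerifyStatus = false;   /* Force not-allowed-by-db */
    goto Done;
  }
  /* The real code walks dbx here and clears VerifyStatus when a revoked cert
   * with a matching timestamp is found; the model takes that verdict from
   * the scenario. */
  VerifyStatus = !S->DbxRevokesCert;

Done:
  free (DbxData);
  return VerifyStatus;
}

/* Constructed scenarios; the cert is revoked by dbx in every case where dbx exists. */
static const DbxScenario kScenarios[] = {
  { "dbx present, cert revoked",  EFI_BUFFER_TOO_SMALL, EFI_SUCCESS,            false, true  },
  { "dbx absent (EFI_NOT_FOUND)", EFI_NOT_FOUND,        EFI_SUCCESS,            false, false },
  { "size query fails",           EFI_DEVICE_ERROR,     EFI_SUCCESS,            false, true  },
  { "AllocateZeroPool fails",     EFI_BUFFER_TOO_SMALL, EFI_SUCCESS,            true,  true  },
  { "dbx read fails",             EFI_BUFFER_TOO_SMALL, EFI_SECURITY_VIOLATION, false, true  },
};
#define SCENARIO_COUNT (sizeof kScenarios / sizeof kScenarios[0])

bool VerdictOriginal (size_t Idx) { return FetchDbxAndCheck (&kScenarios[Idx], false); }
bool VerdictPatched  (size_t Idx) { return FetchDbxAndCheck (&kScenarios[Idx], true);  }

int main (void)
{
  for (size_t I = 0; I < SCENARIO_COUNT; I++) {
    printf ("%-28s original=%-5s patched=%s\n", kScenarios[I].Name,
            VerdictOriginal (I) ? "ALLOW" : "deny",
            VerdictPatched (I)  ? "ALLOW" : "deny");
  }
  return 0;
}
```

Scenarios 2 to 4 are the bypass: with the original flow a cert that dbx would revoke is accepted whenever sizing, allocating or reading dbx fails, while the patched flow denies in all three and still accepts only when dbx is genuinely absent.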