From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by mx.groups.io with SMTP id smtpd.web12.4521.1581588856450112914 for ; Thu, 13 Feb 2020 02:14:16 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 192.55.52.115, mailfrom: jiewen.yao@intel.com) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga007.jf.intel.com ([10.7.209.58]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Feb 2020 02:14:15 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,436,1574150400"; d="scan'208";a="222601263" Received: from fmsmsx105.amr.corp.intel.com ([10.18.124.203]) by orsmga007.jf.intel.com with ESMTP; 13 Feb 2020 02:14:15 -0800 Received: from fmsmsx604.amr.corp.intel.com (10.18.126.84) by FMSMSX105.amr.corp.intel.com (10.18.124.203) with Microsoft SMTP Server (TLS) id 14.3.439.0; Thu, 13 Feb 2020 02:14:15 -0800 Received: from fmsmsx604.amr.corp.intel.com (10.18.126.84) by fmsmsx604.amr.corp.intel.com (10.18.126.84) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Thu, 13 Feb 2020 02:14:14 -0800 Received: from shsmsx153.ccr.corp.intel.com (10.239.6.53) by fmsmsx604.amr.corp.intel.com (10.18.126.84) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.1713.5 via Frontend Transport; Thu, 13 Feb 2020 02:14:14 -0800 Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.126]) by SHSMSX153.ccr.corp.intel.com ([169.254.12.97]) with mapi id 14.03.0439.000; Thu, 13 Feb 2020 18:14:12 +0800 From: "Yao, Jiewen" To: "Wang, Jian J" , "devel@edk2.groups.io" CC: Laszlo Ersek , "Zhang, Chao B" Subject: Re: [PATCH 8/9] SecurityPkg/DxeImageVerificationLib: plug Data leak in IsForbiddenByDbx()(CVE-2019-14575) Thread-Topic: [PATCH 8/9] SecurityPkg/DxeImageVerificationLib: plug Data leak in IsForbiddenByDbx()(CVE-2019-14575) Thread-Index: AQHV3Ph+siaFz7wZYkqynS4lua24J6gY8qcw Date: Thu, 13 Feb 2020 10:14:12 +0000 Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503F92CC7A@shsmsx102.ccr.corp.intel.com> References: <20200206141933.356-1-jian.j.wang@intel.com> <20200206141933.356-9-jian.j.wang@intel.com> In-Reply-To: <20200206141933.356-9-jian.j.wang@intel.com> Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-product: dlpe-windows dlp-version: 11.2.0.6 dlp-reaction: no-action x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Return-Path: jiewen.yao@intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Jiewen Yao > -----Original Message----- > From: Wang, Jian J > Sent: Thursday, February 6, 2020 10:20 PM > To: devel@edk2.groups.io > Cc: Laszlo Ersek ; Yao, Jiewen ; > Zhang, Chao B > Subject: [PATCH 8/9] SecurityPkg/DxeImageVerificationLib: plug Data leak = in > IsForbiddenByDbx()(CVE-2019-14575) >=20 > From: Laszlo Ersek >=20 > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1608 >=20 > If the second GetVariable() call for "dbx" fails, in IsForbiddenByDbx(), > we have to free Data. Jump to "Done" for that. >=20 > Cc: Jiewen Yao > Cc: Chao Zhang > Signed-off-by: Laszlo Ersek > --- > .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) >=20 > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index 2236ce98ce..5b7a67f811 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= .c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= .c > @@ -1274,7 +1274,7 @@ IsForbiddenByDbx ( >=20 >=20 > Status =3D gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, > &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, (VOID *) Data); >=20 > if (EFI_ERROR (Status)) { >=20 > - return IsForbidden; >=20 > + goto Done; >=20 > } >=20 >=20 >=20 > // >=20 > -- > 2.24.0.windows.2