From: "Marvin Häuser" <mhaeuser@posteo.de>
To: devel@edk2.groups.io
Cc: Jiewen Yao <jiewen.yao@intel.com>,
	Jian J Wang <jian.j.wang@intel.com>, Min Xu <min.m.xu@intel.com>,
	Vitaly Cheptsov <vit9696@protonmail.com>
Subject: [PATCH] SecurityPkg/SecureBootConfigDxe: Fix certificate lookup algorithm
Date: Sun,  8 Aug 2021 19:39:56 +0000
Message-ID: <7cedc9b336ec5410d833b4ecac53f5b366a636a5.1628448920.git.mhaeuser@posteo.de>
In-Reply-To: <c004d6524b591d813d0f33d78a2a94263c4471ba.1628448920.git.mhaeuser@posteo.de>

The current certificate lookup code does not check the bounds of the
authentication data before accessing it. Abort if the header cannot
fit, and proceed to the next hashing algorithm if the OID of the
current one exceeds the authentication data bounds.

Additionally move the two-byte encoding check out of the loop as the
data is invariant.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Vitaly Cheptsov <vit9696@protonmail.com>
Signed-off-by: Marvin Häuser <mhaeuser@posteo.de>
---
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 45 ++++++++++++--------
 1 file changed, 28 insertions(+), 17 deletions(-)

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index 65a8188d6d03..fd7629f61862 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -1969,30 +1969,41 @@ HashPeImageByType (
 {
   UINT8                     Index;
   WIN_CERTIFICATE_EFI_PKCS  *PkcsCertData;
+  UINT32                    AuthDataSize;
 
   PkcsCertData = (WIN_CERTIFICATE_EFI_PKCS *) (mImageBase + mSecDataDir->Offset);
+  if (PkcsCertData->Hdr.dwLength <= sizeof (PkcsCertData->Hdr)) {
+    return EFI_UNSUPPORTED;
+  }
+
+  AuthDataSize = PkcsCertData->Hdr.dwLength - sizeof (PkcsCertData->Hdr);
+  if (AuthDataSize < 32) {
+    return EFI_UNSUPPORTED;
+  }
+  //
+  // Check the Hash algorithm in PE/COFF Authenticode.
+  //    According to PKCS#7 Definition:
+  //        SignedData ::= SEQUENCE {
+  //            version Version,
+  //            digestAlgorithms DigestAlgorithmIdentifiers,
+  //            contentInfo ContentInfo,
+  //            .... }
+  //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
+  //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.
+  //    Fixed offset (+32) is calculated based on two bytes of length encoding.
+  //
+  if ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
+    //
+    // Only support two bytes of Long Form of Length Encoding.
+    //
+    return EFI_UNSUPPORTED;
+  }
 
   for (Index = 0; Index < HASHALG_MAX; Index++) {
-    //
-    // Check the Hash algorithm in PE/COFF Authenticode.
-    //    According to PKCS#7 Definition:
-    //        SignedData ::= SEQUENCE {
-    //            version Version,
-    //            digestAlgorithms DigestAlgorithmIdentifiers,
-    //            contentInfo ContentInfo,
-    //            .... }
-    //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
-    //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.
-    //    Fixed offset (+32) is calculated based on two bytes of length encoding.
-     //
-    if ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
-      //
-      // Only support two bytes of Long Form of Length Encoding.
-      //
+    if (AuthDataSize - 32 < mHash[Index].OidLength) {
       continue;
     }
 
-    //
     if (CompareMem (PkcsCertData->CertData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {
       break;
     }
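
Review bot: AuthDataSize is derived solely from PkcsCertData->Hdr.dwLength, a field read from the image being checked, and nothing in the visible lines compares dwLength (or the header read at mImageBase + mSecDataDir->Offset) against the size of the security data directory that mSecDataDir describes. The new checks are therefore only as strong as dwLength is trustworthy: a certificate that declares a large dwLength still passes "AuthDataSize < 32" and "AuthDataSize - 32 < mHash[Index].OidLength" even when the directory is shorter than that. Unless the caller already validates this, please add a check before the first dereference that the directory can hold sizeof (PkcsCertData->Hdr) and that dwLength does not exceed the directory size, which would also match the commit message's "Abort if the header cannot fit". As a smaller point, the literal 32 now appears in the size check, in the subtraction and in the CompareMem offset; a named constant next to TWO_BYTE_ENCODE would keep the three in sync.
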
-- 
2.31.1

