From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mout01.posteo.de (mout01.posteo.de [185.67.36.65])
 by mx.groups.io with SMTP id smtpd.web10.20761.1628502713877567224
 for <devel@edk2.groups.io>;
 Mon, 09 Aug 2021 02:51:54 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@posteo.de header.s=2017 header.b=pASXTm7G;
 spf=pass (domain: posteo.de, ip: 185.67.36.65, mailfrom: mhaeuser@posteo.de)
Received: from submission (posteo.de [89.146.220.130]) 
	by mout01.posteo.de (Postfix) with ESMTPS id 5C1A824002A
	for <devel@edk2.groups.io>; Mon,  9 Aug 2021 11:51:52 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017;
	t=1628502712; bh=nufvHFrNYVLdnleI2GsFHAwTEdXxrBPEOFwRX5lrn8o=;
	h=From:To:Cc:Subject:Date:From;
	b=pASXTm7GLcHHl/OTqvDJw1qUHSag3Ug2EDNhgJkSOgFyc9F5l64hnF/yywGikTwXc
	 plSE55hFD8Z0jSrGF21Vy7QHo5TzpcWt9tbqCjBMDwWQb5zOEzZI66/gvzIA72Oa/9
	 lnwGeQiWbCa/26snFyz4UqCBplZRVowgCibYpAgBOMYTuo2dsu4Vgb1hAQZVwPTREa
	 1tf495g8IDPYdUBhjU15l/NXpbhdCRs598EC1/lGkQJSFDryMpEoVCyMgsxBHoiuJ+
	 WHpeH8//bUBgNRdeSgSdX5t0dAqsqwxrbwfIqEsqH5BjXUwj8I5lXFMOoxMIsXUoNb
	 BnFiQm5ZOjhCw==
Received: from customer (localhost [127.0.0.1])
	by submission (posteo.de) with ESMTPSA id 4Gjrvq6PWsz6tmG;
	Mon,  9 Aug 2021 11:51:51 +0200 (CEST)
From: =?UTF-8?B?TWFydmluIEjDpHVzZXI=?= <mhaeuser@posteo.de>
To: devel@edk2.groups.io
Cc: Jiewen Yao <jiewen.yao@intel.com>,
	Jian J Wang <jian.j.wang@intel.com>,
	Min Xu <min.m.xu@intel.com>,
	Vitaly Cheptsov <vit9696@protonmail.com>
Subject: [PATCH v2 2/2] SecurityPkg/SecureBootConfigDxe: Fix certificate lookup algorithm
Date: Mon,  9 Aug 2021 09:51:26 +0000
Message-Id: <7cedc9b336ec5410d833b4ecac53f5b366a636a5.1628501623.git.mhaeuser@posteo.de>
In-Reply-To: <c004d6524b591d813d0f33d78a2a94263c4471ba.1628501623.git.mhaeuser@posteo.de>
References: <c004d6524b591d813d0f33d78a2a94263c4471ba.1628501623.git.mhaeuser@posteo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

The current certificate lookup code does not check the bounds of the
authentication data before accessing it. Abort if the header cannot
fit, and proceed to the next hashing algortihm if the OID of the
current one exceeds the authentication data bounds.

Additionally move the two-byte encoding check out of the loop as the
data is invariant.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Vitaly Cheptsov <vit9696@protonmail.com>
Signed-off-by: Marvin H=C3=A4user <mhaeuser@posteo.de>
---
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl=
.c | 45 ++++++++++++--------
 1 file changed, 28 insertions(+), 17 deletions(-)

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo=
otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu=
reBootConfigImpl.c
index 65a8188d6d03..fd7629f61862 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi=
gImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi=
gImpl.c
@@ -1969,30 +1969,41 @@ HashPeImageByType (
 {=0D
   UINT8                     Index;=0D
   WIN_CERTIFICATE_EFI_PKCS  *PkcsCertData;=0D
+  UINT32                    AuthDataSize;=0D
 =0D
   PkcsCertData =3D (WIN_CERTIFICATE_EFI_PKCS *) (mImageBase + mSecDataDir-=
>Offset);=0D
+  if (PkcsCertData->Hdr.dwLength <=3D sizeof (PkcsCertData->Hdr)) {=0D
+    return EFI_UNSUPPORTED;=0D
+  }=0D
+=0D
+  AuthDataSize =3D PkcsCertData->Hdr.dwLength - sizeof (PkcsCertData->Hdr)=
;=0D
+  if (AuthDataSize < 32) {=0D
+    return EFI_UNSUPPORTED;=0D
+  }=0D
+  //=0D
+  // Check the Hash algorithm in PE/COFF Authenticode.=0D
+  //    According to PKCS#7 Definition:=0D
+  //        SignedData ::=3D SEQUENCE {=0D
+  //            version Version,=0D
+  //            digestAlgorithms DigestAlgorithmIdentifiers,=0D
+  //            contentInfo ContentInfo,=0D
+  //            .... }=0D
+  //    The DigestAlgorithmIdentifiers can be used to determine the hash a=
lgorithm in PE/COFF hashing=0D
+  //    This field has the fixed offset (+32) in final Authenticode ASN.1 =
data.=0D
+  //    Fixed offset (+32) is calculated based on two bytes of length enco=
ding.=0D
+  //=0D
+  if ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCO=
DE) {=0D
+    //=0D
+    // Only support two bytes of Long Form of Length Encoding.=0D
+    //=0D
+    return EFI_UNSUPPORTED;=0D
+  }=0D
 =0D
   for (Index =3D 0; Index < HASHALG_MAX; Index++) {=0D
-    //=0D
-    // Check the Hash algorithm in PE/COFF Authenticode.=0D
-    //    According to PKCS#7 Definition:=0D
-    //        SignedData ::=3D SEQUENCE {=0D
-    //            version Version,=0D
-    //            digestAlgorithms DigestAlgorithmIdentifiers,=0D
-    //            contentInfo ContentInfo,=0D
-    //            .... }=0D
-    //    The DigestAlgorithmIdentifiers can be used to determine the hash=
 algorithm in PE/COFF hashing=0D
-    //    This field has the fixed offset (+32) in final Authenticode ASN.=
1 data.=0D
-    //    Fixed offset (+32) is calculated based on two bytes of length en=
coding.=0D
-     //=0D
-    if ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_EN=
CODE) {=0D
-      //=0D
-      // Only support two bytes of Long Form of Length Encoding.=0D
-      //=0D
+    if (AuthDataSize - 32 < mHash[Index].OidLength) {=0D
       continue;=0D
     }=0D
 =0D
-    //=0D
     if (CompareMem (PkcsCertData->CertData + 32, mHash[Index].OidValue, mH=
ash[Index].OidLength) =3D=3D 0) {=0D
       break;=0D
     }=0D
--=20
2.31.1