From: Philippe Mathieu-Daudé <philmd@redhat.com>
Subject: Re: [edk2-devel] [PATCH 3/3] SecurityPkg/DxeImageVerificationLib: catch alignment overflow (CVE-2019-14562)
To: devel@edk2.groups.io, lersek@redhat.com
Cc: Jian J Wang, Jiewen Yao, Min Xu, Wenyi Xie
Date: Tue, 1 Sep 2020 17:53:49 +0200
Message-ID: <7fae1361-e773-bb0f-21c8-fd548b4bbdab@redhat.com>
In-Reply-To: <20200901091221.20948-4-lersek@redhat.com>
References: <20200901091221.20948-1-lersek@redhat.com> <20200901091221.20948-4-lersek@redhat.com>
Hi Laszlo,

On 9/1/20 11:12 AM, Laszlo Ersek wrote:
> The DxeImageVerificationHandler() function currently checks whether
> "SecDataDir" has enough room for "WinCertificate->dwLength". However, for
> advancing "OffSet", "WinCertificate->dwLength" is aligned to the next
> multiple of 8. If "WinCertificate->dwLength" is large enough, the
> alignment will return 0, and "OffSet" will be stuck at the same value.
>
> Check whether "SecDataDir" has room left for both
> "WinCertificate->dwLength" and the alignment.
>
> Cc: Jian J Wang
> Cc: Jiewen Yao
> Cc: Min Xu
> Cc: Wenyi Xie
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
> Signed-off-by: Laszlo Ersek
> ---
> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 100739eb3eb6..11154b6cc58a 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1860,7 +1860,9 @@ DxeImageVerificationHandler ( > break; > } > WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet); > - if (SecDataDirLeft < WinCertificate->dwLength) { > + if (SecDataDirLeft < WinCertificate->dwLength || > + (SecDataDirLeft - WinCertificate->dwLength < > + ALIGN_SIZE (WinCertificate->dwLength))) { I dare to ask (probably again, I remember some similar boundary check style question once), why not as (which is simpler for me to review): if (SecDataDirLeft < WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength)) { At any rate, for this patch: Reviewed-by: Philippe Mathieu-Daude > break; > } > >
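Review bot: the new two-clause condition at line 1863 deserves a short comment above it saying why it is not written as the single comparison `SecDataDirLeft < WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength)`. That form computes the rounded-up length first, in dwLength's own integer width, and for a large `dwLength` the sum wraps to 0 (the same wrap the commit message describes for the loop increment), so the room check would pass and `OffSet` would still not advance. The first clause `SecDataDirLeft < WinCertificate->dwLength` is what guarantees the subtraction in the second clause cannot underflow, and comparing the remaining room against `ALIGN_SIZE (WinCertificate->dwLength)` never needs the wrapped sum; a one-line comment stating that ordering would stop the next reader from "simplifying" it back to the addition.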
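As an added illustration, not code from the patch or from edk2, the wrap the commit message describes modelled in plain C: a pad-to-8 helper named after ALIGN_SIZE (its exact definition here is an assumption), a hypothetical single-addition form of the room check beside the subtraction form the patch uses, and the loop increment that gets "stuck". All function names and sample values are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed pad-to-8 helper, named after the ALIGN_SIZE() macro the patch
   calls: number of bytes needed to reach the next multiple of 8. */
#define ALIGNMENT      8u
#define ALIGN_SIZE(a)  (((a) % ALIGNMENT) ? ALIGNMENT - ((a) % ALIGNMENT) : 0u)

/* Hypothetical single-addition form, for contrast: rounds dwLength up first.
   For dwLength close to UINT32_MAX the sum wraps to 0, so any room "fits". */
bool naive_has_room(uint32_t SecDataDirLeft, uint32_t dwLength) {
  uint32_t Rounded = dwLength + ALIGN_SIZE(dwLength);   /* may wrap to 0 */
  return SecDataDirLeft >= Rounded;
}

/* Shape of the check in the patch: the first clause guarantees that the
   subtraction in the second clause cannot underflow, and the padding is
   compared against the remaining room, so nothing can wrap. */
bool patched_has_room(uint32_t SecDataDirLeft, uint32_t dwLength) {
  if (SecDataDirLeft < dwLength) {
    return false;
  }
  if (SecDataDirLeft - dwLength < ALIGN_SIZE(dwLength)) {
    return false;
  }
  return true;
}

/* The loop increment the commit message describes: when dwLength plus its
   padding wraps to 0, OffSet comes back unchanged, i.e. the loop is stuck. */
uint32_t next_offset(uint32_t OffSet, uint32_t dwLength) {
  return OffSet + dwLength + ALIGN_SIZE(dwLength);
}

int main(void) {
  uint32_t Huge = 0xFFFFFFFFu;   /* constructed: pads by 1 byte, sum wraps to 0 */
  uint32_t Room = 0x1000u;       /* constructed: 4 KiB left in SecDataDir */
  printf("naive check accepts huge length:   %d\n", naive_has_room(Room, Huge));
  printf("patched check accepts huge length: %d\n", patched_has_room(Room, Huge));
  printf("OffSet 0x2000 after increment:     0x%x\n", next_offset(0x2000u, Huge));
  return 0;
}
```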