From: "Laszlo Ersek" <lersek@redhat.com>
To: devel@edk2.groups.io, kun.q@outlook.com
Cc: Jian J Wang <jian.j.wang@intel.com>,
Xiaoyu Lu <xiaoyux.lu@intel.com>,
Jiewen Yao <jiewen.yao@intel.com>,
Guomin Jiang <guomin.jiang@intel.com>
Subject: Re: [edk2-devel] [PATCH v1 0/1] CryptoPkg: BaseCryptLib: Fix buffer double free in CryptPkcs7VerifyEku
Date: Wed, 21 Oct 2020 15:41:53 +0200
Message-ID: <97e0030d-eca4-c398-9ba7-b8168d0eebab@redhat.com>
In-Reply-To: <MWHPR06MB31028BF719295103D1C4C73BF31C0@MWHPR06MB3102.namprd06.prod.outlook.com>

On 10/21/20 04:32, Kun Qin wrote:
> The issue is in VerifyEKUsInPkcs7Signature routine of
> CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c:
>
>
> At the "Exit" portion of this routine, this function uses X509_free to free
> the SignerCert instance and the PKCS7_free function to free Pkcs7. But SignerCert
> is part of the Pkcs7 instance, thus PKCS7_free will release the memory of
> SignerCert for a second time with the existing routine, which will cause a page
> fault if the use-after-free guard is enabled.
>
>
> The fix in this patch is to free the Pkcs7 instance using PKCS7_free only.
>
> Patch v1 branch: https://github.com/kuqin12/edk2/tree/buffer_double_free_v1
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
>
> Signed-off-by: Kun Qin <kun.q@outlook.com>
>
> Kun Qin (1):
> CryptoPkg: BaseCryptLib: Fix buffer double free in CryptPkcs7VerifyEku
>
> CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c | 4 ----
> 1 file changed, 4 deletions(-)
>

Please run "BaseTools/Scripts/SetupGit.py" in your edk2 repository, for
setting some git configuration options that you are currently missing
(such as, handling of CRLF line terminators, shallow threading, ...)

Thanks
Laszlo
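
The ownership problem described in the quoted cover letter, as an added example that is not part of the thread or of the edk2 patch: a container owns its member, the exit path also frees a borrowed pointer to that member, and the member is released twice. The types `cert_t` and `bundle_t` and all function names are hypothetical stand-ins for X509 and PKCS7, and objects live in static storage so the second release is counted rather than corrupting a heap.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for X509 / PKCS7 (not OpenSSL or edk2 types). */
typedef struct { int live; int releases; } cert_t;
typedef struct { cert_t *signer; int live; } bundle_t; /* bundle owns signer */

static cert_t   g_cert;    /* static storage: a double release is observable */
static bundle_t g_bundle;  /* without undefined behaviour                    */

static bundle_t *bundle_new(void) {
    g_cert.live = 1; g_cert.releases = 0;
    g_bundle.signer = &g_cert; g_bundle.live = 1;
    return &g_bundle;
}

/* Borrowing accessor: ownership of the cert stays with the bundle. */
static cert_t *bundle_get0_signer(bundle_t *b) { return b->signer; }

static void cert_free(cert_t *c) {
    if (c == NULL) return;
    c->releases++;          /* a real allocator would free the memory here */
    c->live = 0;
}

static void bundle_free(bundle_t *b) {
    if (b == NULL) return;
    cert_free(b->signer);   /* the owner releases its member */
    b->live = 0;
}

/* Exit path as described in the cover letter: member freed, then owner freed. */
int cleanup_before_fix(void) {
    bundle_t *b = bundle_new();
    cert_t *signer = bundle_get0_signer(b);
    cert_free(signer);      /* first release, through the borrowed pointer */
    bundle_free(b);         /* second release, through the owner */
    return g_cert.releases;
}

/* Exit path after the fix: only the owner is freed. */
int cleanup_after_fix(void) {
    bundle_t *b = bundle_new();
    (void)bundle_get0_signer(b);   /* borrowed pointer is used, never freed */
    bundle_free(b);
    return g_cert.releases;
}

int main(void) {
    printf("before fix: %d releases\n", cleanup_before_fix());
    printf("after fix:  %d releases\n", cleanup_after_fix());
    return 0;
}
```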