From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [edk2-devel] [PATCH v1 0/1] CryptoPkg: BaseCryptLib: Fix buffer double free in CryptPkcs7VerifyEku
From: "Laszlo Ersek" <lersek@redhat.com>
To: devel@edk2.groups.io, kun.q@outlook.com
Cc: Jian J Wang, Xiaoyu Lu, Jiewen Yao, Guomin Jiang
Date: Wed, 21 Oct 2020 15:41:53 +0200
Message-ID: <97e0030d-eca4-c398-9ba7-b8168d0eebab@redhat.com>

On 10/21/20 04:32, Kun Qin wrote:
> The issue is in the VerifyEKUsInPkcs7Signature routine of
> CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c:
>
> At the "Exit" portion of this routine, this function uses X509_free to
> free the SignerCert instance and the PKCS7_free function to free Pkcs7.
> But SignerCert is part of the Pkcs7 instance, thus PKCS7_free will
> release the memory of SignerCert for a second time with the existing
> routine, which will cause a page fault if the use-after-free guard is
> enabled.
>
> The patch fix is to free the Pkcs7 instance only using PKCS7_free.
>
> Patch v1 branch: https://github.com/kuqin12/edk2/tree/buffer_double_free_v1
>
> Cc: Jian J Wang
> Cc: Xiaoyu Lu
> Cc: Jiewen Yao
> Cc: Guomin Jiang
>
> Signed-off-by: Kun Qin
>
> Kun Qin (1):
>   CryptoPkg: BaseCryptLib: Fix buffer double free in CryptPkcs7VerifyEku
>
>  CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c | 4 ----
>  1 file changed, 4 deletions(-)

Please run "BaseTools/Scripts/SetupGit.py" in your edk2 repository, for
setting some git configuration options that you are currently missing
(such as handling of CRLF line terminators, shallow threading, ...).

Thanks
Laszlo
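The ownership mistake behind the double free in the cover letter above, as an added example that is not code from edk2, BaseCryptLib or OpenSSL. A toy refcounted certificate and bundle stand in for X509 and PKCS7; the assumption modelled here is OpenSSL's naming convention, under which a "get0" accessor hands back borrowed pointers that the container still owns and "up_ref" takes an extra reference. The toy free quarantines released objects instead of returning them to the allocator, so the second release is counted rather than crashing; that is the role the use-after-free guard plays in the report. Three Exit-path shapes are compared: the pre-fix one (free the borrowed signer, then the owning bundle), the posted fix (free the bundle only), and the alternative of taking a reference before keeping the explicit free.

```c
/*
 * Toy model of a get0/owner double free. Names mimic OpenSSL's X509 /
 * PKCS7 / get0 / up_ref conventions, but every type and function here is
 * a stand-in written for this note, not OpenSSL or edk2 code.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { CERT_LIVE = 1, CERT_FREED = 2 };

typedef struct {
    int  state;        /* CERT_LIVE or CERT_FREED */
    int  refcount;
    char subject[32];
} Cert;

typedef struct {
    Cert **certs;      /* owned by the bundle, released in Bundle_free */
    int    ncerts;
} Bundle;

static int g_live = 0;         /* certs currently alive */
static int g_double_free = 0;  /* Cert_free called on an already freed cert */

static Cert *Cert_new(const char *subject) {
    Cert *c = calloc(1, sizeof *c);
    c->state = CERT_LIVE;
    c->refcount = 1;
    strncpy(c->subject, subject, sizeof c->subject - 1);
    g_live++;
    return c;
}

static void Cert_up_ref(Cert *c) { c->refcount++; }

/* Drops one reference. A released cert is quarantined (deliberately never
 * handed back to free()) so a second release is counted, not a crash. */
static void Cert_free(Cert *c) {
    if (c == NULL) return;
    if (c->state != CERT_LIVE) { g_double_free++; return; }
    if (--c->refcount == 0) { c->state = CERT_FREED; g_live--; }
}

static Bundle *Bundle_new(int n) {
    Bundle *b = calloc(1, sizeof *b);
    b->certs = calloc((size_t)n, sizeof *b->certs);
    b->ncerts = n;
    for (int i = 0; i < n; i++) {
        char name[32];
        snprintf(name, sizeof name, "signer-%d", i);   /* constructed subjects */
        b->certs[i] = Cert_new(name);
    }
    return b;
}

/* The owner: releases every cert it holds, exactly as PKCS7_free does. */
static void Bundle_free(Bundle *b) {
    if (b == NULL) return;
    for (int i = 0; i < b->ncerts; i++) Cert_free(b->certs[i]);
    free(b->certs);
    free(b);
}

/* get0: borrowed pointers. The caller frees only the array it was given;
 * the certs themselves stay owned by the bundle. */
static Cert **Bundle_get0_signers(Bundle *b, int *n) {
    Cert **v = calloc((size_t)b->ncerts, sizeof *v);
    memcpy(v, b->certs, (size_t)b->ncerts * sizeof *v);
    *n = b->ncerts;
    return v;
}

enum { CLEAN = 0, DOUBLE_FREE = 1, LEAK = 2 };

/* Runs one Exit-path variant and classifies what the tracker observed. */
int run_exit_path(int free_signer, int take_ref) {
    g_live = 0; g_double_free = 0;
    Bundle *pkcs7 = Bundle_new(2);
    int n;
    Cert **signers = Bundle_get0_signers(pkcs7, &n);
    Cert *signer = signers[0];
    if (take_ref) Cert_up_ref(signer);   /* caller now owns one reference */
    /* ... EKU checks against signer would run here ... */
    free(signers);                       /* correct either way: the array is ours */
    if (free_signer) Cert_free(signer);  /* wrong unless a reference was taken */
    Bundle_free(pkcs7);                  /* the owner releases signer here */
    if (g_double_free) return DOUBLE_FREE;
    if (g_live) return LEAK;
    return CLEAN;
}

/* Pre-fix shape: X509_free on the borrowed signer, then PKCS7_free. */
int verify_eku_before_fix(void)   { return run_exit_path(1, 0); }
/* The posted fix: drop the X509_free; only the owner releases the cert. */
int verify_eku_after_fix(void)    { return run_exit_path(0, 0); }
/* Alternative: keep the explicit free, but balance it with up_ref first. */
int verify_eku_with_own_ref(void) { return run_exit_path(1, 1); }

int main(void) {
    printf("before fix:  %d (1 = double free)\n", verify_eku_before_fix());
    printf("after fix:   %d (0 = clean)\n", verify_eku_after_fix());
    printf("with up_ref: %d (0 = clean)\n", verify_eku_with_own_ref());
    return 0;
}
```

The check a reviewer applies to any OpenSSL cleanup path is the one this toy makes explicit: for every pointer passed to an `*_free`, name who owns it. A pointer obtained through a `get0` accessor (or pulled out of a `STACK_OF` that came from one) is owned by the parent structure, so only the parent's free may release it; if the caller needs to outlive or independently release the object, it must take its own reference (`X509_up_ref`) or use a `get1` variant, and then its free is balanced. Taking the reference without freeing (the `run_exit_path(0, 1)` case) is the mirror-image defect, a leak.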