From: "Xu, Min M"
To: Laszlo Ersek, edk2-devel-groups-io
CC: "Wang, Jian J", "Yao, Jiewen", Wenyi Xie
Subject: Re: [PATCH 2/3] SecurityPkg/DxeImageVerificationLib: assign WinCertificate after size check
Date: Wed, 2 Sep 2020 02:19:42 +0000
References: <20200901091221.20948-1-lersek@redhat.com> <20200901091221.20948-3-lersek@redhat.com>
In-Reply-To: <20200901091221.20948-3-lersek@redhat.com>

> -----Original Message-----
> From: Laszlo Ersek
> Sent: Tuesday, September 01, 2020 5:12 PM
> To: edk2-devel-groups-io
> Cc: Wang, Jian J; Yao, Jiewen; Xu, Min M; Wenyi Xie
> Subject: [PATCH 2/3] SecurityPkg/DxeImageVerificationLib: assign WinCertificate after size check
>
> Currently the (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) check only
> guards the de-referencing of the "WinCertificate" pointer. It does not guard
> the calculation of the pointer itself:
>
>   WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
>
> This is wrong; if we don't know for sure that we have enough room for a
> WIN_CERTIFICATE, then even creating such a pointer, not just de-referencing
> it, may invoke undefined behavior.
>
> Move the pointer calculation after the size check.
>
> Cc: Jian J Wang
> Cc: Jiewen Yao
> Cc: Min Xu
> Cc: Wenyi Xie
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
> Signed-off-by: Laszlo Ersek
Reviewed-by: Min M Xu
> ---
>  SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 377feebb205a..100739eb3eb6 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1855,10 +1855,12 @@ DxeImageVerificationHandler ( > for (OffSet =3D SecDataDir->VirtualAddress; > OffSet < SecDataDirEnd; > OffSet +=3D (WinCertificate->dwLength + ALIGN_SIZE (WinCertificat= e- > >dwLength))) { > - WinCertificate =3D (WIN_CERTIFICATE *) (mImageBase + OffSet); > SecDataDirLeft =3D SecDataDirEnd - OffSet; > - if (SecDataDirLeft <=3D sizeof (WIN_CERTIFICATE) || > - SecDataDirLeft < WinCertificate->dwLength) { > + if (SecDataDirLeft <=3D sizeof (WIN_CERTIFICATE)) { > + break; > + } > + WinCertificate =3D (WIN_CERTIFICATE *) (mImageBase + OffSet); > + if (SecDataDirLeft < WinCertificate->dwLength) { > break; > } >=20 > -- > 2.19.1.3.g30247aa5d201 >=20
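Review bot: the hunk's remaining gap is a lower bound on `dwLength`: the only checks are `SecDataDirLeft <= sizeof (WIN_CERTIFICATE)` and `SecDataDirLeft < WinCertificate->dwLength`, so a header whose `dwLength` is smaller than `sizeof (WIN_CERTIFICATE)` passes both, and either a comment saying where that case is handled or an explicit `WinCertificate->dwLength < sizeof (WIN_CERTIFICATE)` test beside the upper bound would make the loop's assumptions clear. The reorder itself is sound: the `for` increment still reads `WinCertificate->dwLength`, but every path that reaches the increment has passed the new `break` and the assignment that now follows it, so the pointer is never formed or used before the size check.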
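The check the commit message describes, as an added stand-alone example (not code from the patch, from edk2, or from either author): a walk over a PE attribute-certificate table that forms the WIN_CERTIFICATE pointer only after the remaining size is known to hold a header, and additionally rejects a dwLength shorter than the header, which the patch does not. The struct layout, the ALIGN_SIZE macro, the 8-byte alignment and the DemoCount sample table are assumptions written for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ALIGNMENT 8u  /* assumed 8-byte entry alignment (PE/COFF certificate table) */
#define ALIGN_SIZE(a) (((a) % ALIGNMENT) ? ALIGNMENT - ((a) % ALIGNMENT) : 0)

typedef struct {
  uint32_t dwLength;           /* entry length in bytes, header included */
  uint16_t wRevision;
  uint16_t wCertificateType;
} WIN_CERTIFICATE;

/* Count well-formed entries in image[dirStart, dirStart + dirSize).
 * Returns -1 when the directory itself is not fully inside the image. */
int CountCertificates (const uint8_t *image, size_t imageSize,
                       size_t dirStart, size_t dirSize)
{
  WIN_CERTIFICATE cert = {0};
  size_t offset, dirEnd, left;
  int count = 0;
  if (dirStart > imageSize || dirSize > imageSize - dirStart) {
    return -1;
  }
  dirEnd = dirStart + dirSize;
  for (offset = dirStart; offset < dirEnd;
       offset += (size_t)cert.dwLength + ALIGN_SIZE (cert.dwLength)) {
    left = dirEnd - offset;
    if (left <= sizeof (WIN_CERTIFICATE)) {
      break;  /* no room for header plus payload: stop before forming a pointer */
    }
    /* image + offset is now known to cover a whole header; memcpy also tolerates misalignment */
    memcpy (&cert, image + offset, sizeof cert);
    if (cert.dwLength < sizeof (WIN_CERTIFICATE) || left < cert.dwLength) {
      break;  /* lower bound is extra here; it keeps the increment from stalling */
    }
    count++;
  }
  return count;
}

/* Constructed 64-byte image: entry 1 at offset 0 with caller-chosen dwLength,
 * entry 2 at offset 16 with dwLength 9 (padded to 16); payloads stay zero. */
int DemoCount (uint32_t firstLen, size_t dirSize)
{
  uint8_t img[64] = {0};
  WIN_CERTIFICATE c1 = { firstLen, 0x0200, 2 }, c2 = { 9, 0x0200, 2 };
  memcpy (img, &c1, sizeof c1);
  memcpy (img + 16, &c2, sizeof c2);
  return CountCertificates (img, sizeof img, 0, dirSize);
}
```

DemoCount (12, 32) walks both entries, DemoCount (12, 24) stops at the second header because only sizeof (WIN_CERTIFICATE) bytes remain, and DemoCount (0, 32) stops at once on the zero-length header.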