From: "Xu, Min M" <min.m.xu@intel.com>
To: Laszlo Ersek <lersek@redhat.com>,
edk2-devel-groups-io <devel@edk2.groups.io>
Cc: "Wang, Jian J" <jian.j.wang@intel.com>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
Wenyi Xie <xiewenyi2@huawei.com>
Subject: Re: [PATCH 1/3] SecurityPkg/DxeImageVerificationLib: extract SecDataDirEnd, SecDataDirLeft
Date: Wed, 2 Sep 2020 01:55:35 +0000 [thread overview]
Message-ID: <DM5PR1101MB23474FB25F560A46A144D74FC52F0@DM5PR1101MB2347.namprd11.prod.outlook.com> (raw)
In-Reply-To: <20200901091221.20948-2-lersek@redhat.com>
> -----Original Message-----
> From: Laszlo Ersek <lersek@redhat.com>
> Sent: Tuesday, September 01, 2020 5:12 PM
> To: edk2-devel-groups-io <devel@edk2.groups.io>
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Xu, Min M <min.m.xu@intel.com>; Wenyi Xie
> <xiewenyi2@huawei.com>
> Subject: [PATCH 1/3] SecurityPkg/DxeImageVerificationLib: extract
> SecDataDirEnd, SecDataDirLeft
>
> The following two quantities:
>
> SecDataDir->VirtualAddress + SecDataDir->Size
> SecDataDir->VirtualAddress + SecDataDir->Size - OffSet
>
> are used multiple times in DxeImageVerificationHandler(). Introduce helper
> variables for them: "SecDataDirEnd" and "SecDataDirLeft", respectively.
> This saves us multiple calculations and significantly simplifies the code.
>
> Note that all three summands above have type UINT32, therefore the new
> variables are also of type UINT32.
>
> This patch does not change behavior.
>
> (Note that the code already handles the case when the
>
> SecDataDir->VirtualAddress + SecDataDir->Size
>
> UINT32 addition overflows -- namely, in that case, the certificate loop is
> never entered, and the corruption check right after the loop fires.)
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Wenyi Xie <xiewenyi2@huawei.com>
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Min M Xu <min.m.xu@intel.com>
> ---
> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 12
> ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index b08fe24e85aa..377feebb205a 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLi
> +++ b.c
> @@ -1652,6 +1652,8 @@ DxeImageVerificationHandler (
> UINT8 *AuthData;
> UINTN AuthDataSize;
> EFI_IMAGE_DATA_DIRECTORY *SecDataDir;
> + UINT32 SecDataDirEnd;
> + UINT32 SecDataDirLeft;
> UINT32 OffSet;
> CHAR16 *NameStr;
> RETURN_STATUS PeCoffStatus;
> @@ -1849,12 +1851,14 @@ DxeImageVerificationHandler (
> // "Attribute Certificate Table".
> // The first certificate starts at offset (SecDataDir->VirtualAddress) from the
> start of the file.
> //
> + SecDataDirEnd = SecDataDir->VirtualAddress + SecDataDir->Size;
> for (OffSet = SecDataDir->VirtualAddress;
> - OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);
> + OffSet < SecDataDirEnd;
> OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate-
> >dwLength))) {
> WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
> - if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <= sizeof
> (WIN_CERTIFICATE) ||
> - (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <
> WinCertificate->dwLength) {
> + SecDataDirLeft = SecDataDirEnd - OffSet;
> + if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) ||
> + SecDataDirLeft < WinCertificate->dwLength) {
> break;
> }
>
> @@ -1948,7 +1952,7 @@ DxeImageVerificationHandler (
> }
> }
>
> - if (OffSet != (SecDataDir->VirtualAddress + SecDataDir->Size)) {
> + if (OffSet != SecDataDirEnd) {
> //
> // The Size in Certificate Table or the attribute certificate table is
> corrupted.
> //
> --
> 2.19.1.3.g30247aa5d201
>
next prev parent reply other threads:[~2020-09-02 1:55 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-01 9:12 [PATCH 0/3] SecurityPkg/DxeImageVerificationLib: catch alignment overflow (CVE-2019-14562) Laszlo Ersek
2020-09-01 9:12 ` [PATCH 1/3] SecurityPkg/DxeImageVerificationLib: extract SecDataDirEnd, SecDataDirLeft Laszlo Ersek
2020-09-01 15:37 ` [edk2-devel] " Philippe Mathieu-Daudé
2020-09-02 1:31 ` wenyi,xie
2020-09-02 1:55 ` Xu, Min M [this message]
2020-09-01 9:12 ` [PATCH 2/3] SecurityPkg/DxeImageVerificationLib: assign WinCertificate after size check Laszlo Ersek
2020-09-01 15:40 ` [edk2-devel] " Philippe Mathieu-Daudé
2020-09-02 1:32 ` wenyi,xie
2020-09-02 2:19 ` Xu, Min M
2020-09-01 9:12 ` [PATCH 3/3] SecurityPkg/DxeImageVerificationLib: catch alignment overflow (CVE-2019-14562) Laszlo Ersek
2020-09-01 15:53 ` [edk2-devel] " Philippe Mathieu-Daudé
2020-09-01 16:52 ` Laszlo Ersek
2020-09-02 1:32 ` wenyi,xie
2020-09-02 2:34 ` Xu, Min M
2020-09-02 4:02 ` [edk2-devel] [PATCH 0/3] " Yao, Jiewen
2020-09-02 6:35 ` Laszlo Ersek
2020-09-02 6:41 ` Yao, Jiewen
2020-09-02 6:46 ` Laszlo Ersek
2020-09-02 8:58 ` 回复: " gaoliming
2020-09-02 10:33 ` Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DM5PR1101MB23474FB25F560A46A144D74FC52F0@DM5PR1101MB2347.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox