From: "Xu, Min M"
To: Laszlo Ersek, edk2-devel-groups-io
CC: "Wang, Jian J", "Yao, Jiewen", Wenyi Xie
Subject: Re: [PATCH 3/3] SecurityPkg/DxeImageVerificationLib: catch alignment overflow (CVE-2019-14562)
Date: Wed, 2 Sep 2020 02:34:41 +0000
References: <20200901091221.20948-1-lersek@redhat.com> <20200901091221.20948-4-lersek@redhat.com>
In-Reply-To: <20200901091221.20948-4-lersek@redhat.com>
On September 01, 2020 5:12 PM, Laszlo Ersek wrote:
> The DxeImageVerificationHandler() function currently checks whether
> "SecDataDir" has enough room for "WinCertificate->dwLength". However,
> for advancing "OffSet", "WinCertificate->dwLength" is aligned to the next
> multiple of 8. If "WinCertificate->dwLength" is large enough, the alignment
> will return 0, and "OffSet" will be stuck at the same value.
>
> Check whether "SecDataDir" has room left for both "WinCertificate->dwLength"
> and the alignment.
>
> Cc: Jian J Wang
> Cc: Jiewen Yao
> Cc: Min Xu
> Cc: Wenyi Xie
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
> Signed-off-by: Laszlo Ersek

Reviewed-by: Min M Xu

> ---
>  SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 100739eb3eb6..11154b6cc58a 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1860,7 +1860,9 @@ DxeImageVerificationHandler (
>        break;
>      }
>      WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
> -    if (SecDataDirLeft < WinCertificate->dwLength) {
> +    if (SecDataDirLeft < WinCertificate->dwLength ||
> +        (SecDataDirLeft - WinCertificate->dwLength <
> +         ALIGN_SIZE (WinCertificate->dwLength))) {
>        break;
>      }
>
> --
> 2.19.1.3.g30247aa5d201
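Review bot: The added condition is only underflow-safe because `||` short-circuits: `SecDataDirLeft - WinCertificate->dwLength` is evaluated only after `SecDataDirLeft < WinCertificate->dwLength` has been ruled out, so swapping the two operands in a later cleanup would reintroduce a wrap-around. A one-line comment above the `if`, saying that both the certificate and its ALIGN_SIZE padding must fit in the remaining directory space, would pin that invariant down for future maintainers. The loop's OffSet advance is outside this hunk; it should use exactly the dwLength + ALIGN_SIZE(dwLength) quantity that this check now bounds, otherwise the check and the advance can drift apart.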
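The bounds check from the quoted hunk, rebuilt here as an added stand-alone example (not edk2's code or the patch author's) so the stalled-OffSet case the commit message describes can be exercised beside the patched check; IMAGE_ALIGN_SIZE being 8, ALIGN_SIZE() yielding the padding to the next multiple of 8, and the OffSet advance being computed in 32-bit arithmetic are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins, assumed here rather than taken from edk2: IMAGE_ALIGN_SIZE is 8
 * and ALIGN_SIZE() yields the padding that rounds a length up to the next multiple of 8. */
#define IMAGE_ALIGN_SIZE 8u
#define ALIGN_SIZE(a) (((a) % IMAGE_ALIGN_SIZE) ? IMAGE_ALIGN_SIZE - ((a) % IMAGE_ALIGN_SIZE) : 0u)

/* Outcome of processing one WIN_CERTIFICATE header at the current OffSet. */
enum step_result { STEP_REJECTED = -1, STEP_STALLED = 0, STEP_ADVANCED = 1 };

/* Pre-patch check: dwLength alone must fit in what is left of SecDataDir. */
static int old_check_ok(uint32_t sec_data_dir_left, uint32_t dw_length) {
  return !(sec_data_dir_left < dw_length);
}

/* Patched check: dwLength and its alignment padding must both fit. It relies on the
 * short-circuit ||: the subtraction only runs once sec_data_dir_left >= dw_length. */
static int new_check_ok(uint32_t sec_data_dir_left, uint32_t dw_length) {
  return !(sec_data_dir_left < dw_length ||
           (sec_data_dir_left - dw_length < ALIGN_SIZE(dw_length)));
}

/* Amount OffSet is advanced by, computed in 32-bit arithmetic since dwLength is a UINT32;
 * for a dwLength within 7 of 2^32 the aligned value wraps to 0 and OffSet stands still. */
static uint32_t offset_advance(uint32_t dw_length) {
  return dw_length + ALIGN_SIZE(dw_length);
}

/* Simulate one iteration of the certificate walk with either bounds check. */
static enum step_result step(uint32_t sec_data_dir_left, uint32_t dw_length, int patched) {
  int ok = patched ? new_check_ok(sec_data_dir_left, dw_length)
                   : old_check_ok(sec_data_dir_left, dw_length);
  if (!ok) return STEP_REJECTED;
  return offset_advance(dw_length) == 0 ? STEP_STALLED : STEP_ADVANCED;
}

int main(void) {
  /* Constructed hostile header: dwLength 7 bytes short of 2^32 while the directory
   * still claims to have room for it. Old check: OffSet stalls, the loop never ends. */
  printf("hostile, old check: %d\n", step(0xFFFFFFFCu, 0xFFFFFFF9u, 0));
  printf("hostile, new check: %d\n", step(0xFFFFFFFCu, 0xFFFFFFF9u, 1));
  /* Constructed 0x2E-byte certificate with only 0x2F bytes left: the 2 padding bytes
   * would overrun the directory; only the patched check notices. */
  printf("short tail, old check: %d\n", step(0x2Fu, 0x2Eu, 0));
  printf("short tail, new check: %d\n", step(0x2Fu, 0x2Eu, 1));
  return 0;
}
```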