* [Patch] SecurityPkg/Pkcs7VerifyDxe: Add format check in DB list contents
@ 2017-05-03 9:28 Qin Long
2017-05-05 1:36 ` Zhang, Chao B
0 siblings, 1 reply; 2+ messages in thread
From: Qin Long @ 2017-05-03 9:28 UTC (permalink / raw)
To: chao.b.zhang; +Cc: edk2-devel
Add the size check for invalid format detection in AllowedDb,
RevokedDb and TimeStampDb list contents.
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
---
.../Pkcs7Verify/Pkcs7VerifyDxe/Pkcs7VerifyDxe.c | 66 ++++++++++++++++++++--
1 file changed, 60 insertions(+), 6 deletions(-)
diff --git a/SecurityPkg/Pkcs7Verify/Pkcs7VerifyDxe/Pkcs7VerifyDxe.c b/SecurityPkg/Pkcs7Verify/Pkcs7VerifyDxe/Pkcs7VerifyDxe.c
index 07fdf552be..3776f903d4 100644
--- a/SecurityPkg/Pkcs7Verify/Pkcs7VerifyDxe/Pkcs7VerifyDxe.c
+++ b/SecurityPkg/Pkcs7Verify/Pkcs7VerifyDxe/Pkcs7VerifyDxe.c
@@ -5,7 +5,7 @@
verify data signed using PKCS7 structure. The PKCS7 data to be verified must
be ASN.1 (DER) encoded.
-Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -801,11 +801,13 @@ VerifyBuffer (
IN OUT UINTN *ContentSize
)
{
- EFI_STATUS Status;
- UINT8 *AttachedData;
- UINTN AttachedDataSize;
- UINT8 *DataPtr;
- UINTN DataSize;
+ EFI_STATUS Status;
+ EFI_SIGNATURE_LIST *SigList;
+ UINTN Index;
+ UINT8 *AttachedData;
+ UINTN AttachedDataSize;
+ UINT8 *DataPtr;
+ UINTN DataSize;
//
// Parameters Checking
@@ -818,6 +820,58 @@ VerifyBuffer (
}
//
+ // Check if any invalid entry format in AllowedDb list contents
+ //
+ for (Index = 0; ; Index++) {
+ SigList = (EFI_SIGNATURE_LIST *)(AllowedDb[Index]);
+
+ if (SigList == NULL) {
+ break;
+ }
+ if (SigList->SignatureListSize < sizeof (EFI_SIGNATURE_LIST) +
+ SigList->SignatureHeaderSize +
+ SigList->SignatureSize) {
+ return EFI_ABORTED;
+ }
+ }
+
+ //
+ // Check if any invalid entry format in RevokedDb list contents
+ //
+ if (RevokedDb != NULL) {
+ for (Index = 0; ; Index++) {
+ SigList = (EFI_SIGNATURE_LIST *)(RevokedDb[Index]);
+
+ if (SigList == NULL) {
+ break;
+ }
+ if (SigList->SignatureListSize < sizeof (EFI_SIGNATURE_LIST) +
+ SigList->SignatureHeaderSize +
+ SigList->SignatureSize) {
+ return EFI_ABORTED;
+ }
+ }
+ }
+
+ //
+ // Check if any invalid entry format in TimeStampDb list contents
+ //
+ if (TimeStampDb != NULL) {
+ for (Index = 0; ; Index++) {
+ SigList = (EFI_SIGNATURE_LIST *)(TimeStampDb[Index]);
+
+ if (SigList == NULL) {
+ break;
+ }
+ if (SigList->SignatureListSize < sizeof (EFI_SIGNATURE_LIST) +
+ SigList->SignatureHeaderSize +
+ SigList->SignatureSize) {
+ return EFI_ABORTED;
+ }
+ }
+ }
+
+ //
// Try to retrieve the attached content from PKCS7 signedData
//
AttachedData = NULL;
--
2.12.2.windows.1
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [Patch] SecurityPkg/Pkcs7VerifyDxe: Add format check in DB list contents
2017-05-03 9:28 [Patch] SecurityPkg/Pkcs7VerifyDxe: Add format check in DB list contents Qin Long
@ 2017-05-05 1:36 ` Zhang, Chao B
0 siblings, 0 replies; 2+ messages in thread
From: Zhang, Chao B @ 2017-05-05 1:36 UTC (permalink / raw)
To: Long, Qin; +Cc: edk2-devel@lists.01.org
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Qin Long
Sent: Wednesday, May 3, 2017 5:29 PM
To: Zhang, Chao B <chao.b.zhang@intel.com>
Cc: edk2-devel@lists.01.org
Subject: [edk2] [Patch] SecurityPkg/Pkcs7VerifyDxe: Add format check in DB list contents
Add the size check for invalid format detection in AllowedDb, RevokedDb and TimeStampDb list contents.
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
---
.../Pkcs7Verify/Pkcs7VerifyDxe/Pkcs7VerifyDxe.c | 66 ++++++++++++++++++++--
1 file changed, 60 insertions(+), 6 deletions(-)
diff --git a/SecurityPkg/Pkcs7Verify/Pkcs7VerifyDxe/Pkcs7VerifyDxe.c b/SecurityPkg/Pkcs7Verify/Pkcs7VerifyDxe/Pkcs7VerifyDxe.c
index 07fdf552be..3776f903d4 100644
--- a/SecurityPkg/Pkcs7Verify/Pkcs7VerifyDxe/Pkcs7VerifyDxe.c
+++ b/SecurityPkg/Pkcs7Verify/Pkcs7VerifyDxe/Pkcs7VerifyDxe.c
@@ -5,7 +5,7 @@
verify data signed using PKCS7 structure. The PKCS7 data to be verified must
be ASN.1 (DER) encoded.
-Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -801,11 +801,13 @@ VerifyBuffer (
IN OUT UINTN *ContentSize
)
{
- EFI_STATUS Status;
- UINT8 *AttachedData;
- UINTN AttachedDataSize;
- UINT8 *DataPtr;
- UINTN DataSize;
+ EFI_STATUS Status;
+ EFI_SIGNATURE_LIST *SigList;
+ UINTN Index;
+ UINT8 *AttachedData;
+ UINTN AttachedDataSize;
+ UINT8 *DataPtr;
+ UINTN DataSize;
//
// Parameters Checking
@@ -818,6 +820,58 @@ VerifyBuffer (
}
//
+ // Check if any invalid entry format in AllowedDb list contents //
+ for (Index = 0; ; Index++) {
+ SigList = (EFI_SIGNATURE_LIST *)(AllowedDb[Index]);
+
+ if (SigList == NULL) {
+ break;
+ }
+ if (SigList->SignatureListSize < sizeof (EFI_SIGNATURE_LIST) +
+ SigList->SignatureHeaderSize +
+ SigList->SignatureSize) {
+ return EFI_ABORTED;
+ }
+ }
+
+ //
+ // Check if any invalid entry format in RevokedDb list contents //
+ if (RevokedDb != NULL) {
+ for (Index = 0; ; Index++) {
+ SigList = (EFI_SIGNATURE_LIST *)(RevokedDb[Index]);
+
+ if (SigList == NULL) {
+ break;
+ }
+ if (SigList->SignatureListSize < sizeof (EFI_SIGNATURE_LIST) +
+ SigList->SignatureHeaderSize +
+ SigList->SignatureSize) {
+ return EFI_ABORTED;
+ }
+ }
+ }
+
+ //
+ // Check if any invalid entry format in TimeStampDb list contents //
+ if (TimeStampDb != NULL) {
+ for (Index = 0; ; Index++) {
+ SigList = (EFI_SIGNATURE_LIST *)(TimeStampDb[Index]);
+
+ if (SigList == NULL) {
+ break;
+ }
+ if (SigList->SignatureListSize < sizeof (EFI_SIGNATURE_LIST) +
+ SigList->SignatureHeaderSize +
+ SigList->SignatureSize) {
+ return EFI_ABORTED;
+ }
+ }
+ }
+
+ //
// Try to retrieve the attached content from PKCS7 signedData
//
AttachedData = NULL;
--
2.12.2.windows.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-05-05 1:36 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-05-03 9:28 [Patch] SecurityPkg/Pkcs7VerifyDxe: Add format check in DB list contents Qin Long
2017-05-05 1:36 ` Zhang, Chao B
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox