From mboxrd@z Thu Jan 1 00:00:00 1970
From: Kun Qin <kun.q@outlook.com>
To: devel@edk2.groups.io
Cc: Jian J Wang, Xiaoyu Lu, Jiewen Yao, Guomin Jiang
Subject: [PATCH v1 0/1] CryptoPkg: BaseCryptLib: Fix buffer double free in CryptPkcs7VerifyEku
Date: Tue, 20 Oct 2020 19:32:27 -0700
X-Microsoft-Original-Message-ID: <20201021023228.1884-1-kun.q@outlook.com>
X-Mailer: git-send-email 2.28.0.windows.1
MIME-Version: 1.0
Content-Type: text/plain

The issue is in the VerifyEKUsInPkcs7Signature routine of CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c:

At the "Exit" portion of this routine, the function uses X509_free to free the SignerCert instance and the PKCS7_free function to free Pkcs7. But SignerCert is part of the Pkcs7 instance, thus PKCS7_free will release the memory of SignerCert a second time with the existing routine, which will cause a page fault if the use-after-free guard is enabled.

The patch fix is to free the Pkcs7 instance only, using PKCS7_free.

Patch v1 branch: https://github.com/kuqin12/edk2/tree/buffer_double_free_v1

Cc: Jian J Wang
Cc: Xiaoyu Lu
Cc: Jiewen Yao
Cc: Guomin Jiang
Signed-off-by: Kun Qin

Kun Qin (1):
  CryptoPkg: BaseCryptLib: Fix buffer double free in CryptPkcs7VerifyEku

 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c | 4 ----
 1 file changed, 4 deletions(-)

-- 
2.28.0.windows.1
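The ownership problem the cover letter describes, as an added example that is not edk2 or OpenSSL code: a container object owns its signer certificates and hands out borrowed ("get0"-style) pointers, so releasing the borrowed pointer and then releasing the container frees the same block twice. The `X509`, `Pkcs7`, `pkcs7_get0_signer` and `tracked_free` names below are hypothetical stand-ins; the allocation ledger plays the role of the use-after-free guard mentioned in the mail by reporting the second free instead of letting it corrupt the heap. `cleanup_double_free` mirrors the cleanup before the patch and `cleanup_fixed` the cleanup after it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the OpenSSL X509 and PKCS7 objects. */
typedef struct { char subject[32]; } X509;
typedef struct { X509 *signers[4]; int count; } Pkcs7;

#define MAX_LIVE 16
static void *live[MAX_LIVE];   /* ledger of live allocations (models the heap guard) */
static int double_frees;       /* number of double frees the ledger caught */

static void *tracked_alloc(size_t n) {
  void *p = calloc(1, n);
  for (int i = 0; i < MAX_LIVE; i++) {
    if (!live[i]) { live[i] = p; return p; }
  }
  free(p);
  return NULL;
}

/* Free p if the ledger lists it as live; otherwise record a double free. */
static void tracked_free(void *p) {
  if (!p) return;
  for (int i = 0; i < MAX_LIVE; i++) {
    if (live[i] == p) { live[i] = NULL; free(p); return; }
  }
  double_frees++;
}

static X509 *x509_new(const char *subject) {
  X509 *c = tracked_alloc(sizeof *c);
  if (c) strncpy(c->subject, subject, sizeof c->subject - 1);
  return c;
}

static void x509_free(X509 *c) { tracked_free(c); }

/* The container allocates and therefore owns its signer certificate. */
static Pkcs7 *pkcs7_new_with_signer(const char *subject) {
  Pkcs7 *p = tracked_alloc(sizeof *p);
  if (!p) return NULL;
  p->signers[p->count++] = x509_new(subject);
  return p;
}

/* Borrowed pointer: ownership stays with the Pkcs7 ("get0" convention). */
static X509 *pkcs7_get0_signer(Pkcs7 *p, int i) {
  return (p && i < p->count) ? p->signers[i] : NULL;
}

/* Releases the container and every certificate it owns. */
static void pkcs7_free(Pkcs7 *p) {
  if (!p) return;
  for (int i = 0; i < p->count; i++) x509_free(p->signers[i]);
  tracked_free(p);
}

/* Cleanup as before the patch: the borrowed signer is freed, then the
 * container frees the same certificate again. Returns the double-free count. */
static int cleanup_double_free(void) {
  double_frees = 0;
  Pkcs7 *pkcs7 = pkcs7_new_with_signer("CN=constructed signer");
  X509 *signer = pkcs7_get0_signer(pkcs7, 0);
  x509_free(signer);   /* first release of the signer certificate */
  pkcs7_free(pkcs7);   /* second release of the same certificate */
  return double_frees;
}

/* Cleanup as after the patch: only the owner releases the certificate. */
static int cleanup_fixed(void) {
  double_frees = 0;
  Pkcs7 *pkcs7 = pkcs7_new_with_signer("CN=constructed signer");
  X509 *signer = pkcs7_get0_signer(pkcs7, 0);
  (void)signer;        /* used for verification, never freed by the caller */
  pkcs7_free(pkcs7);
  return double_frees;
}

int main(void) {
  printf("double frees with buggy cleanup: %d\n", cleanup_double_free());
  printf("double frees with fixed cleanup: %d\n", cleanup_fixed());
  return 0;
}
```

The defensive point is the accessor naming: a pointer obtained through a get0-style accessor is borrowed, and the caller must not release it; a get1-style accessor (one that bumps a reference count or returns a copy) is the only kind whose result the caller frees. The ledger here only detects the second free; a real heap guard catches it as the page fault the cover letter mentions.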