From: Kun Qin
To: devel@edk2.groups.io
Cc: Jian J Wang, Xiaoyu Lu, Jiewen Yao, Guomin Jiang
Subject: [PATCH v1 1/1] CryptoPkg: BaseCryptLib: Fix buffer double free in CryptPkcs7VerifyEku
Date: Tue, 20 Oct 2020 19:32:28 -0700
X-Mailer: git-send-email 2.28.0.windows.1
In-Reply-To: <20201021023228.1884-1-kun.q@outlook.com>
References: <20201021023228.1884-1-kun.q@outlook.com>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2459

SignerCert is part of Pkcs7 instance when both have valid content. OpenSSL
PKCS7_free function will release the memory of SignerCert when applicable.
Freeing SignerCert with X509_free again might cause page fault if
use-after-free guard is enabled.

Cc: Jian J Wang
Cc: Xiaoyu Lu
Cc: Jiewen Yao
Cc: Guomin Jiang
Signed-off-by: Kun Qin
--- CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c b/Cryp= toPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c index c9fdb65b99d1..40cc39afe7dd 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c @@ -508,10 +508,6 @@ Exit: free (SignedData);=0D }=0D =0D - if (SignerCert !=3D NULL) {=0D - X509_free (SignerCert);=0D - }=0D -=0D if (Pkcs7 !=3D NULL) {=0D PKCS7_free (Pkcs7);=0D }=0D --=20 2.28.0.windows.1
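
Review bot: With the `X509_free (SignerCert)` block gone from the `Exit:` path, nothing in these lines says who owns SignerCert, and the commit message itself hedges with "when both have valid content" and "when applicable". Please confirm that no path reaches `Exit` with SignerCert non-NULL while Pkcs7 is NULL or does not hold that certificate, since that case would now leak rather than double free. A short comment above `PKCS7_free (Pkcs7);` stating that it also releases SignerCert would keep the four removed lines from being reintroduced later.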