From: "Wang, Jian J" <jian.j.wang@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
"lersek@redhat.com" <lersek@redhat.com>
Cc: "Lu, XiaoyuX" <xiaoyux.lu@intel.com>,
"Jiang, Guomin" <guomin.jiang@intel.com>,
"Yao, Jiewen" <jiewen.yao@intel.com>
Subject: Re: [edk2-devel] [PATCH] CryptoPkg/BaseCryptLib: fix NULL dereference (CVE-2019-14584)
Date: Tue, 20 Oct 2020 02:28:21 +0000 [thread overview]
Message-ID: <SN6PR11MB331281B12DF229EC0C16C5FAB61F0@SN6PR11MB3312.namprd11.prod.outlook.com> (raw)
In-Reply-To: <b9dc7807-5040-07e4-0ecf-a1a701dc2d23@redhat.com>
Laszlo,
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Laszlo Ersek
> Sent: Tuesday, October 20, 2020 3:13 AM
> To: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>
> Cc: Lu, XiaoyuX <xiaoyux.lu@intel.com>; Jiang, Guomin
> <guomin.jiang@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: Re: [edk2-devel] [PATCH] CryptoPkg/BaseCryptLib: fix NULL
> dereference (CVE-2019-14584)
>
> On 10/16/20 07:14, Wang, Jian J wrote:
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1914
> >
> > AuthenticodeVerify() calls OpenSSLs d2i_PKCS7() API to parse asn encoded
> > signed authenticode pkcs#7 data. when this successfully returns, a type
> > check is done by calling PKCS7_type_is_signed() and then
> > Pkcs7->d.sign->contents->type is used. It is possible to construct an asn1
> > blob that successfully decodes and have d2i_PKCS7() return a valid pointer
> > and have PKCS7_type_is_signed() also return success but have Pkcs7->d.sign
> > be a NULL pointer.
> >
> > Looking at how PKCS7_verify() [inside of OpenSSL] implements checking for
> > pkcs7 structs it does the following:
> > - call PKCS7_type_is_signed()
> > - call PKCS7_get_detached()
> > Looking into how PKCS7_get_detatched() is implemented, it checks to see if
> > p7->d.sign is NULL or if p7->d.sign->contents->d.ptr is NULL.
> >
> > As such, the fix is to do the same as OpenSSL after calling d2i_PKCS7().
> > - Add call to PKS7_get_detached() to existing error handling
> >
> > Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Laszlo Ersek <lersek@redhat.com>
> > Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
> > Reviewed-by: Laszlo Ersek <lersek@redhat.com>
> > ---
> > CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
> b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
> > index 2772b1e2be..ae0ee61fb6 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
> > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
> > @@ -9,7 +9,7 @@
> > AuthenticodeVerify() will get PE/COFF Authenticode and will do basic check
> for
> > data structure.
> >
> > -Copyright (c) 2011 - 2015, Intel Corporation. All rights reserved.<BR>
> > +Copyright (c) 2011 - 2019, Intel Corporation. All rights reserved.<BR>
> > SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > **/
>
> It's probably best to bump the (C) date to 2020; if you must update the
> (C) line in the first place.
>
> Otherwise, this patch seems identical to what I reviewed in
> <https://bugzilla.tianocore.org/show_bug.cgi?id=1914#c6>, so my R-b stands.
>
Thanks for catching this. I'll update it before pushing.
Regards,
Jian
> Thanks
> Laszlo
>
> > @@ -100,7 +100,7 @@ AuthenticodeVerify (
> > //
> > // Check if it's PKCS#7 Signed Data (for Authenticode Scenario)
> > //
> > - if (!PKCS7_type_is_signed (Pkcs7)) {
> > + if (!PKCS7_type_is_signed (Pkcs7) || PKCS7_get_detached (Pkcs7)) {
> > goto _Exit;
> > }
> >
> >
>
>
>
>
>
prev parent reply other threads:[~2020-10-20 2:28 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-16 5:14 [PATCH] CryptoPkg/BaseCryptLib: fix NULL dereference (CVE-2019-14584) Wang, Jian J
2020-10-18 1:02 ` Yao, Jiewen
2020-10-19 19:13 ` [edk2-devel] " Laszlo Ersek
2020-10-20 2:28 ` Wang, Jian J [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=SN6PR11MB331281B12DF229EC0C16C5FAB61F0@SN6PR11MB3312.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox