Subject: Re: [edk2-devel] [PATCH 2/3] SecurityPkg/DxeImageVerificationLib: assign WinCertificate after size check
From: Philippe Mathieu-Daudé <philmd@redhat.com>
To: devel@edk2.groups.io, lersek@redhat.com
Cc: Jian J Wang, Jiewen Yao, Min Xu, Wenyi Xie
Date: Tue, 1 Sep 2020 17:40:55 +0200
In-Reply-To: <20200901091221.20948-3-lersek@redhat.com>
References: <20200901091221.20948-1-lersek@redhat.com> <20200901091221.20948-3-lersek@redhat.com>

On 9/1/20 11:12 AM, Laszlo Ersek wrote:
> Currently the (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) check only
> guards the de-referencing of the "WinCertificate" pointer. It does not
> guard the calculation of the pointer itself:
>
>   WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
>
> This is wrong; if we don't know for sure that we have enough room for a
> WIN_CERTIFICATE, then even creating such a pointer, not just
> de-referencing it, may invoke undefined behavior.

Tricky to catch...

Reviewed-by: Philippe Mathieu-Daude

>
> Move the pointer calculation after the size check.
>
> Cc: Jian J Wang
> Cc: Jiewen Yao
> Cc: Min Xu
> Cc: Wenyi Xie
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
> Signed-off-by: Laszlo Ersek
> ---
>  SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 377feebb205a..100739eb3eb6 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1855,10 +1855,12 @@ DxeImageVerificationHandler ( > for (OffSet = SecDataDir->VirtualAddress; > OffSet < SecDataDirEnd; > OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength))) { > - WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet); > SecDataDirLeft = SecDataDirEnd - OffSet; > - if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) || > - SecDataDirLeft < WinCertificate->dwLength) { > + if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) { > + break; > + } > + WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet); > + if (SecDataDirLeft < WinCertificate->dwLength) { > break; > } > >
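Review bot: the two checks left in the loop still accept a dwLength smaller than sizeof (WIN_CERTIFICATE), including zero, which the old combined condition did not reject either; with dwLength == 0 the increment `OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength))` adds only ALIGN_SIZE (0), so unless a later part of the loop body (outside this hunk) rejects such an entry, OffSet need never advance. Consider making the second test `if (WinCertificate->dwLength < sizeof (WIN_CERTIFICATE) || SecDataDirLeft < WinCertificate->dwLength)`. The reordering itself is correct: the `SecDataDirLeft <= sizeof (WIN_CERTIFICATE)` test now precedes the pointer computation, so `WinCertificate` is formed and read only once a full header is known to lie inside the directory.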
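The reordering in the commit message generalises to a bounds-checked walk of the whole security directory. The following is an added example written for this page, not edk2 code: it uses a stand-in WIN_CERTIFICATE struct and an assumed ALIGN_SIZE definition, forms each entry pointer only after the remaining byte count has been checked, and additionally rejects entries whose dwLength could not advance the loop or whose padding would run past the directory, which the hunk alone does not cover.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the WIN_CERTIFICATE header (constructed for this example). */
typedef struct { uint32_t dwLength; uint16_t wRevision; uint16_t wCertificateType; } WIN_CERTIFICATE;
/* Padding to the next 8-byte boundary (assumed to mirror edk2's ALIGN_SIZE). */
#define ALIGN_SIZE(a) (((a) % 8) == 0 ? 0 : 8 - ((a) % 8))

/* Walk the security directory [DirStart, DirStart + DirSize) of an image of
 * ImageSize bytes. Returns the number of well-formed entries, or -1 if the
 * directory is not inside the image. As in the patch, the entry pointer is
 * formed only after the header is known to fit in the remaining bytes. */
int CountWinCertificates (const uint8_t *ImageBase, size_t ImageSize,
                          size_t DirStart, size_t DirSize)
{
  size_t   DirEnd, OffSet, Left;
  uint32_t Len = 0;
  int      Count = 0;

  if (DirStart > ImageSize || DirSize > ImageSize - DirStart) { return -1; }
  DirEnd = DirStart + DirSize;
  for (OffSet = DirStart; OffSet < DirEnd; OffSet += (size_t) Len + ALIGN_SIZE (Len)) {
    const WIN_CERTIFICATE *Cert;
    Left = DirEnd - OffSet;
    if (Left <= sizeof (WIN_CERTIFICATE)) {
      break;                  /* no room for a header: stop before forming the pointer */
    }
    Cert = (const WIN_CERTIFICATE *) (ImageBase + OffSet);
    memcpy (&Len, &Cert->dwLength, sizeof Len);   /* header may be unaligned */
    if (Len < sizeof (WIN_CERTIFICATE) || Left < Len) {
      break;                  /* undersized entry (could never advance) or truncated body */
    }
    if (Left - Len < ALIGN_SIZE (Len)) {
      break;                  /* alignment padding would run past the directory */
    }
    Count++;
  }
  return Count;
}

/* Constructed sample: a 64-byte image whose directory starts at byte 16 and holds
 * entries of 20 and 12 bytes; Corrupt 1 or 2 sets the second dwLength to 0 or 100. */
int RunSample (int Corrupt, size_t DirSize)
{
  uint8_t  Img[64] = {0};
  uint32_t Len1 = 20, Len2 = (Corrupt == 1) ? 0 : (Corrupt == 2) ? 100 : 12;
  memcpy (Img + 16, &Len1, sizeof Len1);   /* entry 1 occupies 16..36, padded to 40 */
  memcpy (Img + 40, &Len2, sizeof Len2);   /* entry 2 starts at 40 */
  return CountWinCertificates (Img, sizeof Img, 16, DirSize);
}
```

With a 40-byte directory the intact sample yields two entries, while a zero-length or oversized second entry stops the walk after the first one.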