[edk2-devel] [PATCH EDK2 v2 1/1] SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset
Yao, Jiewen
jiewen.yao at intel.com
Mon Aug 31 16:06:52 UTC 2020
Sounds great. Appreciate your hard work on that.
Will you post a patch to fix the issue again?
Thank you
Yao Jiewen
> -----Original Message-----
> From: devel at edk2.groups.io <devel at edk2.groups.io> On Behalf Of wenyi,xie
> via groups.io
> Sent: Monday, August 31, 2020 7:24 PM
> To: Yao, Jiewen <jiewen.yao at intel.com>; devel at edk2.groups.io; Laszlo Ersek
> <lersek at redhat.com>; Wang, Jian J <jian.j.wang at intel.com>
> Cc: songdongkuang at huawei.com; Mathews, John <john.mathews at intel.com>
> Subject: Re: [edk2-devel] [PATCH EDK2 v2 1/1]
> SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset
>
> Hi,Jiewen,
>
> I modify the PE file again, this time it can pass the check in PeCoffLib and cause
> offset overflow.
>
> First, create a PE file and sign it(only one signature), then using binary edit tool
> to modify content of PE file like below,
> 1.check the value of SecDataDir->VirtualAddress, in my PE file, it's 0xE000
> 2.changing SecDataDir->Size from 0x5F8 to 0xFFFF1FFC
> 3.changing WinCertificate->dwLength from 0x5F1 to 0xFFFF1FFB
> 4.padding PE file with 0 until the size of the file is 0xFFFFFFFC(it will make the PE
> file so large)
> OffSet + WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength) is
> 0xE000 + 0xFFFF1FFB + 0x5 = 0x100000000
>
> Below is the DEBUG code and log, in second loop the offset overflow and
> become 0
>
> for (OffSet = SecDataDir->VirtualAddress;
> OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);
> OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate-
> >dwLength))) {
> WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
> DEBUG((DEBUG_INFO, "OffSet=0x%x.\n", OffSet));
> if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <= sizeof
> (WIN_CERTIFICATE) ||
> (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) < WinCertificate-
> >dwLength) {
> break;
> }
> DEBUG((DEBUG_INFO, "WinCertificate->dwLength=0x%x, ALIGN_SIZE
> (WinCertificate->dwLength)=0x%x.\n", WinCertificate->dwLength,
> ALIGN_SIZE(WinCertificate->dwLength)));
>
>
> SecDataDir->VirtualAddress=0xE000, SecDataDir->Size=0xFFFF1FFC.
> OffSet=0xE000.
> WinCertificate->dwLength=0xFFFF1FFB, ALIGN_SIZE (WinCertificate-
> >dwLength)=0x5.
> DxeImageVerificationLib: Image is signed but signature is not allowed by DB and
> SHA256 hash of image is notOffSet=0x0.
> WinCertificate->dwLength=0x5A4D, ALIGN_SIZE (WinCertificate-
> >dwLength)=0x3.
> OffSet=0x5A50.
> WinCertificate->dwLength=0x9024, ALIGN_SIZE (WinCertificate-
> >dwLength)=0x4.
> OffSet=0xEA78.
> WinCertificate->dwLength=0x0, ALIGN_SIZE (WinCertificate->dwLength)=0x0.
> The image doesn't pass verification: VenHw(5CF32E0B-8EDF-2E44-9CDA-
> 93205E99EC1C,00000000)/VenHw(964E5B22-6459-11D2-8E39-
> 00A0C969723B,00000000)/\signed_1234_4G.efi
>
>
> Regards
> Wenyi
>
>
> On 2020/8/28 14:43, Yao, Jiewen wrote:
> > Apology that I did not say clearly.
> > I mean you should not modify any code to perform an attack.
> >
> > I am not asking you to exploit the system. Attack here just means: to cause
> system hang or buffer overflow. That is enough.
> > But you cannot modify code to remove any existing checker.
> >
> > Thank you
> > Yao Jiewen
> >
> >> -----Original Message-----
> >> From: devel at edk2.groups.io <devel at edk2.groups.io> On Behalf Of
> wenyi,xie
> >> via groups.io
> >> Sent: Friday, August 28, 2020 2:18 PM
> >> To: Yao, Jiewen <jiewen.yao at intel.com>; devel at edk2.groups.io; Laszlo
> Ersek
> >> <lersek at redhat.com>; Wang, Jian J <jian.j.wang at intel.com>
> >> Cc: songdongkuang at huawei.com; Mathews, John
> <john.mathews at intel.com>
> >> Subject: Re: [edk2-devel] [PATCH EDK2 v2 1/1]
> >> SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset
> >>
> >> Hi,Jiewen,
> >>
> >> I don't really get the meaning "create a case that bypass all checks in
> PeCoffLib",
> >> do you mean I need to create a PE file that can bypass all check in PeCoffLib
> >> without modify any
> >> code and then cause the problem in DxeImageVerificationLib, or just modify
> >> some code in PeCoffLib to bypass check instead of removing the calling of
> >> PeCoffLoaderGetImageInfo. Would
> >> you mind explaining a little more specifically? As far as I tried, it's really hard
> to
> >> reproduce the issue without touching any code.
> >>
> >> Thanks
> >> Wenyi
> >>
> >> On 2020/8/28 11:50, Yao, Jiewen wrote:
> >>> HI Wenyi
> >>> Thank you very much to take time to reproduce.
> >>>
> >>> I am particular interested in below:
> >>> "As PE file is modified, function PeCoffLoaderGetImageInfo will return
> >> error, so I have to remove it so that for loop can be tested in
> >> DxeImageVerificationHandler."
> >>>
> >>> By design, the PeCoffLib should catch illegal PE/COFF image and return error.
> >> (even it cannot catch all, it should catch most ones).
> >>> Other PE/COFF parser may rely on the checker in PeCoffLib and *no need*
> to
> >> duplicate all checkers.
> >>> As such, DxeImageVerificationLib (and other PeCoff consumer) just need
> >> checks what has passed the check in PeCoffLib.
> >>>
> >>> I don’t think you should remove the checker. If people can remove the
> checker,
> >> I am sure the rest code will be vulnerable, according to the current design.
> >>> Could you please to create a case that bypass all checks in PeCoffLib, then
> run
> >> into DxeImageVerificationLib and cause the problem? That would be more
> >> valuable for us.
> >>>
> >>> Thank you
> >>> Yao Jiewen
> >>>
> >>>> -----Original Message-----
> >>>> From: devel at edk2.groups.io <devel at edk2.groups.io> On Behalf Of
> >> wenyi,xie
> >>>> via groups.io
> >>>> Sent: Friday, August 28, 2020 11:18 AM
> >>>> To: Laszlo Ersek <lersek at redhat.com>; Wang, Jian J
> >> <jian.j.wang at intel.com>;
> >>>> devel at edk2.groups.io; Yao, Jiewen <jiewen.yao at intel.com>
> >>>> Cc: songdongkuang at huawei.com; Mathews, John
> >> <john.mathews at intel.com>
> >>>> Subject: Re: [edk2-devel] [PATCH EDK2 v2 1/1]
> >>>> SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset
> >>>>
> >>>> Hi,Laszlo and everyone,
> >>>>
> >>>> These days I tried to reproduce the issue,and made some progress. I
> think
> >>>> there are two way to cause overflow from a mathematical point of view,
> >>>> 1.As Laszlo analysed before, if WinCertificate->dwLength is large enough,
> >> close
> >>>> to MAX_UINT32, then (WinCertificate->dwLength + ALIGN_SIZE
> >> (WinCertificate-
> >>>>> dwLength)) will cause overflow.
> >>>> 2.(WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength)) is
> >> good,
> >>>> OffSet is good, but OffSet += (WinCertificate->dwLength + ALIGN_SIZE
> >>>> (WinCertificate->dwLength)) cause overflow.
> >>>>
> >>>> Here I choose the second way to reproduce the issue, I choose a PE file
> and
> >> sign
> >>>> it with my own db certificate. Then I use binary edit tool to modify the PE
> file
> >> like
> >>>> below,
> >>>>
> >>>> 1.change SecDataDir->Size from 0x5F8 to 0xFFFF1FFF
> >>>> 2.change WinCertificate->dwLength from 0x5F1 to 0xFFFF1FFE
> >>>> SecDataDir->VirtualAddress in my PE is 0xe000 and no need to change.
> >>>>
> >>>> As PE file is modified, function PeCoffLoaderGetImageInfo will return error,
> >> so I
> >>>> have to remove it so that for loop can be tested in
> >> DxeImageVerificationHandler.
> >>>> The log is as below,
> >>>>
> >>>> SecDataDir->VirtualAddress=0xE000, SecDataDir->Size=0xFFFF1FFF.
> >>>> (First Loop)
> >>>> OffSet=0xE000.
> >>>> WinCertificate->dwLength=0xFFFF1FFE, ALIGN_SIZE (WinCertificate-
> >>>>> dwLength)=0x2.
> >>>> (Second Loop)
> >>>> OffSet=0x0.
> >>>> WinCertificate->dwLength=0x5A4D, ALIGN_SIZE (WinCertificate-
> >>>>> dwLength)=0x3.
> >>>> (Third Loop)
> >>>> OffSet=0x5A50.
> >>>> WinCertificate->dwLength=0x9024, ALIGN_SIZE (WinCertificate-
> >>>>> dwLength)=0x4.
> >>>> (Forth Loop)
> >>>> OffSet=0xEA78.
> >>>> WinCertificate->dwLength=0xAFAFAFAF, ALIGN_SIZE (WinCertificate-
> >>>>> dwLength)=0x1.
> >>>> (Fifth Loop)
> >>>> OffSet=0xAFB09A28.
> >>>>
> >>>> As I modify SecDataDir->Size and WinCertificate->dwLength, so in first
> loop
> >> the
> >>>> condition check whether the Security Data Directory has enough room left
> >> for
> >>>> "WinCertificate->dwLength" is ok.
> >>>>
> >>>> if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <= sizeof
> >>>> (WIN_CERTIFICATE) ||
> >>>> (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <
> WinCertificate-
> >>>>> dwLength) {
> >>>> break;
> >>>> }
> >>>>
> >>>> In the beginning of second loop, WinCertificate->dwLength + ALIGN_SIZE
> >>>> (WinCertificate->dwLength) is 0xFFFF2000, offset is 0xE000
> >>>>
> >>>> OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate-
> >>> dwLength))
> >>>>
> >>>> Offset now is 0 and overflow happens. So even if my PE only have one
> >> signature,
> >>>> the for loop is still going untill exception happens.
> >>>>
> >>>>
> >>>> I can't reproduce the issue using the first way, because if WinCertificate-
> >>>>> dwLength is close to MAX_UINT32, it means SecDataDir->Size should also
> >> close
> >>>> to MAX_UINT32, or the condition check
> >>>> "(SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <
> WinCertificate-
> >>>>> dwLength" will break. But if SecDataDir->Size is very large, SecDataDir-
> >>>>> VirtualAddress have to be smaller than 8 bytes,
> >>>> because SecDataDir->VirtualAddress + SecDataDir->Size < MAX_UINT32.
> >>>> SecDataDir->VirtualAddress is the beginning address of the signature, and
> >> before
> >>>> SecDataDir->VirtualAddress is the content of origin PE file, I think it's
> >> impossible
> >>>> that the size of PE file is only 8 bytes.
> >>>>
> >>>> As I changed the one line code in DxeImageVerificationHandler to
> reproduce
> >> the
> >>>> issue, I'm not sure whether it's ok.
> >>>>
> >>>> Thanks
> >>>> Wenyi
> >>>>
> >>>> On 2020/8/19 17:26, Laszlo Ersek wrote:
> >>>>> On 08/18/20 17:18, Mathews, John wrote:
> >>>>>> I dug up the original report details. This was noted as a concern during a
> >>>> source code inspection. There was no demonstration of how it might be
> >>>> triggered.
> >>>>>>
> >>>>>> " There is an integer overflow vulnerability in the
> >>>> DxeImageVerificationHandler function when
> >>>>>> parsing the PE files attribute certificate table. In cases where
> >> WinCertificate-
> >>>>> dwLength is
> >>>>>> sufficiently large, it's possible to overflow Offset back to 0 causing an
> >> endless
> >>>> loop."
> >>>>>>
> >>>>>> The recommendation was to add stricter checking of "Offset" and the
> >>>> embedded length fields of certificate data
> >>>>>> before using them.
> >>>>>
> >>>>> Thanks for checking!
> >>>>>
> >>>>> Laszlo
> >>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Laszlo Ersek <lersek at redhat.com>
> >>>>>> Sent: Tuesday, August 18, 2020 1:59 AM
> >>>>>> To: Wang, Jian J <jian.j.wang at intel.com>; devel at edk2.groups.io; Yao,
> >>>> Jiewen <jiewen.yao at intel.com>; xiewenyi2 at huawei.com
> >>>>>> Cc: huangming23 at huawei.com; songdongkuang at huawei.com;
> Mathews,
> >>>> John <john.mathews at intel.com>
> >>>>>> Subject: Re: [edk2-devel] [PATCH EDK2 v2 1/1]
> >>>> SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset
> >>>>>>
> >>>>>> On 08/18/20 04:10, Wang, Jian J wrote:
> >>>>>>> Laszlo,
> >>>>>>>
> >>>>>>> My apologies for the slow response. I'm not the original reporter but
> >>>>>>> just the BZ submitter. And I didn't do deep analysis to this issue.
> >>>>>>> The issues was reported from one internal team. Add John in loop to
> see
> >> if
> >>>> he knows more about it or not.
> >>>>>>>
> >>>>>>> My superficial understanding on such issue is that, if there's
> >>>>>>> "potential" issue in theory and hard to reproduce, it's still worthy
> >>>>>>> of using an alternative way to replace the original implementation
> >>>>>>> with no "potential" issue at all. Maybe we don't have to prove old way
> is
> >>>> something wrong but must prove that the new way is really safe.
> >>>>>>
> >>>>>> I agree, thanks.
> >>>>>>
> >>>>>> It would be nice to hear more from the internal team about the
> originally
> >>>> reported (even if hard-to-trigger) issue.
> >>>>>>
> >>>>>> Thanks!
> >>>>>> Laszlo
> >>>>>>
> >>>>>>>
> >>>>>>> Regards,
> >>>>>>> Jian
> >>>>>>>
> >>>>>>>> -----Original Message-----
> >>>>>>>> From: devel at edk2.groups.io <devel at edk2.groups.io> On Behalf Of
> >> Laszlo
> >>>>>>>> Ersek
> >>>>>>>> Sent: Tuesday, August 18, 2020 12:53 AM
> >>>>>>>> To: Yao, Jiewen <jiewen.yao at intel.com>; devel at edk2.groups.io;
> >>>>>>>> xiewenyi2 at huawei.com; Wang, Jian J <jian.j.wang at intel.com>
> >>>>>>>> Cc: huangming23 at huawei.com; songdongkuang at huawei.com
> >>>>>>>> Subject: Re: [edk2-devel] [PATCH EDK2 v2 1/1]
> >>>>>>>> SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset
> >>>>>>>>
> >>>>>>>> Hi Jiewen,
> >>>>>>>>
> >>>>>>>> On 08/14/20 10:53, Yao, Jiewen wrote:
> >>>>>>>>>> To Jiewen,
> >>>>>>>>>> Sorry, I don't have environment to reproduce the issue.
> >>>>>>>>>
> >>>>>>>>> Please help me understand, if you don’t have environment to
> >>>>>>>>> reproduce the
> >>>>>>>> issue, how do you guarantee that your patch does fix the problem and
> >>>>>>>> we don’t have any other vulnerabilities?
> >>>>>>>>
> >>>>>>>> The original bug report in
> >>>>>>>> <https://bugzilla.tianocore.org/show_bug.cgi?id=2215#c0> is
> seriously
> >>>>>>>> lacking. It does not go into detail about the alleged integer overflow.
> >>>>>>>> It does not quote the code, does not explain the control flow, does
> >>>>>>>> not identify the exact edk2 commit at which the vulnerability exists.
> >>>>>>>>
> >>>>>>>> The bug report also does not offer a reproducer.
> >>>>>>>>
> >>>>>>>> Additionally, the exact statement that the bug report does make,
> >>>>>>>> namely
> >>>>>>>>
> >>>>>>>> it's possible to overflow Offset back to 0 causing an endless loop
> >>>>>>>>
> >>>>>>>> is wrong (as far as I can tell anyway). It is not "OffSet" that can
> >>>>>>>> be overflowed to zero, but the *addend* that is added to OffSet can
> >>>>>>>> be overflowed to zero. Therefore the infinite loop will arise because
> >>>>>>>> OffSet remains stuck at its present value, and not because OffSet
> >>>>>>>> will be re-set to zero.
> >>>>>>>>
> >>>>>>>> For the reasons, we can only speculate as to what the actual problem
> >>>>>>>> is, unless Jian decides to join the discussion and clarifies what he
> >>>>>>>> had in mind originally.
> >>>>>>>>
> >>>>>>>> My understanding (or even "reconstruction") of the vulnerability is
> >>>>>>>> described above, and in the patches that I proposed.
> >>>>>>>>
> >>>>>>>> We can write a patch based on code analysis. It's possible to
> >>>>>>>> identify integer overflows based on code analysis, and it's possible
> >>>>>>>> to verify the correctness of fixes by code review. Obviously testing
> >>>>>>>> is always good, but many times, constructing reproducers for such
> >>>>>>>> issues that were found by code review, is difficult and time
> >>>>>>>> consuming. We can say that we don't fix vulnerabilities without
> >>>>>>>> reproducers, or we can say that we make an effort to fix them even if
> >>>>>>>> all we have is code analysis (and not a reproducer).
> >>>>>>>>
> >>>>>>>> So the above paragraph concerns "correctness". Regarding
> >>>>>>>> "completeness", I guarantee you that this patch does not fix *all*
> >>>>>>>> problems related to PE parsing. (See the other BZ tickets.) It does
> >>>>>>>> fix *one* issue with PE parsing. We can say that we try to fix such
> >>>>>>>> issues gradually (give different CVE numbers to different issues, and
> >>>>>>>> address them one at a time), or we can say that we rewrite PE parsing
> >>>> from the ground up.
> >>>>>>>> (BTW: I have seriously attempted that in the past, and I gave up,
> >>>>>>>> because the PE format is FUBAR.)
> >>>>>>>>
> >>>>>>>> In summary:
> >>>>>>>>
> >>>>>>>> - the problem statement is unclear,
> >>>>>>>>
> >>>>>>>> - it seems like there is indeed an integer overflow problem in the
> >>>>>>>> SecDataDir parsing loop, but it's uncertain whether the bug reporter
> >>>>>>>> had exactly that in mind
> >>>>>>>>
> >>>>>>>> - PE parsing is guaranteed to have other vulnerabilities elsewhere in
> >>>>>>>> edk2, but I'm currently unaware of other such issues in
> >>>>>>>> DxeImageVerificationLib specifically
> >>>>>>>>
> >>>>>>>> - even if there are other such problems (in DxeImageVerificationLib
> >>>>>>>> or elswehere), fixing this bug that we know about is likely
> >>>>>>>> worthwhile
> >>>>>>>>
> >>>>>>>> - for many such bugs, constructing a reproducer is difficult and time
> >>>>>>>> consuming; code analysis, and *regression-testing* are frequently the
> >>>>>>>> only tools we have. That doesn't mean we should ignore this class of
> >> bugs.
> >>>>>>>>
> >>>>>>>> (Fixing integer overflows retro-actively is more difficult than
> >>>>>>>> writing overflow-free code in the first place, but that ship has
> >>>>>>>> sailed; so we can only fight these bugs incrementally now, unless we
> >>>>>>>> can rewrite PE parsing with a new data structure from the ground up.
> >>>>>>>> Again I tried that and gave up, because the spec is not public, and
> >>>>>>>> what I did manage to learn about PE, showed that it was insanely
> >>>>>>>> over-engineered. I'm not saying that other binary / executable
> >>>>>>>> formats are better, of course.)
> >>>>>>>>
> >>>>>>>> Please check out my patches (inlined elsewhere in this thread), and
> >>>>>>>> comment whether you'd like me to post them to the list as a
> >>>>>>>> standalone series.
> >>>>>>>>
> >>>>>>>> Jian: it wouldn't hurt if you commented as well.
> >>>>>>>>
> >>>>>>>> Thanks
> >>>>>>>> Laszlo
> >>>>>>>>
> >>>>>>>>>> -----Original Message-----
> >>>>>>>>>> From: devel at edk2.groups.io <devel at edk2.groups.io> On Behalf
> Of
> >>>>>>>> wenyi,xie
> >>>>>>>>>> via groups.io
> >>>>>>>>>> Sent: Friday, August 14, 2020 3:54 PM
> >>>>>>>>>> To: Laszlo Ersek <lersek at redhat.com>; devel at edk2.groups.io; Yao,
> >>>>>>>>>> Jiewen <jiewen.yao at intel.com>; Wang, Jian J
> >> <jian.j.wang at intel.com>
> >>>>>>>>>> Cc: huangming23 at huawei.com; songdongkuang at huawei.com
> >>>>>>>>>> Subject: Re: [edk2-devel] [PATCH EDK2 v2 1/1]
> >>>>>>>>>> SecurityPkg/DxeImageVerificationLib:Enhanced verification of
> Offset
> >>>>>>>>>>
> >>>>>>>>>> To Laszlo,
> >>>>>>>>>> Thank you for your detailed description, I agree with what you
> >>>>>>>>>> analyzed and
> >>>>>>>> I'm
> >>>>>>>>>> OK with your patches, it's
> >>>>>>>>>> correct and much simpler.
> >>>>>>>>>>
> >>>>>>>>>> To Jiewen,
> >>>>>>>>>> Sorry, I don't have environment to reproduce the issue.
> >>>>>>>>>>
> >>>>>>>>>> Thanks
> >>>>>>>>>> Wenyi
> >>>>>>>>>>
> >>>>>>>>>> On 2020/8/14 2:50, Laszlo Ersek wrote:
> >>>>>>>>>>> On 08/13/20 13:55, Wenyi Xie wrote:
> >>>>>>>>>>>> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2215
> >>>>>>>>>>>>
> >>>>>>>>>>>> There is an integer overflow vulnerability in
> >>>>>>>>>>>> DxeImageVerificationHandler function when parsing the PE files
> >>>>>>>>>>>> attribute certificate table. In cases where
> >>>>>>>>>>>> WinCertificate->dwLength is sufficiently large, it's possible to
> >>>> overflow Offset back to 0 causing an endless loop.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Check offset inbetween VirtualAddress and VirtualAddress + Size.
> >>>>>>>>>>>> Using SafeintLib to do offset addition with result check.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Cc: Jiewen Yao <jiewen.yao at intel.com>
> >>>>>>>>>>>> Cc: Jian J Wang <jian.j.wang at intel.com>
> >>>>>>>>>>>> Cc: Laszlo Ersek <lersek at redhat.com>
> >>>>>>>>>>>> Signed-off-by: Wenyi Xie <xiewenyi2 at huawei.com>
> >>>>>>>>>>>> ---
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>>>> ib.inf
> >>>>>>>> |
> >>>>>>>>>> 1 +
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>>>> ib.h
> >>>>>>>> |
> >>>>>>>>>> 1 +
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>>>> ib.c
> >>>>>>>> |
> >>>>>>>>>> 111 +++++++++++---------
> >>>>>>>>>>>> 3 files changed, 63 insertions(+), 50 deletions(-)
> >>>>>>>>>>>>
> >>>>>>>>>>>> diff --git
> >>>>>>>>>>
> >> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.inf
> >>>>>>>>>>
> >> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.inf
> >>>>>>>>>>>> index 1e1a639857e0..a7ac4830b3d4 100644
> >>>>>>>>>>>> ---
> >>>>>>>>>>
> >> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.inf
> >>>>>>>>>>>> +++
> >>>>>>>>>>
> >> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.inf
> >>>>>>>>>>>> @@ -53,6 +53,7 @@ [LibraryClasses]
> >>>>>>>>>>>> SecurityManagementLib
> >>>>>>>>>>>> PeCoffLib
> >>>>>>>>>>>> TpmMeasurementLib
> >>>>>>>>>>>> + SafeIntLib
> >>>>>>>>>>>>
> >>>>>>>>>>>> [Protocols]
> >>>>>>>>>>>> gEfiFirmwareVolume2ProtocolGuid ##
> >> SOMETIMES_CONSUMES
> >>>>>>>>>>>> diff --git
> >>>>>>>>>>
> >> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.h
> >>>>>>>>>>
> >> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.h
> >>>>>>>>>>>> index 17955ff9774c..060273917d5d 100644
> >>>>>>>>>>>> ---
> >>>>>>>>>>
> >> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.h
> >>>>>>>>>>>> +++
> >>>>>>>>>>
> >> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.h
> >>>>>>>>>>>> @@ -23,6 +23,7 @@ SPDX-License-Identifier: BSD-2-Clause-
> Patent
> >>>>>>>>>>>> #include <Library/DevicePathLib.h> #include
> >>>>>>>>>>>> <Library/SecurityManagementLib.h> #include
> <Library/PeCoffLib.h>
> >>>>>>>>>>>> +#include <Library/SafeIntLib.h>
> >>>>>>>>>>>> #include <Protocol/FirmwareVolume2.h> #include
> >>>>>>>>>>>> <Protocol/DevicePath.h> #include <Protocol/BlockIo.h> diff --
> git
> >>>>>>>>>>
> >> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.c
> >>>>>>>>>>
> >> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.c
> >>>>>>>>>>>> index 36b87e16d53d..dbc03e28c05b 100644
> >>>>>>>>>>>> ---
> >>>>>>>>
> >> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib
> >>>>>>>> .c
> >>>>>>>>>>>> +++
> >>>>>>>>>>
> >> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.c
> >>>>>>>>>>>> @@ -1658,6 +1658,10 @@ DxeImageVerificationHandler (
> >>>>>>>>>>>> EFI_STATUS HashStatus;
> >>>>>>>>>>>> EFI_STATUS DbStatus;
> >>>>>>>>>>>> BOOLEAN IsFound;
> >>>>>>>>>>>> + UINT32 AlignedLength;
> >>>>>>>>>>>> + UINT32 Result;
> >>>>>>>>>>>> + EFI_STATUS AddStatus;
> >>>>>>>>>>>> + BOOLEAN IsAuthDataAssigned;
> >>>>>>>>>>>>
> >>>>>>>>>>>> SignatureList = NULL;
> >>>>>>>>>>>> SignatureListSize = 0;
> >>>>>>>>>>>> @@ -1667,6 +1671,7 @@ DxeImageVerificationHandler (
> >>>>>>>>>>>> Action = EFI_IMAGE_EXECUTION_AUTH_UNTESTED;
> >>>>>>>>>>>> IsVerified = FALSE;
> >>>>>>>>>>>> IsFound = FALSE;
> >>>>>>>>>>>> + Result = 0;
> >>>>>>>>>>>>
> >>>>>>>>>>>> //
> >>>>>>>>>>>> // Check the image type and get policy setting.
> >>>>>>>>>>>> @@ -1850,9 +1855,10 @@ DxeImageVerificationHandler (
> >>>>>>>>>>>> // The first certificate starts at offset
> >>>>>>>>>>>> (SecDataDir->VirtualAddress) from
> >>>>>>>> the
> >>>>>>>>>> start of the file.
> >>>>>>>>>>>> //
> >>>>>>>>>>>> for (OffSet = SecDataDir->VirtualAddress;
> >>>>>>>>>>>> - OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);
> >>>>>>>>>>>> - OffSet += (WinCertificate->dwLength + ALIGN_SIZE
> >>>> (WinCertificate-
> >>>>>>>>>>> dwLength))) {
> >>>>>>>>>>>> + (OffSet >= SecDataDir->VirtualAddress) && (OffSet <
> >>>>>>>>>>>> + (SecDataDir-
> >>>>>>>>>>> VirtualAddress + SecDataDir->Size));) {
> >>>>>>>>>>>> + IsAuthDataAssigned = FALSE;
> >>>>>>>>>>>> WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
> >>>>>>>>>>>> + AlignedLength = WinCertificate->dwLength + ALIGN_SIZE
> >>>>>>>> (WinCertificate-
> >>>>>>>>>>> dwLength);
> >>>>>>>>>>>
> >>>>>>>>>>> I disagree with this patch.
> >>>>>>>>>>>
> >>>>>>>>>>> The primary reason for my disagreement is that the bug report
> >>>>>>>>>>> <https://bugzilla.tianocore.org/show_bug.cgi?id=2215#c0> is
> >>>>>>>>>>> inexact, and so this patch tries to fix the wrong thing.
> >>>>>>>>>>>
> >>>>>>>>>>> With edk2 master at commit 65904cdbb33c, it is *not* possible to
> >>>>>>>>>>> overflow the OffSet variable to zero with "WinCertificate-
> >>> dwLength"
> >>>>>>>>>>> *purely*, and cause an endless loop. Note that we have (at
> commit
> >>>>>>>>>>> 65904cdbb33c):
> >>>>>>>>>>>
> >>>>>>>>>>> for (OffSet = SecDataDir->VirtualAddress;
> >>>>>>>>>>> OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);
> >>>>>>>>>>> OffSet += (WinCertificate->dwLength + ALIGN_SIZE
> >>>>>>>>>>> (WinCertificate-
> >>>>>>>>>>> dwLength))) {
> >>>>>>>>>>> WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
> >>>>>>>>>>> if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet)
> >>>>>>>>>>> <= sizeof
> >>>>>>>>>> (WIN_CERTIFICATE) ||
> >>>>>>>>>>> (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <
> >>>>>>>> WinCertificate-
> >>>>>>>>>>> dwLength) {
> >>>>>>>>>>> break;
> >>>>>>>>>>> }
> >>>>>>>>>>>
> >>>>>>>>>>> The last sub-condition checks whether the Security Data Directory
> >>>>>>>>>>> has enough room left for "WinCertificate->dwLength". If not, then
> >>>>>>>>>>> we break out of the loop.
> >>>>>>>>>>>
> >>>>>>>>>>> If we *do* have enough room, that is:
> >>>>>>>>>>>
> >>>>>>>>>>> (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) >=
> >>>>>>>> WinCertificate-
> >>>>>>>>>>> dwLength
> >>>>>>>>>>>
> >>>>>>>>>>> then we have (by adding OffSet to both sides):
> >>>>>>>>>>>
> >>>>>>>>>>> SecDataDir->VirtualAddress + SecDataDir->Size >= OffSet +
> >>>>>>>>>>> WinCertificate- dwLength
> >>>>>>>>>>>
> >>>>>>>>>>> The left hand side is a known-good UINT32, and so incrementing
> >>>>>>>>>>> OffSet (a
> >>>>>>>>>>> UINT32) *solely* by "WinCertificate->dwLength" (also a UINT32)
> >>>>>>>>>>> does not cause an overflow.
> >>>>>>>>>>>
> >>>>>>>>>>> Instead, the problem is with the alignment. The "if" statement
> >>>>>>>>>>> checks whether we have enough room for "dwLength", but then
> >>>>>>>>>>> "OffSet" is advanced by "dwLength" *aligned up* to the next
> >>>>>>>>>>> multiple of 8. And that may indeed cause various overflows.
> >>>>>>>>>>>
> >>>>>>>>>>> Now, the main problem with the present patch is that it does not
> >>>>>>>>>>> fix one of those overflows. Namely, consider that "dwLength" is
> >>>>>>>>>>> very close to
> >>>>>>>>>>> MAX_UINT32 (or even think it's exactly MAX_UINT32). Then
> aligning
> >>>>>>>>>>> it up to the next multiple of 8 will yield 0. In other words,
> >>>> "AlignedLength"
> >>>>>>>>>>> will be zero.
> >>>>>>>>>>>
> >>>>>>>>>>> And when that happens, there's going to be an infinite loop just
> >>>>>>>>>>> the
> >>>>>>>>>>> same: "OffSet" will not be zero, but it will be *stuck*. The
> >>>>>>>>>>> SafeUint32Add() call at the bottom will succeed, but it will not
> >>>>>>>>>>> change the value of "OffSet".
> >>>>>>>>>>>
> >>>>>>>>>>> More at the bottom.
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>> if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet)
> >>>>>>>>>>>> <= sizeof
> >>>>>>>>>> (WIN_CERTIFICATE) ||
> >>>>>>>>>>>> (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet)
> >>>>>>>>>>>> <
> >>>>>>>>>> WinCertificate->dwLength) {
> >>>>>>>>>>>> break;
> >>>>>>>>>>>> @@ -1872,6 +1878,8 @@ DxeImageVerificationHandler (
> >>>>>>>>>>>> }
> >>>>>>>>>>>> AuthData = PkcsCertData->CertData;
> >>>>>>>>>>>> AuthDataSize = PkcsCertData->Hdr.dwLength -
> >>>>>>>>>>>> sizeof(PkcsCertData-
> >>>>>>>>> Hdr);
> >>>>>>>>>>>> + IsAuthDataAssigned = TRUE;
> >>>>>>>>>>>> + HashStatus = HashPeImageByType (AuthData, AuthDataSize);
> >>>>>>>>>>>> } else if (WinCertificate->wCertificateType ==
> >>>>>>>> WIN_CERT_TYPE_EFI_GUID)
> >>>>>>>>>> {
> >>>>>>>>>>>> //
> >>>>>>>>>>>> // The certificate is formatted as
> >>>>>>>>>>>> WIN_CERTIFICATE_UEFI_GUID which
> >>>>>>>> is
> >>>>>>>>>> described in UEFI Spec.
> >>>>>>>>>>>> @@ -1880,72 +1888,75 @@ DxeImageVerificationHandler (
> >>>>>>>>>>>> if (WinCertUefiGuid->Hdr.dwLength <=
> >>>>>>>>>> OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData)) {
> >>>>>>>>>>>> break;
> >>>>>>>>>>>> }
> >>>>>>>>>>>> - if (!CompareGuid (&WinCertUefiGuid->CertType,
> >>>> &gEfiCertPkcs7Guid))
> >>>>>>>> {
> >>>>>>>>>>>> - continue;
> >>>>>>>>>>>> + if (CompareGuid (&WinCertUefiGuid->CertType,
> >>>>>>>>>>>> + &gEfiCertPkcs7Guid))
> >>>>>>>> {
> >>>>>>>>>>>> + AuthData = WinCertUefiGuid->CertData;
> >>>>>>>>>>>> + AuthDataSize = WinCertUefiGuid->Hdr.dwLength -
> >>>>>>>>>> OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData);
> >>>>>>>>>>>> + IsAuthDataAssigned = TRUE;
> >>>>>>>>>>>> + HashStatus = HashPeImageByType (AuthData,
> AuthDataSize);
> >>>>>>>>>>>> }
> >>>>>>>>>>>> - AuthData = WinCertUefiGuid->CertData;
> >>>>>>>>>>>> - AuthDataSize = WinCertUefiGuid->Hdr.dwLength -
> >>>>>>>>>> OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData);
> >>>>>>>>>>>> } else {
> >>>>>>>>>>>> if (WinCertificate->dwLength < sizeof (WIN_CERTIFICATE)) {
> >>>>>>>>>>>> break;
> >>>>>>>>>>>> }
> >>>>>>>>>>>> - continue;
> >>>>>>>>>>>> }
> >>>>>>>>>>>>
> >>>>>>>>>>>> - HashStatus = HashPeImageByType (AuthData, AuthDataSize);
> >>>>>>>>>>>> - if (EFI_ERROR (HashStatus)) {
> >>>>>>>>>>>> - continue;
> >>>>>>>>>>>> - }
> >>>>>>>>>>>> -
> >>>>>>>>>>>> - //
> >>>>>>>>>>>> - // Check the digital signature against the revoked certificate
> in
> >>>>>>>> forbidden
> >>>>>>>>>> database (dbx).
> >>>>>>>>>>>> - //
> >>>>>>>>>>>> - if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
> >>>>>>>>>>>> - Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
> >>>>>>>>>>>> - IsVerified = FALSE;
> >>>>>>>>>>>> - break;
> >>>>>>>>>>>> - }
> >>>>>>>>>>>> -
> >>>>>>>>>>>> - //
> >>>>>>>>>>>> - // Check the digital signature against the valid certificate in
> >>>> allowed
> >>>>>>>>>> database (db).
> >>>>>>>>>>>> - //
> >>>>>>>>>>>> - if (!IsVerified) {
> >>>>>>>>>>>> - if (IsAllowedByDb (AuthData, AuthDataSize)) {
> >>>>>>>>>>>> - IsVerified = TRUE;
> >>>>>>>>>>>> + if (IsAuthDataAssigned && !EFI_ERROR (HashStatus)) {
> >>>>>>>>>>>> + //
> >>>>>>>>>>>> + // Check the digital signature against the revoked
> >>>>>>>>>>>> + certificate in
> >>>>>>>> forbidden
> >>>>>>>>>> database (dbx).
> >>>>>>>>>>>> + //
> >>>>>>>>>>>> + if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
> >>>>>>>>>>>> + Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
> >>>>>>>>>>>> + IsVerified = FALSE;
> >>>>>>>>>>>> + break;
> >>>>>>>>>>>> }
> >>>>>>>>>>>> - }
> >>>>>>>>>>>>
> >>>>>>>>>>>> - //
> >>>>>>>>>>>> - // Check the image's hash value.
> >>>>>>>>>>>> - //
> >>>>>>>>>>>> - DbStatus = IsSignatureFoundInDatabase (
> >>>>>>>>>>>> - EFI_IMAGE_SECURITY_DATABASE1,
> >>>>>>>>>>>> - mImageDigest,
> >>>>>>>>>>>> - &mCertType,
> >>>>>>>>>>>> - mImageDigestSize,
> >>>>>>>>>>>> - &IsFound
> >>>>>>>>>>>> - );
> >>>>>>>>>>>> - if (EFI_ERROR (DbStatus) || IsFound) {
> >>>>>>>>>>>> - Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;
> >>>>>>>>>>>> - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is
> >>>> signed
> >>>>>>>> but %s
> >>>>>>>>>> hash of image is found in DBX.\n", mHashTypeStr));
> >>>>>>>>>>>> - IsVerified = FALSE;
> >>>>>>>>>>>> - break;
> >>>>>>>>>>>> - }
> >>>>>>>>>>>> + //
> >>>>>>>>>>>> + // Check the digital signature against the valid
> >>>>>>>>>>>> + certificate in allowed
> >>>>>>>>>> database (db).
> >>>>>>>>>>>> + //
> >>>>>>>>>>>> + if (!IsVerified) {
> >>>>>>>>>>>> + if (IsAllowedByDb (AuthData, AuthDataSize)) {
> >>>>>>>>>>>> + IsVerified = TRUE;
> >>>>>>>>>>>> + }
> >>>>>>>>>>>> + }
> >>>>>>>>>>>>
> >>>>>>>>>>>> - if (!IsVerified) {
> >>>>>>>>>>>> + //
> >>>>>>>>>>>> + // Check the image's hash value.
> >>>>>>>>>>>> + //
> >>>>>>>>>>>> DbStatus = IsSignatureFoundInDatabase (
> >>>>>>>>>>>> - EFI_IMAGE_SECURITY_DATABASE,
> >>>>>>>>>>>> + EFI_IMAGE_SECURITY_DATABASE1,
> >>>>>>>>>>>> mImageDigest,
> >>>>>>>>>>>> &mCertType,
> >>>>>>>>>>>> mImageDigestSize,
> >>>>>>>>>>>> &IsFound
> >>>>>>>>>>>> );
> >>>>>>>>>>>> - if (!EFI_ERROR (DbStatus) && IsFound) {
> >>>>>>>>>>>> - IsVerified = TRUE;
> >>>>>>>>>>>> - } else {
> >>>>>>>>>>>> - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is
> >>>> signed
> >>>>>>>> but
> >>>>>>>>>> signature is not allowed by DB and %s hash of image is not found in
> >>>>>>>> DB/DBX.\n",
> >>>>>>>>>> mHashTypeStr));
> >>>>>>>>>>>> + if (EFI_ERROR (DbStatus) || IsFound) {
> >>>>>>>>>>>> + Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;
> >>>>>>>>>>>> + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is
> >>>>>>>>>>>> + signed
> >>>>>>>>>> but %s hash of image is found in DBX.\n", mHashTypeStr));
> >>>>>>>>>>>> + IsVerified = FALSE;
> >>>>>>>>>>>> + break;
> >>>>>>>>>>>> }
> >>>>>>>>>>>> +
> >>>>>>>>>>>> + if (!IsVerified) {
> >>>>>>>>>>>> + DbStatus = IsSignatureFoundInDatabase (
> >>>>>>>>>>>> + EFI_IMAGE_SECURITY_DATABASE,
> >>>>>>>>>>>> + mImageDigest,
> >>>>>>>>>>>> + &mCertType,
> >>>>>>>>>>>> + mImageDigestSize,
> >>>>>>>>>>>> + &IsFound
> >>>>>>>>>>>> + );
> >>>>>>>>>>>> + if (!EFI_ERROR (DbStatus) && IsFound) {
> >>>>>>>>>>>> + IsVerified = TRUE;
> >>>>>>>>>>>> + } else {
> >>>>>>>>>>>> + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image
> is
> >>>>>>>>>>>> + signed
> >>>>>>>> but
> >>>>>>>>>> signature is not allowed by DB and %s hash of image is not found in
> >>>>>>>> DB/DBX.\n",
> >>>>>>>>>> mHashTypeStr));
> >>>>>>>>>>>> + }
> >>>>>>>>>>>> + }
> >>>>>>>>>>>> + }
> >>>>>>>>>>>> +
> >>>>>>>>>>>> + AddStatus = SafeUint32Add (OffSet, AlignedLength, &Result);
> >>>>>>>>>>>> + if (EFI_ERROR (AddStatus)) {
> >>>>>>>>>>>> + break;
> >>>>>>>>>>>> }
> >>>>>>>>>>>> + OffSet = Result;
> >>>>>>>>>>>> }
> >>>>>>>>>>>>
> >>>>>>>>>>>> if (OffSet != (SecDataDir->VirtualAddress + SecDataDir->Size))
> >>>>>>>>>>>> {
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> There are other (smaller) reasons why I dislike this patch:
> >>>>>>>>>>>
> >>>>>>>>>>> - The "IsAuthDataAssigned" variable is superfluous; we could use
> >>>>>>>>>>> the existent "AuthData" variable (with a NULL-check and a
> >>>>>>>>>>> NULL-assignment) similarly.
> >>>>>>>>>>>
> >>>>>>>>>>> - The patch complicates / reorganizes the control flow needlessly.
> >>>>>>>>>>> This complication originates from placing the checked "OffSet"
> >>>>>>>>>>> increment at the bottom of the loop, which then requires the
> >>>>>>>>>>> removal of all the "continue" statements. But we don't need to
> >>>>>>>>>>> check-and-increment at the bottom. We can keep the increment
> >>>>>>>>>>> inside the "for" statement, only extend the *existent* room check
> >>>>>>>>>>> (which I've quoted) to take the alignment into account as well. If
> >>>>>>>>>>> there is enough room for the alignment in the security data
> >>>>>>>>>>> directory, then that guarantees there won't be a UINT32 overflow
> >>>> either.
> >>>>>>>>>>>
> >>>>>>>>>>> All in all, I'm proposing the following three patches instead. The
> >>>>>>>>>>> first two patches are preparation, the last patch is the fix.
> >>>>>>>>>>>
> >>>>>>>>>>> Patch#1:
> >>>>>>>>>>>
> >>>>>>>>>>>> From 11af0a104d34d39bf1b1aab256428ae4edbddd77 Mon Sep
> 17
> >>>>>>>> 00:00:00
> >>>>>>>>>> 2001
> >>>>>>>>>>>> From: Laszlo Ersek <lersek at redhat.com>
> >>>>>>>>>>>> Date: Thu, 13 Aug 2020 19:11:39 +0200
> >>>>>>>>>>>> Subject: [PATCH 1/3] SecurityPkg/DxeImageVerificationLib:
> extract
> >>>>>>>>>>>> SecDataDirEnd, SecDataDirLeft
> >>>>>>>>>>>>
> >>>>>>>>>>>> The following two quantities:
> >>>>>>>>>>>>
> >>>>>>>>>>>> SecDataDir->VirtualAddress + SecDataDir->Size
> >>>>>>>>>>>> SecDataDir->VirtualAddress + SecDataDir->Size - OffSet
> >>>>>>>>>>>>
> >>>>>>>>>>>> are used multiple times in DxeImageVerificationHandler().
> >>>>>>>>>>>> Introduce helper variables for them: "SecDataDirEnd" and
> >>>> "SecDataDirLeft", respectively.
> >>>>>>>>>>>> This saves us multiple calculations and significantly simplifies the
> >> code.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Note that all three summands above have type UINT32,
> therefore
> >>>>>>>>>>>> the new variables are also of type UINT32.
> >>>>>>>>>>>>
> >>>>>>>>>>>> This patch does not change behavior.
> >>>>>>>>>>>>
> >>>>>>>>>>>> (Note that the code already handles the case when the
> >>>>>>>>>>>>
> >>>>>>>>>>>> SecDataDir->VirtualAddress + SecDataDir->Size
> >>>>>>>>>>>>
> >>>>>>>>>>>> UINT32 addition overflows -- namely, in that case, the
> >>>>>>>>>>>> certificate loop is never entered, and the corruption check right
> >>>>>>>>>>>> after the loop fires.)
> >>>>>>>>>>>>
> >>>>>>>>>>>> Signed-off-by: Laszlo Ersek <lersek at redhat.com>
> >>>>>>>>>>>> ---
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>>>> ib.c |
> >>>>>>>> 12
> >>>>>>>>>> ++++++++----
> >>>>>>>>>>>> 1 file changed, 8 insertions(+), 4 deletions(-)
> >>>>>>>>>>>>
> >>>>>>>>>>>> diff --git
> >>>>>>>>>>
> >> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.c
> >>>>>>>>>>
> >> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.c
> >>>>>>>>>>>> index 36b87e16d53d..8761980c88aa 100644
> >>>>>>>>>>>> ---
> >>>>>>>>
> >> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib
> >>>>>>>> .c
> >>>>>>>>>>>> +++
> >>>>>>>>>>
> >> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.c
> >>>>>>>>>>>> @@ -1652,6 +1652,8 @@ DxeImageVerificationHandler (
> >>>>>>>>>>>> UINT8 *AuthData;
> >>>>>>>>>>>> UINTN AuthDataSize;
> >>>>>>>>>>>> EFI_IMAGE_DATA_DIRECTORY *SecDataDir;
> >>>>>>>>>>>> + UINT32 SecDataDirEnd;
> >>>>>>>>>>>> + UINT32 SecDataDirLeft;
> >>>>>>>>>>>> UINT32 OffSet;
> >>>>>>>>>>>> CHAR16 *NameStr;
> >>>>>>>>>>>> RETURN_STATUS PeCoffStatus;
> >>>>>>>>>>>> @@ -1849,12 +1851,14 @@ DxeImageVerificationHandler (
> >>>>>>>>>>>> // "Attribute Certificate Table".
> >>>>>>>>>>>> // The first certificate starts at offset
> >>>>>>>>>>>> (SecDataDir->VirtualAddress) from
> >>>>>>>> the
> >>>>>>>>>> start of the file.
> >>>>>>>>>>>> //
> >>>>>>>>>>>> + SecDataDirEnd = SecDataDir->VirtualAddress + SecDataDir-
> >Size;
> >>>>>>>>>>>> for (OffSet = SecDataDir->VirtualAddress;
> >>>>>>>>>>>> - OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);
> >>>>>>>>>>>> + OffSet < SecDataDirEnd;
> >>>>>>>>>>>> OffSet += (WinCertificate->dwLength + ALIGN_SIZE
> >>>>>>>>>>>> (WinCertificate-
> >>>>>>>>>>> dwLength))) {
> >>>>>>>>>>>> WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
> >>>>>>>>>>>> - if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <=
> >>>> sizeof
> >>>>>>>>>> (WIN_CERTIFICATE) ||
> >>>>>>>>>>>> - (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <
> >>>>>>>>>> WinCertificate->dwLength) {
> >>>>>>>>>>>> + SecDataDirLeft = SecDataDirEnd - OffSet;
> >>>>>>>>>>>> + if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) ||
> >>>>>>>>>>>> + SecDataDirLeft < WinCertificate->dwLength) {
> >>>>>>>>>>>> break;
> >>>>>>>>>>>> }
> >>>>>>>>>>>>
> >>>>>>>>>>>> @@ -1948,7 +1952,7 @@ DxeImageVerificationHandler (
> >>>>>>>>>>>> }
> >>>>>>>>>>>> }
> >>>>>>>>>>>>
> >>>>>>>>>>>> - if (OffSet != (SecDataDir->VirtualAddress + SecDataDir->Size))
> >>>>>>>>>>>> {
> >>>>>>>>>>>> + if (OffSet != SecDataDirEnd) {
> >>>>>>>>>>>> //
> >>>>>>>>>>>> // The Size in Certificate Table or the attribute
> >>>>>>>>>>>> certificate table is
> >>>>>>>> corrupted.
> >>>>>>>>>>>> //
> >>>>>>>>>>>> --
> >>>>>>>>>>>> 2.19.1.3.g30247aa5d201
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> Patch#2:
> >>>>>>>>>>>
> >>>>>>>>>>>> From 72012c065a53582f7df695e7b9730c45f49226c6 Mon Sep
> 17
> >>>> 00:00:00
> >>>>>>>>>> 2001
> >>>>>>>>>>>> From: Laszlo Ersek <lersek at redhat.com>
> >>>>>>>>>>>> Date: Thu, 13 Aug 2020 19:19:06 +0200
> >>>>>>>>>>>> Subject: [PATCH 2/3] SecurityPkg/DxeImageVerificationLib:
> assign
> >>>>>>>>>>>> WinCertificate after size check
> >>>>>>>>>>>>
> >>>>>>>>>>>> Currently the (SecDataDirLeft <= sizeof (WIN_CERTIFICATE))
> check
> >>>>>>>>>>>> only guards the de-referencing of the "WinCertificate" pointer.
> >>>>>>>>>>>> It does not guard the calculation of hte pointer itself:
> >>>>>>>>>>>>
> >>>>>>>>>>>> WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
> >>>>>>>>>>>>
> >>>>>>>>>>>> This is wrong; if we don't know for sure that we have enough
> room
> >>>>>>>>>>>> for a WIN_CERTIFICATE, then even creating such a pointer, not
> >>>>>>>>>>>> just de-referencing it, may invoke undefined behavior.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Move the pointer calculation after the size check.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Signed-off-by: Laszlo Ersek <lersek at redhat.com>
> >>>>>>>>>>>> ---
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>>>> ib.c |
> >>>>>>>> 8
> >>>>>>>>>> +++++---
> >>>>>>>>>>>> 1 file changed, 5 insertions(+), 3 deletions(-)
> >>>>>>>>>>>>
> >>>>>>>>>>>> diff --git
> >>>>>>>>>>
> >> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.c
> >>>>>>>>>>
> >> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.c
> >>>>>>>>>>>> index 8761980c88aa..461ed7cfb5ac 100644
> >>>>>>>>>>>> ---
> >>>>>>>>
> >> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib
> >>>>>>>> .c
> >>>>>>>>>>>> +++
> >>>>>>>>>>
> >> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.c
> >>>>>>>>>>>> @@ -1855,10 +1855,12 @@ DxeImageVerificationHandler (
> >>>>>>>>>>>> for (OffSet = SecDataDir->VirtualAddress;
> >>>>>>>>>>>> OffSet < SecDataDirEnd;
> >>>>>>>>>>>> OffSet += (WinCertificate->dwLength + ALIGN_SIZE
> >>>>>>>>>>>> (WinCertificate-
> >>>>>>>>>>> dwLength))) {
> >>>>>>>>>>>> - WinCertificate = (WIN_CERTIFICATE *) (mImageBase +
> OffSet);
> >>>>>>>>>>>> SecDataDirLeft = SecDataDirEnd - OffSet;
> >>>>>>>>>>>> - if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) ||
> >>>>>>>>>>>> - SecDataDirLeft < WinCertificate->dwLength) {
> >>>>>>>>>>>> + if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) {
> >>>>>>>>>>>> + break;
> >>>>>>>>>>>> + }
> >>>>>>>>>>>> + WinCertificate = (WIN_CERTIFICATE *) (mImageBase +
> OffSet);
> >>>>>>>>>>>> + if (SecDataDirLeft < WinCertificate->dwLength) {
> >>>>>>>>>>>> break;
> >>>>>>>>>>>> }
> >>>>>>>>>>>>
> >>>>>>>>>>>> --
> >>>>>>>>>>>> 2.19.1.3.g30247aa5d201
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> Patch#3:
> >>>>>>>>>>>
> >>>>>>>>>>>> From 0bbba15b84f8f9f2cdc770a89f418aaec6cfb31e Mon Sep 17
> >>>> 00:00:00
> >>>>>>>>>> 2001
> >>>>>>>>>>>> From: Laszlo Ersek <lersek at redhat.com>
> >>>>>>>>>>>> Date: Thu, 13 Aug 2020 19:34:33 +0200
> >>>>>>>>>>>> Subject: [PATCH 3/3] SecurityPkg/DxeImageVerificationLib: catch
> >>>>>>>> alignment
> >>>>>>>>>>>> overflow (CVE-2019-14562)
> >>>>>>>>>>>>
> >>>>>>>>>>>> The DxeImageVerificationHandler() function currently checks
> >>>>>>>>>>>> whether "SecDataDir" has enough room for
> >>>>>>>>>>>> "WinCertificate->dwLength". However,
> >>>>>>>>>> for
> >>>>>>>>>>>> advancing "OffSet", "WinCertificate->dwLength" is aligned to the
> >>>>>>>>>>>> next multiple of 8. If "WinCertificate->dwLength" is large
> >>>>>>>>>>>> enough, the alignment will return 0, and "OffSet" will be stuck at
> >> the
> >>>> same value.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Check whether "SecDataDir" has room left for both
> >>>>>>>>>>>> "WinCertificate->dwLength" and the alignment.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Signed-off-by: Laszlo Ersek <lersek at redhat.com>
> >>>>>>>>>>>> ---
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>>>> ib.c |
> >>>>>>>> 4
> >>>>>>>>>> +++-
> >>>>>>>>>>>> 1 file changed, 3 insertions(+), 1 deletion(-)
> >>>>>>>>>>>>
> >>>>>>>>>>>> diff --git
> >>>>>>>>>>
> >> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.c
> >>>>>>>>>>
> >> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.c
> >>>>>>>>>>>> index 461ed7cfb5ac..e38eb981b7a0 100644
> >>>>>>>>>>>> ---
> >>>>>>>>
> >> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib
> >>>>>>>> .c
> >>>>>>>>>>>> +++
> >>>>>>>>>>
> >> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
> >>>>>>>>>> ib.c
> >>>>>>>>>>>> @@ -1860,7 +1860,9 @@ DxeImageVerificationHandler (
> >>>>>>>>>>>> break;
> >>>>>>>>>>>> }
> >>>>>>>>>>>> WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
> >>>>>>>>>>>> - if (SecDataDirLeft < WinCertificate->dwLength) {
> >>>>>>>>>>>> + if (SecDataDirLeft < WinCertificate->dwLength ||
> >>>>>>>>>>>> + (SecDataDirLeft - WinCertificate->dwLength <
> >>>>>>>>>>>> + ALIGN_SIZE (WinCertificate->dwLength))) {
> >>>>>>>>>>>> break;
> >>>>>>>>>>>> }
> >>>>>>>>>>>>
> >>>>>>>>>>>> --
> >>>>>>>>>>>> 2.19.1.3.g30247aa5d201
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> If Wenyi and the reviewers are OK with these patches, I can
> submit
> >>>>>>>>>>> them as a standalone patch series.
> >>>>>>>>>>>
> >>>>>>>>>>> Note that I do not have any reproducer for the issue; the best
> >>>>>>>>>>> testing that I could offer would be some light-weight Secure Boot
> >>>>>>>>>>> regression tests.
> >>>>>>>>>>>
> >>>>>>>>>>> Thanks
> >>>>>>>>>>> Laszlo
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> .
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>> .
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>
> >>
> >>
> >
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#64844): https://edk2.groups.io/g/devel/message/64844
Mute This Topic: https://groups.io/mt/76165658/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list