[edk2-devel] [PATCH] CryptoPkg/BaseCryptLib: fix NULL dereference (CVE-2019-14584)

Yao, Jiewen jiewen.yao at intel.com
Sun Oct 18 01:02:52 UTC 2020


Reviewed-by: Jiewen Yao <Jiewen.yao at intel.com>

> -----Original Message-----
> From: Wang, Jian J <jian.j.wang at intel.com>
> Sent: Friday, October 16, 2020 1:15 PM
> To: devel at edk2.groups.io
> Cc: Lu, XiaoyuX <xiaoyux.lu at intel.com>; Jiang, Guomin
> <guomin.jiang at intel.com>; Yao, Jiewen <jiewen.yao at intel.com>; Laszlo
> Ersek <lersek at redhat.com>
> Subject: [PATCH] CryptoPkg/BaseCryptLib: fix NULL dereference (CVE-2019-
> 14584)
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1914
> 
> AuthenticodeVerify() calls OpenSSL's d2i_PKCS7() API to parse ASN.1-encoded
> signed Authenticode PKCS#7 data. When this successfully returns, a type
> check is done by calling PKCS7_type_is_signed() and then
> Pkcs7->d.sign->contents->type is used. It is possible to construct an ASN.1
> blob that successfully decodes and has d2i_PKCS7() return a valid pointer
> and has PKCS7_type_is_signed() also return success, but has Pkcs7->d.sign
> be a NULL pointer.
> 
> Looking at how PKCS7_verify() [inside of OpenSSL] implements checking for
> PKCS#7 structs, it does the following:
> - call PKCS7_type_is_signed()
> - call PKCS7_get_detached()
> Looking into how PKCS7_get_detached() is implemented, it checks to see if
> p7->d.sign is NULL or if p7->d.sign->contents->d.ptr is NULL.
> 
> As such, the fix is to do the same as OpenSSL after calling d2i_PKCS7().
> - Add a call to PKCS7_get_detached() to the existing error handling
> 
> Cc: Xiaoyu Lu <xiaoyux.lu at intel.com>
> Cc: Guomin Jiang <guomin.jiang at intel.com>
> Cc: Jiewen Yao <jiewen.yao at intel.com>
> Cc: Laszlo Ersek <lersek at redhat.com>
> Signed-off-by: Jian J Wang <jian.j.wang at intel.com>
> Reviewed-by: Laszlo Ersek <lersek at redhat.com>
> ---
>  CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
> b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
> index 2772b1e2be..ae0ee61fb6 100644
> --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
> +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
> @@ -9,7 +9,7 @@
>    AuthenticodeVerify() will get PE/COFF Authenticode and will do basic check
> for
> 
>    data structure.
> 
> 
> 
> -Copyright (c) 2011 - 2015, Intel Corporation. All rights reserved.<BR>
> 
> +Copyright (c) 2011 - 2019, Intel Corporation. All rights reserved.<BR>
> 
>  SPDX-License-Identifier: BSD-2-Clause-Patent
> 
> 
> 
>  **/
> 
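Review bot: the header year in `+Copyright (c) 2011 - 2019, Intel Corporation.` does not match when this patch was actually sent (the Sent header above reads October 2020); the bump should probably read `2011 - 2020`, or be dropped from this hunk if the project does not touch copyright lines in bug-fix commits.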
> @@ -100,7 +100,7 @@ AuthenticodeVerify (
>    //
> 
>    // Check if it's PKCS#7 Signed Data (for Authenticode Scenario)
> 
>    //
> 
> -  if (!PKCS7_type_is_signed (Pkcs7)) {
> 
> +  if (!PKCS7_type_is_signed (Pkcs7) || PKCS7_get_detached (Pkcs7)) {
> 
>      goto _Exit;
> 
>    }
> 
> 
> 
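Review bot: the combined condition `+  if (!PKCS7_type_is_signed (Pkcs7) || PKCS7_get_detached (Pkcs7)) {` now rejects two distinct cases, a decoded structure with d.sign == NULL and a genuinely detached signature, but the comment left above it still says only `Check if it's PKCS#7 Signed Data (for Authenticode Scenario)`. The rationale that PKCS7_get_detached() is what guards the later Pkcs7->d.sign->contents->type read lives only in the commit message; extend the comment to say that detached or missing content is rejected as well so the next reader does not "simplify" the condition back to the type check alone.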
> --
> 2.19.0.windows.1
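To make the shape of the bug and of the fix concrete without linking OpenSSL, here is an added C example that is not part of the patch, of edk2, or of OpenSSL: it models only the fields the patch touches with small stand-in structs (an assumption; the real PKCS7 types are larger), reimplements the NULL checks the commit message attributes to PKCS7_get_detached(), and contrasts the pre-patch check (type check only) with the post-patch one on constructed inputs, reporting where the pre-patch code would have dereferenced NULL instead of crashing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Simplified stand-ins for OpenSSL's PKCS7 types. Assumption of this
 * example: only the members used by the patched check are modelled.
 */
typedef struct {
    int   type;   /* ~ contents->type, read by AuthenticodeVerify() after the check */
    void *ptr;    /* ~ contents->d.ptr, NULL when the content is detached */
} ContentsModel;

typedef struct {
    ContentsModel *contents;   /* ~ PKCS7_SIGNED->contents */
} SignedModel;

typedef struct {
    bool type_is_signed;               /* stands in for PKCS7_type_is_signed(p7) */
    union { SignedModel *sign; } d;    /* ~ the p7->d union; only the signed arm is modelled */
} Pkcs7Model;

/* Outcomes of the check (constructed for this example). */
enum { CHECK_OK = 0, CHECK_REJECTED = 1, CHECK_WOULD_DEREF_NULL = 2 };

/*
 * Mirrors the two NULL checks the commit message describes for OpenSSL's
 * PKCS7_get_detached(): detached if p7->d.sign is NULL or if
 * p7->d.sign->contents->d.ptr is NULL.
 */
bool model_get_detached(const Pkcs7Model *p7)
{
    if (p7->d.sign == NULL) {
        return true;
    }
    return p7->d.sign->contents->ptr == NULL;
}

/*
 * Pre-patch shape: only the type check guards the later read of
 * Pkcs7->d.sign->contents->type. The model reports the NULL dereference
 * it would have performed instead of actually performing it.
 */
int check_before_patch(const Pkcs7Model *p7)
{
    if (!p7->type_is_signed) {
        return CHECK_REJECTED;
    }
    if (p7->d.sign == NULL) {
        return CHECK_WOULD_DEREF_NULL;   /* the crash described in the commit message */
    }
    volatile int content_type = p7->d.sign->contents->type;   /* the read the guard protects */
    (void)content_type;
    return CHECK_OK;
}

/* Post-patch shape: the detached check runs before d.sign is dereferenced. */
int check_after_patch(const Pkcs7Model *p7)
{
    if (!p7->type_is_signed || model_get_detached(p7)) {
        return CHECK_REJECTED;   /* equivalent of `goto _Exit` in the patch */
    }
    volatile int content_type = p7->d.sign->contents->type;   /* safe: d.sign is non-NULL here */
    (void)content_type;
    return CHECK_OK;
}

/* Constructed sample structures; 21 is just a content-type tag value. */
static int           g_payload           = 0;
static ContentsModel g_embedded_contents = { 21, &g_payload };
static ContentsModel g_detached_contents = { 21, NULL };
static SignedModel   g_embedded_signed   = { &g_embedded_contents };
static SignedModel   g_detached_signed   = { &g_detached_contents };

Pkcs7Model sample_well_formed(void)  { Pkcs7Model p = { true,  { &g_embedded_signed } }; return p; }
Pkcs7Model sample_missing_sign(void) { Pkcs7Model p = { true,  { NULL } };               return p; }
Pkcs7Model sample_detached(void)     { Pkcs7Model p = { true,  { &g_detached_signed } }; return p; }
Pkcs7Model sample_not_signed(void)   { Pkcs7Model p = { false, { NULL } };               return p; }

int main(void)
{
    Pkcs7Model  cases[] = { sample_well_formed(), sample_missing_sign(),
                            sample_detached(),    sample_not_signed() };
    const char *names[] = { "well-formed", "d.sign == NULL", "detached", "not signed" };

    /* 0 = accepted, 1 = rejected, 2 = pre-patch code would dereference NULL */
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-16s before patch: %d   after patch: %d\n", names[i],
               check_before_patch(&cases[i]), check_after_patch(&cases[i]));
    }
    return 0;
}
```

The point the model makes visible is that the type check alone says nothing about the d.sign arm of the union being populated; only the detached check, run before the union is dereferenced, turns the "d.sign == NULL" input from a crash into an ordinary rejection. It also shows the side effect the review note above mentions: a genuinely detached signature, which the old code would have accepted at this point, is now rejected too.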
View/Reply Online (#66353): https://edk2.groups.io/g/devel/message/66353