diff --git a/0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch b/0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch new file mode 100644 index 0000000000000000000000000000000000000000..3934c8447e3d6648d4ff627979493fff8e3cec22 --- /dev/null +++ b/0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch 
@@ -0,0 +1,88 @@ +From 503248ccdf45c14d4040ce44163facdc212e4991 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 1 Sep 2020 11:12:19 +0200 +Subject: [PATCH 2/4] SecurityPkg/DxeImageVerificationLib: extract + SecDataDirEnd, SecDataDirLeft +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The following two quantities: + + SecDataDir->VirtualAddress + SecDataDir->Size + SecDataDir->VirtualAddress + SecDataDir->Size - OffSet + +are used multiple times in DxeImageVerificationHandler(). Introduce helper +variables for them: "SecDataDirEnd" and "SecDataDirLeft", respectively. +This saves us multiple calculations and significantly simplifies the code. + +Note that all three summands above have type UINT32, therefore the new +variables are also of type UINT32. + +This patch does not change behavior. + +(Note that the code already handles the case when the + + SecDataDir->VirtualAddress + SecDataDir->Size + +UINT32 addition overflows -- namely, in that case, the certificate loop is +never entered, and the corruption check right after the loop fires.) 
+ +Cc: Jian J Wang +Cc: Jiewen Yao +Cc: Min Xu +Cc: Wenyi Xie +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215 +Signed-off-by: Laszlo Ersek +Message-Id: <20200901091221.20948-2-lersek@redhat.com> +Reviewed-by: Philippe Mathieu-Daudé +Tested-by: Wenyi Xie +Reviewed-by: Min M Xu +Reviewed-by: Jiewen Yao +--- + .../DxeImageVerificationLib.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +index b08fe24e85..377feebb20 100644 +--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c ++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +@@ -1652,6 +1652,8 @@ DxeImageVerificationHandler ( + UINT8 *AuthData; + UINTN AuthDataSize; + EFI_IMAGE_DATA_DIRECTORY *SecDataDir; ++ UINT32 SecDataDirEnd; ++ UINT32 SecDataDirLeft; + UINT32 OffSet; + CHAR16 *NameStr; + RETURN_STATUS PeCoffStatus; +@@ -1849,12 +1851,14 @@ DxeImageVerificationHandler ( + // "Attribute Certificate Table". + // The first certificate starts at offset (SecDataDir->VirtualAddress) from the start of the file. 
+ // ++ SecDataDirEnd = SecDataDir->VirtualAddress + SecDataDir->Size; + for (OffSet = SecDataDir->VirtualAddress; +- OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size); ++ OffSet < SecDataDirEnd; + OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength))) { + WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet); +- if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <= sizeof (WIN_CERTIFICATE) || +- (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) < WinCertificate->dwLength) { ++ SecDataDirLeft = SecDataDirEnd - OffSet; ++ if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) || ++ SecDataDirLeft < WinCertificate->dwLength) { + break; + } + +@@ -1948,7 +1952,7 @@ DxeImageVerificationHandler ( + } + } + +- if (OffSet != (SecDataDir->VirtualAddress + SecDataDir->Size)) { ++ if (OffSet != SecDataDirEnd) { + // + // The Size in Certificate Table or the attribute certificate table is corrupted. + // +-- +2.27.0 + diff --git a/0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch b/0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch new file mode 100644 index 0000000000000000000000000000000000000000..c0261412079de4f5ab76bb0950a6e81a1aaeffa6 --- /dev/null +++ b/0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch 
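Review bot: The assignment `SecDataDirEnd = SecDataDir->VirtualAddress + SecDataDir->Size;` can wrap in UINT32, and the reason this is safe is recorded only in the commit message, not in the code. A short comment above the assignment would keep the invariant visible to later maintainers, for example `// UINT32 wrap-around is tolerated: the loop is then never entered and the (OffSet != SecDataDirEnd) check below reports corruption.` These hunks do not show whether SecDataDirEnd is also compared against the image size before `mImageBase + OffSet` is formed. That is worth confirming in the part of DxeImageVerificationHandler() that lies outside the hunks.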
@@ -0,0 +1,59 @@ +From a7632e913c1c106f436aefd5e76c394249c383a8 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 1 Sep 2020 11:12:20 +0200 +Subject: [PATCH 3/4] SecurityPkg/DxeImageVerificationLib: assign + WinCertificate after size check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently the (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) check only +guards the de-referencing of the "WinCertificate" pointer. It does not +guard the calculation of the pointer itself: + + WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet); + +This is wrong; if we don't know for sure that we have enough room for a +WIN_CERTIFICATE, then even creating such a pointer, not just +de-referencing it, may invoke undefined behavior. + +Move the pointer calculation after the size check. + +Cc: Jian J Wang +Cc: Jiewen Yao +Cc: Min Xu +Cc: Wenyi Xie +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215 +Signed-off-by: Laszlo Ersek +Message-Id: <20200901091221.20948-3-lersek@redhat.com> +Reviewed-by: Philippe Mathieu-Daudé +Tested-by: Wenyi Xie +Reviewed-by: Min M Xu +Reviewed-by: Jiewen Yao +--- + .../DxeImageVerificationLib/DxeImageVerificationLib.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +index 377feebb20..100739eb3e 100644 +--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c ++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +@@ -1855,10 +1855,12 @@ DxeImageVerificationHandler ( + for (OffSet = SecDataDir->VirtualAddress; + OffSet < SecDataDirEnd; + OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength))) { +- WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet); + SecDataDirLeft = SecDataDirEnd - OffSet; +- if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) || +- 
SecDataDirLeft < WinCertificate->dwLength) { ++ if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) { ++ break; ++ } ++ WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet); ++ if (SecDataDirLeft < WinCertificate->dwLength) { + break; + } + +-- +2.27.0 + diff --git a/0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch b/0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch new file mode 100644 index 0000000000000000000000000000000000000000..2723b17351747063f206eaba5c30960f6a7e5620 --- /dev/null +++ b/0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch 
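Review bot: The reordering in the loop body carries no in-code comment, so a later cleanup could merge the two `if` statements again and put the pointer computation back ahead of the size check. A one-line comment before `WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);` would pin the intent, e.g. `// Form the pointer only after confirming that a WIN_CERTIFICATE header fits in SecDataDirLeft.` The first check uses `<=`, so a remainder of exactly sizeof (WIN_CERTIFICATE) is rejected; presumably a header with no payload is never valid, and the comment could say so. The loop body continues outside this hunk.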
@@ -0,0 +1,51 @@ +From 0b143fa43e92be15d11e22f80773bcb1b2b0608f Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 1 Sep 2020 11:12:21 +0200 +Subject: [PATCH 4/4] SecurityPkg/DxeImageVerificationLib: catch alignment + overflow (CVE-2019-14562) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The DxeImageVerificationHandler() function currently checks whether +"SecDataDir" has enough room for "WinCertificate->dwLength". However, for +advancing "OffSet", "WinCertificate->dwLength" is aligned to the next +multiple of 8. If "WinCertificate->dwLength" is large enough, the +alignment will return 0, and "OffSet" will be stuck at the same value. + +Check whether "SecDataDir" has room left for both +"WinCertificate->dwLength" and the alignment. + +Cc: Jian J Wang +Cc: Jiewen Yao +Cc: Min Xu +Cc: Wenyi Xie +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215 +Signed-off-by: Laszlo Ersek +Message-Id: <20200901091221.20948-4-lersek@redhat.com> +Reviewed-by: Philippe Mathieu-Daudé +Tested-by: Wenyi Xie +Reviewed-by: Min M Xu +Reviewed-by: Jiewen Yao +--- + .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +index 100739eb3e..11154b6cc5 100644 +--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c ++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +@@ -1860,7 +1860,9 @@ DxeImageVerificationHandler ( + break; + } + WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet); +- if (SecDataDirLeft < WinCertificate->dwLength) { ++ if (SecDataDirLeft < WinCertificate->dwLength || ++ (SecDataDirLeft - WinCertificate->dwLength < ++ ALIGN_SIZE (WinCertificate->dwLength))) { + break; + } + +-- +2.27.0 + 
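Review bot: The new condition bounds `WinCertificate->dwLength` from above only; nothing in this hunk rejects a length smaller than the WIN_CERTIFICATE header itself. The stall this patch addresses occurs when the `OffSet +=` step adds zero, and a dwLength of 0 would presumably give the same zero step. If any path in the rest of the loop body (outside the hunk) reaches the increment without a minimum-length check, OffSet would again fail to advance. Consider adding a lower bound to the same test, `WinCertificate->dwLength < sizeof (WIN_CERTIFICATE) ||`, or confirm that every later branch breaks on short lengths. The subtraction in the second clause is safe only because the first clause short-circuits, and a brief comment saying so would guard against reordering.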
diff --git a/edk2.spec b/edk2.spec index 4943db537f7cd528aec563a2a8eca27644f38bf1..32f9399e04b294f3d410f247673d87797d69bc31 100644 --- a/edk2.spec +++ b/edk2.spec @@ -5,7 +5,7 @@ Name: edk2 Version: %{stable_date} -Release: 2 +Release: 3 Summary: EFI Development Kit II License: BSD-2-Clause-Patent URL: https://github.com/tianocore/edk2 @@ -14,6 +14,9 @@ Source1: openssl-%{openssl_version}.tar.gz Patch0001: 0001-CryptoPkg-OpensslLib-Modify-process_files.pl-for-Ope.patch Patch0002: 0002-CryptoPkg-Upgrade-OpenSSL-to-1.1.1f.patch +Patch0003: 0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch +Patch0004: 0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch +Patch0005: 0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python2 @@ -209,6 +212,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys %endif %changelog +* Mon May 10 2021 openEuler Buildteam - 202002-3 +- Fix CVE-2019-14562 + * Wed Oct 14 2020 zhangxinhao - 202002-2 - add build option "-D SECURE_BOOT_ENABLE=TRUE" to enable secure boot