authorJian J Wang <jian.j.wang@intel.com>2019-10-10 14:28:36 +0800
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>2020-02-19 14:08:23 +0000
commit929d1a24d12822942fd4f9fa83582e27f92de243 (patch)
tree67ce536e462dafea2962da43b0e2b833049802d9
parent9e569700901857d0ba418ebdd30b8086b908688c (diff)
SecurityPkg/DxeImageVerificationLib: avoid bypass in fetching dbx (CVE-2019-14575)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 In the timestamp check after the cert is found in db, the original code jumps to 'Done' if any error happens while fetching the dbx variable. At any of these jumps, VerifyStatus equals TRUE, which means allowed-by-db. This should not be allowed except for the EFI_NOT_FOUND case (meaning dbx doesn't exist), because it could be used to bypass the timestamp check. This patch adds code to change VerifyStatus to FALSE in the case of memory allocation failure and dbx fetching failure to avoid a potential bypass issue. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Chao Zhang <chao.b.zhang@intel.com> Signed-off-by: Jian J Wang <jian.j.wang@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
-rw-r--r--SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 1efb2f96cd..ed5dbf26b0 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1459,15 +1459,26 @@ IsAllowedByDb (
DbxDataSize = 0;
Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, NULL);
if (Status != EFI_BUFFER_TOO_SMALL) {
+ if (Status != EFI_NOT_FOUND) {
+ VerifyStatus = FALSE;
+ }
goto Done;
}
DbxData = (UINT8 *) AllocateZeroPool (DbxDataSize);
if (DbxData == NULL) {
+ //
+ // Force not-allowed-by-db to avoid bypass
+ //
+ VerifyStatus = FALSE;
goto Done;
}
Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, (VOID *) DbxData);
if (EFI_ERROR (Status)) {
+ //
+ // Force not-allowed-by-db to avoid bypass
+ //
+ VerifyStatus = FALSE;
goto Done;
}