diff options
| author | Laszlo Ersek <lersek@redhat.com> | 2020-09-01 11:12:21 +0200 |
|---|---|---|
| committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2020-09-02 10:16:18 +0000 |
| commit | 0b143fa43e92be15d11e22f80773bcb1b2b0608f (patch) | |
| tree | 74600657473becb59587b0dcdaf8c6fa54c2b811 /MdeModulePkg/Library | |
| parent | a7632e913c1c106f436aefd5e76c394249c383a8 (diff) | |
| download | edk2-0b143fa43e92be15d11e22f80773bcb1b2b0608f.tar.gz edk2-0b143fa43e92be15d11e22f80773bcb1b2b0608f.tar.bz2 edk2-0b143fa43e92be15d11e22f80773bcb1b2b0608f.zip | |
SecurityPkg/DxeImageVerificationLib: catch alignment overflow (CVE-2019-14562)
The DxeImageVerificationHandler() function currently checks whether
"SecDataDir" has enough room for "WinCertificate->dwLength". However, for
advancing "OffSet", "WinCertificate->dwLength" is aligned to the next
multiple of 8. If "WinCertificate->dwLength" is large enough, the
alignment will return 0, and "OffSet" will be stuck at the same value.
Check whether "SecDataDir" has room left for both
"WinCertificate->dwLength" and the alignment.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Wenyi Xie <xiewenyi2@huawei.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20200901091221.20948-4-lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Wenyi Xie <xiewenyi2@huawei.com>
Reviewed-by: Min M Xu <min.m.xu@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Diffstat (limited to 'MdeModulePkg/Library')
0 files changed, 0 insertions, 0 deletions