summaryrefslogtreecommitdiffstats
path: root/SecurityPkg/Library/DxeImageVerificationLib
diff options
context:
space:
mode:
authorJian J Wang <jian.j.wang@intel.com>2019-10-10 11:46:16 +0800
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>2020-02-19 14:08:23 +0000
commit9e569700901857d0ba418ebdd30b8086b908688c (patch)
tree0bab007e9327f7f3042421620dfac10b5e9fc6ff /SecurityPkg/Library/DxeImageVerificationLib
parentc13742b180095e5181e41dffda954581ecbd9b9c (diff)
downloadedk2-9e569700901857d0ba418ebdd30b8086b908688c.tar.gz
edk2-9e569700901857d0ba418ebdd30b8086b908688c.tar.bz2
edk2-9e569700901857d0ba418ebdd30b8086b908688c.zip
SecurityPkg/DxeImageVerificationLib: fix wrong fetch dbx in IsAllowedByDb (CVE-2019-14575)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 Normally two times of calling gRT->GetVariable() are needed to get the data of a variable: get the variable size by passing zero variable size, and then allocate enough memory and pass the correct variable size and buffer. But in the inner loop in IsAllowedByDb(), the DbxDataSize was not initialized to zero before calling gRT->GetVariable(). It won't cause problem if dbx does not exist. But it will give wrong result if dbx exists and the DbxDataSize happens to be a small enough value. In this situation, EFI_BUFFER_TOO_SMALL will be returned. Then the result check code followed will jump to 'Done', which is not correct because it's actually the value expected. if (Status == EFI_BUFFER_TOO_SMALL) { goto Done; } Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Chao Zhang <chao.b.zhang@intel.com> Signed-off-by: Jian J Wang <jian.j.wang@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Diffstat (limited to 'SecurityPkg/Library/DxeImageVerificationLib')
-rw-r--r--SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 5dcd6efed5..1efb2f96cd 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1456,8 +1456,9 @@ IsAllowedByDb (
//
// Here We still need to check if this RootCert's Hash is revoked
//
+ DbxDataSize = 0;
Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, NULL);
- if (Status == EFI_BUFFER_TOO_SMALL) {
+ if (Status != EFI_BUFFER_TOO_SMALL) {
goto Done;
}
DbxData = (UINT8 *) AllocateZeroPool (DbxDataSize);