authorJian J Wang <jian.j.wang@intel.com>2019-10-10 11:46:16 +0800
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>2020-02-19 14:08:23 +0000
commit9e569700901857d0ba418ebdd30b8086b908688c (patch)
tree0bab007e9327f7f3042421620dfac10b5e9fc6ff
parentc13742b180095e5181e41dffda954581ecbd9b9c (diff)
SecurityPkg/DxeImageVerificationLib: fix wrong fetch dbx in IsAllowedByDb (CVE-2019-14575)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 Normally gRT->GetVariable() must be called twice to get the data of a variable: first with a zero variable size to get the required size, and then, after allocating enough memory, with the correct variable size and buffer. But in the inner loop in IsAllowedByDb(), DbxDataSize was not initialized to zero before calling gRT->GetVariable(). This causes no problem if dbx does not exist. But it gives a wrong result if dbx exists and DbxDataSize happens to hold a small enough value. In this situation, EFI_BUFFER_TOO_SMALL is returned. The result check that follows then jumps to 'Done', which is not correct because EFI_BUFFER_TOO_SMALL is actually the expected value. if (Status == EFI_BUFFER_TOO_SMALL) { goto Done; } Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Chao Zhang <chao.b.zhang@intel.com> Signed-off-by: Jian J Wang <jian.j.wang@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
-rw-r--r--SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 5dcd6ef..1efb2f9 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1456,8 +1456,9 @@ IsAllowedByDb (
//
// Here We still need to check if this RootCert's Hash is revoked
//
+ DbxDataSize = 0;
Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, NULL);
- if (Status == EFI_BUFFER_TOO_SMALL) {
+ if (Status != EFI_BUFFER_TOO_SMALL) {
goto Done;
}
DbxData = (UINT8 *) AllocateZeroPool (DbxDataSize);
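Review bot: The new `if (Status != EFI_BUFFER_TOO_SMALL)` check sends every other status to `Done`, so a dbx that does not exist (EFI_NOT_FOUND) and a dbx that exists but could not be read (for example EFI_DEVICE_ERROR) are treated alike, and the revocation check announced in the comment above is skipped in both cases. What `Done` returns is outside this hunk, but if the function's result still says "allowed" when this block is entered, a failed read of dbx fails open. Consider separating the two cases before the jump, e.g. `if (Status != EFI_NOT_FOUND) { /* force the not-allowed result */ }` ahead of `goto Done;`. The same question applies to a NULL return from `AllocateZeroPool (DbxDataSize)`, whose check is not visible here. IsAllowedByDb's body starts and ends outside the hunk.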