> -----Original Message-----
> From: Laszlo Ersek <ler...@redhat.com>
> Sent: Tuesday, September 01, 2020 5:12 PM
> To: edk2-devel-groups-io <devel@edk2.groups.io>
> Cc: Wang, Jian J <jian.j.w...@intel.com>; Yao, Jiewen
> <jiewen....@intel.com>; Xu, Min M <min.m...@intel.com>; Wenyi Xie
> <xiewen...@huawei.com>
> Subject: [PATCH 2/3] SecurityPkg/DxeImageVerificationLib: assign
> WinCertificate after size check
>
> Currently the (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) check only
> guards the de-referencing of the "WinCertificate" pointer. It does not guard
> the calculation of the pointer itself:
>
> WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
>
> This is wrong; if we don't know for sure that we have enough room for a
> WIN_CERTIFICATE, then even creating such a pointer, not just de-
> referencing it, may invoke undefined behavior.
>
> Move the pointer calculation after the size check.
>
> Cc: Jian J Wang <jian.j.w...@intel.com>
> Cc: Jiewen Yao <jiewen....@intel.com>
> Cc: Min Xu <min.m...@intel.com>
> Cc: Wenyi Xie <xiewen...@huawei.com>
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
> Signed-off-by: Laszlo Ersek <ler...@redhat.com>
Reviewed-by: Min M Xu <min.m...@intel.com>
> ---
> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 8
> +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 377feebb205a..100739eb3eb6 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLi
> +++ b.c
> @@ -1855,10 +1855,12 @@ DxeImageVerificationHandler (
> for (OffSet = SecDataDir->VirtualAddress;
> OffSet < SecDataDirEnd;
> OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate-
> >dwLength))) {
> - WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
> SecDataDirLeft = SecDataDirEnd - OffSet;
> - if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) ||
> - SecDataDirLeft < WinCertificate->dwLength) {
> + if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) {
> + break;
> + }
> + WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
> + if (SecDataDirLeft < WinCertificate->dwLength) {
> break;
> }
>
> --
> 2.19.1.3.g30247aa5d201
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#64942): https://edk2.groups.io/g/devel/message/64942
Mute This Topic: https://groups.io/mt/76552539/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
