]> git.proxmox.com Git - mirror_edk2.git/commit
projects / mirror_edk2.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: a7632e9) | patch
SecurityPkg/DxeImageVerificationLib: catch alignment overflow (CVE-2019-14562)
authorLaszlo Ersek <lersek@redhat.com>
Tue, 1 Sep 2020 09:12:21 +0000 (11:12 +0200)
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Wed, 2 Sep 2020 10:16:18 +0000 (10:16 +0000)
commit0b143fa43e92be15d11e22f80773bcb1b2b0608f
tree74600657473becb59587b0dcdaf8c6fa54c2b811tree
parenta7632e913c1c106f436aefd5e76c394249c383a8commit | diff
SecurityPkg/DxeImageVerificationLib: catch alignment overflow (CVE-2019-14562)

The DxeImageVerificationHandler() function currently checks whether
"SecDataDir" has enough room for "WinCertificate->dwLength". However, for
advancing "OffSet", "WinCertificate->dwLength" is aligned to the next
multiple of 8. If "WinCertificate->dwLength" is large enough, the
alignment will return 0, and "OffSet" will be stuck at the same value.

Check whether "SecDataDir" has room left for both
"WinCertificate->dwLength" and the alignment.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Wenyi Xie <xiewenyi2@huawei.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20200901091221.20948-4-lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Wenyi Xie <xiewenyi2@huawei.com>
Reviewed-by: Min M Xu <min.m.xu@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c diff | blob | blame | history
EFI Development Kit II mirror for PVE