git.proxmox.com Git - mirror

SecurityPkg/DxeImageVerificationLib: fix wrong fetch dbx in IsAllowedByDb (CVE-2019-14575)

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608

Normally two times of calling gRT->GetVariable() are needed to get
the data of a variable: get the variable size by passing zero variable
size, and then allocate enough memory and pass the correct variable size
and buffer.

But in the inner loop in IsAllowedByDb(), the DbxDataSize was not
initialized to zero before calling gRT->GetVariable(). It won't cause
problem if dbx does not exist. But it will give wrong result if dbx
exists and the DbxDataSize happens to be a small enough value. In this
situation, EFI_BUFFER_TOO_SMALL will be returned. Then the result check
code followed will jump to 'Done', which is not correct because it's
actually the value expected.

            if (Status == EFI_BUFFER_TOO_SMALL) {
              goto Done;
            }

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

author	Jian J Wang <jian.j.wang@intel.com>
	Thu, 10 Oct 2019 03:46:16 +0000 (11:46 +0800)
committer	mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
	Wed, 19 Feb 2020 14:08:23 +0000 (14:08 +0000)
commit	9e569700901857d0ba418ebdd30b8086b908688c
tree	0bab007e9327f7f3042421620dfac10b5e9fc6ff	tree
parent	c13742b180095e5181e41dffda954581ecbd9b9c	commit \| diff