From 0b143fa43e92be15d11e22f80773bcb1b2b0608f Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Tue, 1 Sep 2020 11:12:21 +0200 Subject: [PATCH] SecurityPkg/DxeImageVerificationLib: catch alignment overflow (CVE-2019-14562) MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The DxeImageVerificationHandler() function currently checks whether "SecDataDir" has enough room for "WinCertificate->dwLength". However, for advancing "OffSet", "WinCertificate->dwLength" is aligned to the next multiple of 8. If "WinCertificate->dwLength" is large enough, the alignment will return 0, and "OffSet" will be stuck at the same value. Check whether "SecDataDir" has room left for both "WinCertificate->dwLength" and the alignment. Cc: Jian J Wang Cc: Jiewen Yao Cc: Min Xu Cc: Wenyi Xie Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215 Signed-off-by: Laszlo Ersek Message-Id: <20200901091221.20948-4-lersek@redhat.com> Reviewed-by: Philippe Mathieu-Daudé Tested-by: Wenyi Xie Reviewed-by: Min M Xu Reviewed-by: Jiewen Yao --- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index 100739eb3e..11154b6cc5 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1860,7 +1860,9 @@ DxeImageVerificationHandler ( break; } WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet); - if (SecDataDirLeft < WinCertificate->dwLength) { + if (SecDataDirLeft < WinCertificate->dwLength || + (SecDataDirLeft - WinCertificate->dwLength < + ALIGN_SIZE (WinCertificate->dwLength))) { break; } -- 2.39.2