Skip to content
Commit 0b143fa4 authored by Laszlo Ersek's avatar Laszlo Ersek Committed by mergify[bot]
Browse files

SecurityPkg/DxeImageVerificationLib: catch alignment overflow (CVE-2019-14562) 

The DxeImageVerificationHandler() function currently checks whether
"SecDataDir" has enough room for "WinCertificate->dwLength". However, for
advancing "OffSet", "WinCertificate->dwLength" is aligned to the next
multiple of 8. If "WinCertificate->dwLength" is large enough, the
alignment will return 0, and "OffSet" will be stuck at the same value.

Check whether "SecDataDir" has room left for both
"WinCertificate->dwLength" and the alignment.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Wenyi Xie <xiewenyi2@huawei.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215


Signed-off-by: default avatarLaszlo Ersek <lersek@redhat.com>
Message-Id: <20200901091221.20948-4-lersek@redhat.com>
Reviewed-by: default avatarPhilippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: default avatarWenyi Xie <xiewenyi2@huawei.com>
Reviewed-by: default avatarMin M Xu <min.m.xu@intel.com>
Reviewed-by: default avatarJiewen Yao <jiewen.yao@intel.com>
parent a7632e91
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment