fix CVE-2023-0401

2023-02-26 11:51:59 +08:00 · 2023-02-26 11:51:59 +08:00 · b07403874c
commit b07403874c
parent 7f648c5147
2 changed files with 62 additions and 1 deletions
--- a/0039-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch
+++ b/0039-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch
@ -0,0 +1,57 @@
+From 7dd5a23212e3c7bf25a9cd7689681beb89b2d20f Mon Sep 17 00:00:00 2001
+From: Shao Denghui <shaodenghui@huawei.com>
+Date: Tue, 21 Feb 2023 20:12:59 +0800
+Subject: [PATCH] [PATCH] pk7_doit.c: Check return of BIO_set_md() calls
+
+These calls invoke EVP_DigestInit() which can fail for digests
+with implicit fetches. Subsequent EVP_DigestUpdate() from BIO_write()
+or EVP_DigestFinal() from BIO_read() will segfault on NULL
+dereference. This can be triggered by an attacker providing
+PKCS7 data digested with MD4 for example if the legacy provider
+is not loaded.
+
+If BIO_set_md() fails the md BIO cannot be used.
+
+CVE-2023-0401
+
+Reference: https://github.com/openssl/openssl/commit/6eebe6c0238178356114a96a7858f36b24172847
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+
+Signed-off-by: Shao Denghui <shaodenghui@huawei.com>
+---
+ .../Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+index f63fbc5..bbfcf27 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+@@ -67,7 +67,10 @@ static int PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg)
+         goto err;
+     }
+ 
+-    BIO_set_md(btmp, md);
+    if (BIO_set_md(btmp, md) <= 0) {
+        PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST, ERR_R_BIO_LIB);
+        goto err;
+    }
+     if (*pbio == NULL)
+         *pbio = btmp;
+     else if (!BIO_push(*pbio, btmp)) {
+@@ -454,7 +457,10 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
+                 goto err;
+             }
+ 
+-            BIO_set_md(btmp, evp_md);
+            if (BIO_set_md(btmp, evp_md) <= 0) {
+                PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_BIO_LIB);
+                goto err;
+            }
+             if (out == NULL)
+                 out = btmp;
+             else
+-- 
+2.27.0
+
--- a/edk2.spec
+++ b/edk2.spec
@ -5,7 +5,7 @@

 Name: edk2
 Version: %{stable_date}
-Release: 12
+Release: 13
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent
 URL: https://github.com/tianocore/edk2
@ -52,6 +52,7 @@ Patch0037: 0035-SecurityPkg-TcgPei-Use-Migrated-FV-Info-Hob-for-calc.patch
 Patch0038: 0036-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch
 Patch0039: 0037-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch
 Patch0040: 0038-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch
+Patch0041: 0039-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch

 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python2

@ -247,6 +248,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif

 %changelog
+* Sun Feb 26 2023 shaodenghui<shaodenghui@huawei.com> - 202002-13
+- fix CVE-2023-0401
+
 * Sun Feb 26 2023 shaodenghui<shaodenghui@huawei.com> - 202002-12
 - fix CVE-2022-4450