fix CVE-2019-14562

0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch

@@ -0,0 +1,88 @@
+From 503248ccdf45c14d4040ce44163facdc212e4991 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 1 Sep 2020 11:12:19 +0200
+Subject: [PATCH 2/4] SecurityPkg/DxeImageVerificationLib: extract
+ SecDataDirEnd, SecDataDirLeft
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The following two quantities:
+
+  SecDataDir->VirtualAddress + SecDataDir->Size
+  SecDataDir->VirtualAddress + SecDataDir->Size - OffSet
+
+are used multiple times in DxeImageVerificationHandler(). Introduce helper
+variables for them: "SecDataDirEnd" and "SecDataDirLeft", respectively.
+This saves us multiple calculations and significantly simplifies the code.
+
+Note that all three summands above have type UINT32, therefore the new
+variables are also of type UINT32.
+
+This patch does not change behavior.
+
+(Note that the code already handles the case when the
+
+  SecDataDir->VirtualAddress + SecDataDir->Size
+
+UINT32 addition overflows -- namely, in that case, the certificate loop is
+never entered, and the corruption check right after the loop fires.)
+
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Min Xu <min.m.xu@intel.com>
+Cc: Wenyi Xie <xiewenyi2@huawei.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Message-Id: <20200901091221.20948-2-lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Wenyi Xie <xiewenyi2@huawei.com>
+Reviewed-by: Min M Xu <min.m.xu@intel.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+---
+ .../DxeImageVerificationLib.c                        | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index b08fe24e85..377feebb20 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1652,6 +1652,8 @@ DxeImageVerificationHandler (
+   UINT8                                *AuthData;
+   UINTN                                AuthDataSize;
+   EFI_IMAGE_DATA_DIRECTORY             *SecDataDir;
++  UINT32                               SecDataDirEnd;
++  UINT32                               SecDataDirLeft;
+   UINT32                               OffSet;
+   CHAR16                               *NameStr;
+   RETURN_STATUS                        PeCoffStatus;
+@@ -1849,12 +1851,14 @@ DxeImageVerificationHandler (
+   // "Attribute Certificate Table".
+   // The first certificate starts at offset (SecDataDir->VirtualAddress) from the start of the file.
+   //
++  SecDataDirEnd = SecDataDir->VirtualAddress + SecDataDir->Size;
+   for (OffSet = SecDataDir->VirtualAddress;
+-       OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);
++       OffSet < SecDataDirEnd;
+        OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength))) {
+     WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
+-    if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <= sizeof (WIN_CERTIFICATE) ||
+-        (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) < WinCertificate->dwLength) {
++    SecDataDirLeft = SecDataDirEnd - OffSet;
++    if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) ||
++        SecDataDirLeft < WinCertificate->dwLength) {
+       break;
+     }
+ 
+@@ -1948,7 +1952,7 @@ DxeImageVerificationHandler (
+     }
+   }
+ 
+-  if (OffSet != (SecDataDir->VirtualAddress + SecDataDir->Size)) {
++  if (OffSet != SecDataDirEnd) {
+     //
+     // The Size in Certificate Table or the attribute certificate table is corrupted.
+     //
+-- 
+2.27.0
+

0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch

@@ -0,0 +1,59 @@
+From a7632e913c1c106f436aefd5e76c394249c383a8 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 1 Sep 2020 11:12:20 +0200
+Subject: [PATCH 3/4] SecurityPkg/DxeImageVerificationLib: assign
+ WinCertificate after size check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently the (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) check only
+guards the de-referencing of the "WinCertificate" pointer. It does not
+guard the calculation of the pointer itself:
+
+  WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
+
+This is wrong; if we don't know for sure that we have enough room for a
+WIN_CERTIFICATE, then even creating such a pointer, not just
+de-referencing it, may invoke undefined behavior.
+
+Move the pointer calculation after the size check.
+
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Min Xu <min.m.xu@intel.com>
+Cc: Wenyi Xie <xiewenyi2@huawei.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Message-Id: <20200901091221.20948-3-lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Wenyi Xie <xiewenyi2@huawei.com>
+Reviewed-by: Min M Xu <min.m.xu@intel.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+---
+ .../DxeImageVerificationLib/DxeImageVerificationLib.c     | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index 377feebb20..100739eb3e 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1855,10 +1855,12 @@ DxeImageVerificationHandler (
+   for (OffSet = SecDataDir->VirtualAddress;
+        OffSet < SecDataDirEnd;
+        OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength))) {
+-    WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
+     SecDataDirLeft = SecDataDirEnd - OffSet;
+-    if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) ||
+-        SecDataDirLeft < WinCertificate->dwLength) {
++    if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) {
++      break;
++    }
++    WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
++    if (SecDataDirLeft < WinCertificate->dwLength) {
+       break;
+     }
+ 
+-- 
+2.27.0
+

0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch

@@ -0,0 +1,51 @@
+From 0b143fa43e92be15d11e22f80773bcb1b2b0608f Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 1 Sep 2020 11:12:21 +0200
+Subject: [PATCH 4/4] SecurityPkg/DxeImageVerificationLib: catch alignment
+ overflow (CVE-2019-14562)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The DxeImageVerificationHandler() function currently checks whether
+"SecDataDir" has enough room for "WinCertificate->dwLength". However, for
+advancing "OffSet", "WinCertificate->dwLength" is aligned to the next
+multiple of 8. If "WinCertificate->dwLength" is large enough, the
+alignment will return 0, and "OffSet" will be stuck at the same value.
+
+Check whether "SecDataDir" has room left for both
+"WinCertificate->dwLength" and the alignment.
+
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Min Xu <min.m.xu@intel.com>
+Cc: Wenyi Xie <xiewenyi2@huawei.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Message-Id: <20200901091221.20948-4-lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Wenyi Xie <xiewenyi2@huawei.com>
+Reviewed-by: Min M Xu <min.m.xu@intel.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+---
+ .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index 100739eb3e..11154b6cc5 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1860,7 +1860,9 @@ DxeImageVerificationHandler (
+       break;
+     }
+     WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
+-    if (SecDataDirLeft < WinCertificate->dwLength) {
++    if (SecDataDirLeft < WinCertificate->dwLength ||
++        (SecDataDirLeft - WinCertificate->dwLength <
++         ALIGN_SIZE (WinCertificate->dwLength))) {
+       break;
+     }
+ 
+-- 
+2.27.0
+

edk2.spec

@@ -5,7 +5,7 @@
 
 Name: edk2
 Version: %{stable_date}
-Release: 2
+Release: 3
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent
 URL: https://github.com/tianocore/edk2
@@ -14,6 +14,9 @@ Source1: openssl-%{openssl_version}.tar.gz
 
 Patch0001: 0001-CryptoPkg-OpensslLib-Modify-process_files.pl-for-Ope.patch
 Patch0002: 0002-CryptoPkg-Upgrade-OpenSSL-to-1.1.1f.patch
+Patch0003: 0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch
+Patch0004: 0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch
+Patch0005: 0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch
 
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python2
 
@@ -209,6 +212,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 
 %changelog
+* Wed 19 May 2021 openEuler Buildteam <buildteam@openeuler.org> - 202002-3
+  Fix CVE-2019-14562
+
 * Wed Oct 14 2020 zhangxinhao <zhangxinhao1@huawei.com> - 202002-2
 - add build option "-D SECURE_BOOT_ENABLE=TRUE" to enable secure boot