Re: [edk2-devel] [PATCH 2/9] SecurityPkg/DxeImageVerificationLib: reject CertStack.CertNumber==0 per DBX(CVE-2019-14575)

Thu, 13 Feb 2020 01:37:11 -0800 

Reviewed-by: Jiewen Yao <jiewen....@intel.com>

> -----Original Message-----
> From: Wang, Jian J <jian.j.w...@intel.com>
> Sent: Thursday, February 6, 2020 10:19 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen....@intel.com>; Zhang, Chao B
> <chao.b.zh...@intel.com>; Laszlo Ersek <ler...@redhat.com>
> Subject: [PATCH 2/9] SecurityPkg/DxeImageVerificationLib: reject
> CertStack.CertNumber==0 per DBX(CVE-2019-14575)
> 
> In case the signers' certificate stack, retrieved from the PE/COFF image's
> Authenticode blob, has zero elements (= there are zero signer certificates),
> then we should consider the image forbidden by DBX, not accepted by DBX.
> 
> Cc: Jiewen Yao <jiewen....@intel.com>
> Cc: Chao Zhang <chao.b.zh...@intel.com>
> Signed-off-by: Jian J Wang <jian.j.w...@intel.com>
> Reviewed-by: Laszlo Ersek <ler...@redhat.com>
> ---
>  .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c   | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 74dbffa122..5dcd6efed5 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1326,7 +1326,7 @@ IsForbiddenByDbx (
>    //       UINT8  Certn[];
> 
>    //
> 
>    Pkcs7GetSigners (AuthData, AuthDataSize, &CertBuffer, &BufferLength,
> &TrustedCert, &TrustedCertLength);
> 
> -  if ((BufferLength == 0) || (CertBuffer == NULL)) {
> 
> +  if ((BufferLength == 0) || (CertBuffer == NULL) || (*CertBuffer) == 0) {
> 
>      IsForbidden = TRUE;
> 
>      goto Done;
> 
>    }
> 
> --
> 2.24.0.windows.2


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#54346): https://edk2.groups.io/g/devel/message/54346
Mute This Topic: https://groups.io/mt/71023418/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to