Reviewed-by: Jiewen Yao <jiewen....@intel.com> > -----Original Message----- > From: Wang, Jian J <jian.j.w...@intel.com> > Sent: Thursday, February 6, 2020 10:20 PM > To: devel@edk2.groups.io > Cc: Yao, Jiewen <jiewen....@intel.com>; Zhang, Chao B > <chao.b.zh...@intel.com>; Laszlo Ersek <ler...@redhat.com> > Subject: [PATCH 7/9] SecurityPkg/DxeImageVerificationLib: tighten default > result of IsForbiddenByDbx()(CVE-2019-14575) > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 > > All intermediate results inside this function will be checked and > returned immediately upon any failure or error, like out-of-resource, > hash calculation error or certificate retrieval failure. > > Cc: Jiewen Yao <jiewen....@intel.com> > Cc: Chao Zhang <chao.b.zh...@intel.com> > Signed-off-by: Jian J Wang <jian.j.w...@intel.com> > Signed-off-by: Laszlo Ersek <ler...@redhat.com> > --- > .../DxeImageVerificationLib/DxeImageVerificationLib.c | 11 ++++++++++- > 1 file changed, 10 insertions(+), 1 deletion(-) > > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index a5dfee0f8e..2236ce98ce 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > @@ -1240,7 +1240,7 @@ IsForbiddenByDbx ( > // > > // Variable Initialization > > // > > - IsForbidden = FALSE; > > + IsForbidden = TRUE; > > Data = NULL; > > CertList = NULL; > > CertData = NULL; > > @@ -1257,7 +1257,14 @@ IsForbiddenByDbx ( > // > > DataSize = 0; > > Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, > &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL); > > + ASSERT (EFI_ERROR (Status)); > > if (Status != EFI_BUFFER_TOO_SMALL) { > > + if (Status == EFI_NOT_FOUND) { > > + // > > + // Evidently not in dbx if the database doesn't exist. > > + // > > + IsForbidden = FALSE; > > + } > > return IsForbidden; > > } > > Data = (UINT8 *) AllocateZeroPool (DataSize); > > @@ -1366,6 +1373,8 @@ IsForbiddenByDbx ( > > > } > > > > + IsForbidden = FALSE; > > + > > Done: > > if (Data != NULL) { > > FreePool (Data); > > -- > 2.24.0.windows.2
-=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#54352): https://edk2.groups.io/g/devel/message/54352 Mute This Topic: https://groups.io/mt/71023425/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-