Branch: refs/heads/master
  Home:   https://github.com/tianocore/edk2
  Commit: 5f08635ee7c176f78f788aa6528b43f18536a80b
https://github.com/tianocore/edk2/commit/5f08635ee7c176f78f788aa6528b43f18536a80b
  Author: Doug Flick <dougfl...@microsoft.com>
  Date:   2025-04-09 (Wed, 09 Apr 2025)

  Changed paths:
    M SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c

  Log Message:
  -----------
  SecurityPkg: Out of bound read in HashPeImageByType()

In HashPeImageByType(), the hash of PE/COFF image is calculated.
This function may get untrusted input.

Inside this function, the following code verifies the loaded image has
the correct format, by reading the second byte of the buffer.

```c
  if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
        ...
  }
```

The input image is not trusted and may not have a second byte to read,
so this poses an out-of-bounds read.

With the fix below we ensure that we don't do an out-of-bounds read, i.e.,
we make sure that AuthDataSize is greater than 1.

```c
  if (AuthDataSize > 1
      && (*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
    ...
  }
```

AuthDataSize is verified before reading the second byte.
So if AuthDataSize is less than 2, the second byte will not be read, and
the out-of-bounds read situation won't occur.

Tested the patch on a real platform with and without a TPM connected and
verified the image boots fine.

Authored-by: Raj AlwinX Selvaraj <alw...@intel.com>
Signed-off-by: Doug Flick <dougfl...@microsoft.com>


  Commit: b90693965b6b1566bcac4652ad1bb436e1bb461f
https://github.com/tianocore/edk2/commit/b90693965b6b1566bcac4652ad1bb436e1bb461f
  Author: Doug Flick <dougfl...@microsoft.com>
  Date:   2025-04-09 (Wed, 09 Apr 2025)

  Changed paths:
    M SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c

  Log Message:
  -----------
  SecurityPkg: Improving HashPeImageByType () logic

Namely:

(1) The TWO_BYTE_ENCODE check is independent of Index. If it evaluates
    to TRUE for Index==0, then it will evaluate to TRUE for all other
    Index values as well. As a result, the (Index == HASHALG_MAX)
    condition will fire after the loop, and we'll return
    EFI_UNSUPPORTED.

    While this is correct, functionally speaking, it is wasteful to
    keep re-checking TWO_BYTE_ENCODE in the loop body. The check
    should be made at the top of the function, and EFI_UNSUPPORTED
    should be returned at once, if appropriate.

(2) If the hash algorithm selected by Index has such a large OID that
    the OID comparison cannot even be performed (because AuthDataSize
    is not large enough for containing the OID in question, starting
    at offset 32), then the function returns EFI_UNSUPPORTED at once.

    This is bogus; this case should simply be treated as an OID
    mismatch, and the loop should advance to the next Index value /
    hash algorithm candidate. A remaining hash algo may have a shorter
    OID and yield an OID match.

Signed-off-by: Doug Flick <dougfl...@microsoft.com>


  Commit: 025ab811fb2afac6b4036b0fc2fa46d0b04d1c80
https://github.com/tianocore/edk2/commit/025ab811fb2afac6b4036b0fc2fa46d0b04d1c80
  Author: Doug Flick <dougfl...@microsoft.com>
  Date:   2025-04-09 (Wed, 09 Apr 2025)

  Changed paths:
    M SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c

  Log Message:
  -----------
  SecurityPkg: Improving SecureBootConfigImpl:HashPeImageByType () logic

Namely:

(1) The TWO_BYTE_ENCODE check is independent of Index. If it evaluates
    to TRUE for Index==0, then it will evaluate to TRUE for all other
    Index values as well. As a result, the (Index == HASHALG_MAX)
    condition will fire after the loop, and we'll return
    EFI_UNSUPPORTED.

    While this is correct, functionally speaking, it is wasteful to
    keep re-checking TWO_BYTE_ENCODE in the loop body. The check
    should be made at the top of the function, and EFI_UNSUPPORTED
    should be returned at once, if appropriate.

(2) If the hash algorithm selected by Index has such a large OID that
    the OID comparison cannot even be performed (because AuthDataSize
    is not large enough for containing the OID in question, starting
    at offset 32), then the function returns EFI_UNSUPPORTED at once.

    This is bogus; this case should simply be treated as an OID
    mismatch, and the loop should advance to the next Index value /
    hash algorithm candidate. A remaining hash algo may have a shorter
    OID and yield an OID match.

Signed-off-by: Doug Flick <dougfl...@microsoft.com>
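As an added example, not code from edk2 or from these commits, the following stand-alone C model shows the corrected HashPeImageByType() algorithm-selection logic described in the first three commit messages: the second byte is only read once AuthDataSize allows it, the TWO_BYTE_ENCODE test is hoisted out of the loop, and a buffer too short for one candidate's OID is treated as a mismatch for that candidate only. The TWO_BYTE_ENCODE value, the two-entry OID table standing in for edk2's mHash[], and the blob builder are assumptions constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed to match edk2's TWO_BYTE_ENCODE: DER long-form length, two bytes. */
#define TWO_BYTE_ENCODE  0x82
/* Fixed offset of the digestAlgorithms OID in the Authenticode blob (per the commit). */
#define OID_OFFSET       32

/* Constructed, simplified stand-in for mHash[]: DER-encoded hash OIDs.
   The longer SHA-256 OID is listed before SHA-1 on purpose (see fix 2). */
static const uint8_t Sha256Oid[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
static const uint8_t Sha1Oid[]   = { 0x2B, 0x0E, 0x03, 0x02, 0x1A };

typedef struct { const uint8_t *OidValue; size_t OidLength; } HashAlg;
static const HashAlg HashTable[] = {
  { Sha256Oid, sizeof Sha256Oid },
  { Sha1Oid,   sizeof Sha1Oid   },
};
#define HASHALG_MAX (sizeof HashTable / sizeof HashTable[0])

/* Returns the index of the matching hash algorithm, or -1 for "unsupported".
   Every read of AuthData is bounded by AuthDataSize. */
int SelectHashAlg(const uint8_t *AuthData, size_t AuthDataSize)
{
  /* Fix 1: the length-encoding check does not depend on Index, so do it once,
     and only after confirming that a second byte exists (CVE-2024-38797). */
  if (AuthDataSize < 2 || (AuthData[1] & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
    return -1;
  }
  for (size_t Index = 0; Index < HASHALG_MAX; Index++) {
    /* Fix 2: too little data to hold this candidate's OID is a mismatch for
       this candidate only; a later, shorter OID may still match. */
    if (AuthDataSize < OID_OFFSET + HashTable[Index].OidLength) {
      continue;
    }
    if (memcmp(AuthData + OID_OFFSET, HashTable[Index].OidValue,
               HashTable[Index].OidLength) == 0) {
      return (int)Index;
    }
  }
  return -1;
}

/* Builds a constructed blob of Size bytes (two-byte length marker at [1],
   Oid at OID_OFFSET when it fits) and classifies it. Returns -2 if Size > 64. */
int ClassifyConstructedBlob(size_t Size, const uint8_t *Oid, size_t OidLength)
{
  uint8_t Blob[64] = { 0 };
  if (Size > sizeof Blob) return -2;
  if (Size > 1) Blob[1] = TWO_BYTE_ENCODE;
  if (Oid && Size >= OID_OFFSET + OidLength) memcpy(Blob + OID_OFFSET, Oid, OidLength);
  return SelectHashAlg(Blob, Size);
}
```

A 37-byte blob carrying the SHA-1 OID is the case the second commit describes: the pre-fix loop would have given up on the 9-byte SHA-256 candidate and returned EFI_UNSUPPORTED, whereas here it falls through and matches SHA-1.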


  Commit: d79d8d6a8dc3b7324b167031c89400390261acf3
https://github.com/tianocore/edk2/commit/d79d8d6a8dc3b7324b167031c89400390261acf3
  Author: Doug Flick <dougfl...@microsoft.com>
  Date:   2025-04-09 (Wed, 09 Apr 2025)

  Changed paths:
    M SecurityPkg/SecurityFixes.yaml

  Log Message:
  -----------
  SecurityPkg: Update SecurityFixes.yaml for CVE-2024-38797

This commit updates the SecurityFixes.yaml file to include
information about the CVE-2024-38797 vulnerability.

Signed-off-by: Doug Flick <dougfl...@microsoft.com>


Compare: https://github.com/tianocore/edk2/compare/e4140a57015b...d79d8d6a8dc3


_______________________________________________
edk2-commits mailing list
edk2-commits@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-commits