lersek / edk2

Clone
Source Code
GIT

9e56970 SecurityPkg/DxeImageVerificationLib: fix wrong fetch dbx in IsAllowedByDb (CVE-2019-14575)

1 file Authored by Jian J Wang 4 years ago, Committed by mergify[bot] 4 years ago,
raw patch tree parent
1 file changed. 2 lines added. 1 lines removed.
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
file modified
+2 -1 
    SecurityPkg/DxeImageVerificationLib: fix wrong fetch dbx in IsAllowedByDb (CVE-2019-14575)
    
    REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
    
    Normally two times of calling gRT->GetVariable() are needed to get
    the data of a variable: get the variable size by passing zero variable
    size, and then allocate enough memory and pass the correct variable size
    and buffer.
    
    But in the inner loop in IsAllowedByDb(), the DbxDataSize was not
    initialized to zero before calling gRT->GetVariable(). It won't cause
    problem if dbx does not exist. But it will give wrong result if dbx
    exists and the DbxDataSize happens to be a small enough value. In this
    situation, EFI_BUFFER_TOO_SMALL will be returned. Then the result check
    code followed will jump to 'Done', which is not correct because it's
    actually the value expected.
    
                if (Status == EFI_BUFFER_TOO_SMALL) {
                  goto Done;
                }
    
    Cc: Jiewen Yao <jiewen.yao@intel.com>
    Cc: Chao Zhang <chao.b.zhang@intel.com>
    Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
    Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
file modified
+2 -1
Powered by Pagure 5.14.1
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.