* [PATCH] SecurityPkg: check return value of GetEfiGlobalVariable2() in DxeImageVerificationHandler()
@ 2022-11-25 2:32 Jon Maloy
2022-11-25 2:51 ` Jon Maloy
0 siblings, 1 reply; 2+ messages in thread
From: Jon Maloy @ 2022-11-25 2:32 UTC (permalink / raw)
To: qemu-devel; +Cc: jmaloy, jasowang, philmd, stefanha
Fixes: CVE-2019-14560
GetEfiGlobalVariable2() is used in some instances when looking up the
SecureBoot UEFI variable. The API can fail in certain circumstances,
for example, if AllocatePool() fails or if gRT->GetVariable() fails.
In the case of secure boot checks, it is critical that this return value
is checked. if an attacker can cause the API to fail, it would currently
constitute a secure boot bypass.
This return value check is missing in the function DxeImageVerificationHandler(),
so we add it here.
This commit is almost identical to one suggested by Jian J Wang <jian.j.wang@intel.com>
on 2019-09-09, but that one was for some reason never posted to the edk2-devel
list. We now make a new attempt to get it reviewed and applied.
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../DxeImageVerificationLib.c | 39 +++++++++++--------
1 file changed, 23 insertions(+), 16 deletions(-)
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 66e2f5eaa3..6c58b71d37 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1686,6 +1686,7 @@ DxeImageVerificationHandler (
RETURN_STATUS PeCoffStatus;
EFI_STATUS HashStatus;
EFI_STATUS DbStatus;
+ EFI_STATUS SecBootStatus;
BOOLEAN IsFound;
SignatureList = NULL;
@@ -1742,23 +1743,29 @@ DxeImageVerificationHandler (
CpuDeadLoop ();
}
- GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID **)&SecureBoot, NULL);
- //
- // Skip verification if SecureBoot variable doesn't exist.
- //
- if (SecureBoot == NULL) {
- return EFI_SUCCESS;
- }
-
- //
- // Skip verification if SecureBoot is disabled but not AuditMode
- //
- if (*SecureBoot == SECURE_BOOT_MODE_DISABLE) {
- FreePool (SecureBoot);
- return EFI_SUCCESS;
- }
+ SecBootStatus = GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID **)&SecureBoot, NULL);
+ if (!EFI_ERROR (SecBootStatus)) {
+ if (SecureBoot == NULL) {
+ //
+ // Skip verification if SecureBoot variable doesn't exist.
+ //
+ return EFI_SUCCESS;
+ } else {
+ //
+ // Skip verification if SecureBoot is disabled but not AuditMode
+ //
+ if (*SecureBoot == SECURE_BOOT_MODE_DISABLE) {
+ FreePool (SecureBoot);
+ return EFI_SUCCESS;
+ }
+ FreePool (SecureBoot);
+ }
+ } else {
+ //
+ // Assume SecureBoot enabled in the case of error.
+ //
+ }
- FreePool (SecureBoot);
//
// Read the Dos header.
--
2.35.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] SecurityPkg: check return value of GetEfiGlobalVariable2() in DxeImageVerificationHandler()
2022-11-25 2:32 [PATCH] SecurityPkg: check return value of GetEfiGlobalVariable2() in DxeImageVerificationHandler() Jon Maloy
@ 2022-11-25 2:51 ` Jon Maloy
0 siblings, 0 replies; 2+ messages in thread
From: Jon Maloy @ 2022-11-25 2:51 UTC (permalink / raw)
To: qemu-devel; +Cc: jasowang, philmd, stefanha
Please ignore this one. Sent to the wrong list.
///jon
On 11/24/22 21:32, Jon Maloy wrote:
> Fixes: CVE-2019-14560
>
> GetEfiGlobalVariable2() is used in some instances when looking up the
> SecureBoot UEFI variable. The API can fail in certain circumstances,
> for example, if AllocatePool() fails or if gRT->GetVariable() fails.
> In the case of secure boot checks, it is critical that this return value
> is checked. if an attacker can cause the API to fail, it would currently
> constitute a secure boot bypass.
>
> This return value check is missing in the function DxeImageVerificationHandler(),
> so we add it here.
>
> This commit is almost identical to one suggested by Jian J Wang <jian.j.wang@intel.com>
> on 2019-09-09, but that one was for some reason never posted to the edk2-devel
> list. We now make a new attempt to get it reviewed and applied.
>
> Signed-off-by: Jon Maloy <jmaloy@redhat.com>
> ---
> .../DxeImageVerificationLib.c | 39 +++++++++++--------
> 1 file changed, 23 insertions(+), 16 deletions(-)
>
> diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 66e2f5eaa3..6c58b71d37 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1686,6 +1686,7 @@ DxeImageVerificationHandler (
> RETURN_STATUS PeCoffStatus;
> EFI_STATUS HashStatus;
> EFI_STATUS DbStatus;
> + EFI_STATUS SecBootStatus;
> BOOLEAN IsFound;
>
> SignatureList = NULL;
> @@ -1742,23 +1743,29 @@ DxeImageVerificationHandler (
> CpuDeadLoop ();
> }
>
> - GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID **)&SecureBoot, NULL);
> - //
> - // Skip verification if SecureBoot variable doesn't exist.
> - //
> - if (SecureBoot == NULL) {
> - return EFI_SUCCESS;
> - }
> -
> - //
> - // Skip verification if SecureBoot is disabled but not AuditMode
> - //
> - if (*SecureBoot == SECURE_BOOT_MODE_DISABLE) {
> - FreePool (SecureBoot);
> - return EFI_SUCCESS;
> - }
> + SecBootStatus = GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID **)&SecureBoot, NULL);
> + if (!EFI_ERROR (SecBootStatus)) {
> + if (SecureBoot == NULL) {
> + //
> + // Skip verification if SecureBoot variable doesn't exist.
> + //
> + return EFI_SUCCESS;
> + } else {
> + //
> + // Skip verification if SecureBoot is disabled but not AuditMode
> + //
> + if (*SecureBoot == SECURE_BOOT_MODE_DISABLE) {
> + FreePool (SecureBoot);
> + return EFI_SUCCESS;
> + }
> + FreePool (SecureBoot);
> + }
> + } else {
> + //
> + // Assume SecureBoot enabled in the case of error.
> + //
> + }
>
> - FreePool (SecureBoot);
>
> //
> // Read the Dos header.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-11-25 2:52 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-11-25 2:32 [PATCH] SecurityPkg: check return value of GetEfiGlobalVariable2() in DxeImageVerificationHandler() Jon Maloy
2022-11-25 2:51 ` Jon Maloy
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.