arrfab / rpms / shim

Forked from rpms/shim 4 years ago
Clone
Source Code
GIT

Blame SOURCES/0071-OOB-access-when-parsing-MOK-List-Certificates-on-MOK.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c8 c8-beta
  1.   c7-aarch64
  2.   SOURCES
  3.   0071-OOB-access-when-parsing-MOK-List-Certificates-on-MOK.patch
Blob History Raw
4210fa 
From 034466b7734a2749346151d903bbd7c8a1288db1 Mon Sep 17 00:00:00 2001
4210fa 
From: Sebastian Krahmer <krahmer@suse.com>
4210fa 
Date: Tue, 12 Aug 2014 09:23:28 +0000
4210fa 
Subject: [PATCH 71/74] OOB access when parsing MOK List/Certificates on MOK
4210fa 
 enrollment
4210fa
4210fa 
---
4210fa 
 MokManager.c | 30 ++++++++++++++++++++++++++++++
4210fa 
 1 file changed, 30 insertions(+)
4210fa
4210fa 
diff --git a/MokManager.c b/MokManager.c
4210fa 
index ecbcdd3..4a9b102 100644
4210fa 
--- a/MokManager.c
4210fa 
+++ b/MokManager.c
4210fa 
@@ -100,8 +100,18 @@ static UINT32 count_keys(void *Data, UINTN DataSize)
4210fa 
 	EFI_GUID HashType = EFI_CERT_SHA256_GUID;
4210fa 
 	UINTN dbsize = DataSize;
4210fa 
 	UINT32 MokNum = 0;
4210fa 
+	void *end = Data + DataSize;
4210fa
4210fa 
 	while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
4210fa 
+
4210fa 
+		/* Use ptr arithmetics to ensure bounded access. Do not allow 0
4210fa 
+		 * SignatureListSize that will cause endless loop.
4210fa 
+		 */
4210fa 
+		if ((void *)(CertList + 1) > end || CertList->SignatureListSize == 0) {
4210fa 
+			console_notify(L"Invalid MOK detected! Ignoring MOK List.");
4210fa 
+			return 0;
4210fa 
+		}
4210fa 
+
4210fa 
 		if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
4210fa 
 		    (CompareGuid (&CertList->SignatureType, &HashType) != 0)) {
4210fa 
 			console_notify(L"Doesn't look like a key or hash");
4210fa 
@@ -137,6 +147,7 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) {
4210fa 
 	EFI_GUID HashType = EFI_CERT_SHA256_GUID;
4210fa 
 	UINTN dbsize = DataSize;
4210fa 
 	UINTN count = 0;
4210fa 
+	void *end = Data + DataSize;
4210fa
4210fa 
 	list = AllocatePool(sizeof(MokListNode) * num);
4210fa
4210fa 
@@ -146,6 +157,11 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) {
4210fa 
 	}
4210fa
4210fa 
 	while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
4210fa 
+		/* CertList out of bounds? */
4210fa 
+		if ((void *)(CertList + 1) > end || CertList->SignatureListSize == 0) {
4210fa 
+			FreePool(list);
4210fa 
+			return NULL;
4210fa 
+		}
4210fa 
 		if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
4210fa 
 		    (CompareGuid (&CertList->SignatureType, &HashType) != 0)) {
4210fa 
 			dbsize -= CertList->SignatureListSize;
4210fa 
@@ -165,10 +181,22 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) {
4210fa 
 		Cert = (EFI_SIGNATURE_DATA *) (((UINT8 *) CertList) +
4210fa 
 		  sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
4210fa
4210fa 
+		/* Cert out of bounds? */
4210fa 
+		if ((void *)(Cert + 1) > end || CertList->SignatureSize <= sizeof(EFI_GUID)) {
4210fa 
+			FreePool(list);
4210fa 
+			return NULL;
4210fa 
+		}
4210fa 
+
4210fa 
 		list[count].MokSize = CertList->SignatureSize - sizeof(EFI_GUID);
4210fa 
 		list[count].Mok = (void *)Cert->SignatureData;
4210fa 
 		list[count].Type = CertList->SignatureType;
4210fa
4210fa 
+		/* MOK out of bounds? */
4210fa 
+		if (list[count].MokSize > end - (void *)list[count].Mok) {
4210fa 
+			FreePool(list);
4210fa 
+			return NULL;
4210fa 
+		}
4210fa 
+
4210fa 
 		count++;
4210fa 
 		dbsize -= CertList->SignatureListSize;
4210fa 
 		CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
4210fa 
@@ -449,6 +477,8 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title)
4210fa 
 	}
4210fa
4210fa 
 	MokNum = count_keys(KeyList, KeyListSize);
4210fa 
+	if (MokNum == 0)
4210fa 
+		return 0;
4210fa 
 	keys = build_mok_list(MokNum, KeyList, KeyListSize);
4210fa
4210fa 
 	if (!keys) {
4210fa 
--
4210fa 
1.9.3
4210fa

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation