|
 |
9de34f |
From 53509eaf2253e23bfb552e9386fd0877abe592b4 Mon Sep 17 00:00:00 2001
|
|
|
9de34f |
From: Jian J Wang <jian.j.wang@intel.com>
|
|
|
9de34f |
Date: Thu, 25 Apr 2019 23:42:16 +0800
|
|
|
9de34f |
Subject: [PATCH 13/13] CryptoPkg/BaseCryptLib: fix NULL dereference
|
|
|
9de34f |
|
|
|
9de34f |
AuthenticodeVerify() calls OpenSSLs d2i_PKCS7() API to parse asn encoded
|
|
|
9de34f |
signed authenticode pkcs#7 data. when this successfully returns, a type
|
|
|
9de34f |
check is done by calling PKCS7_type_is_signed() and then
|
|
|
9de34f |
Pkcs7->d.sign->contents->type is used. It is possible to construct an asn1
|
|
|
9de34f |
blob that successfully decodes and have d2i_PKCS7() return a valid pointer
|
|
|
9de34f |
and have PKCS7_type_is_signed() also return success but have Pkcs7->d.sign
|
|
|
9de34f |
be a NULL pointer.
|
|
|
9de34f |
|
|
|
9de34f |
Looking at how PKCS7_verify() [inside of OpenSSL] implements checking for
|
|
|
9de34f |
pkcs7 structs it does the following:
|
|
|
9de34f |
- call PKCS7_type_is_signed()
|
|
|
9de34f |
- call PKCS7_get_detached()
|
|
|
9de34f |
Looking into how PKCS7_get_detatched() is implemented, it checks to see if
|
|
|
9de34f |
p7->d.sign is NULL or if p7->d.sign->contents->d.ptr is NULL.
|
|
|
9de34f |
|
|
|
9de34f |
As such, the fix is to do the same as OpenSSL after calling d2i_PKCS7().
|
|
|
9de34f |
- Add call to PKS7_get_detached() to existing error handling
|
|
|
9de34f |
|
|
|
9de34f |
Cc: Chao Zhang <chao.b.zhang@intel.com>
|
|
|
9de34f |
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
|
|
9de34f |
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
|
|
|
9de34f |
Cherry-picked-from: https://github.com/tianocore/edk2/commit/26442d11e620a9e81c019a24a4ff38441c64ba10
|
|
|
9de34f |
---
|
|
|
9de34f |
Cryptlib/Pk/CryptAuthenticode.c | 4 ++--
|
|
|
9de34f |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
9de34f |
|
|
|
9de34f |
diff --git a/Cryptlib/Pk/CryptAuthenticode.c b/Cryptlib/Pk/CryptAuthenticode.c
|
|
|
9de34f |
index 74e50a2e862..f6f988b8480 100644
|
|
|
9de34f |
--- a/Cryptlib/Pk/CryptAuthenticode.c
|
|
|
9de34f |
+++ b/Cryptlib/Pk/CryptAuthenticode.c
|
|
|
9de34f |
@@ -9,7 +9,7 @@
|
|
|
9de34f |
AuthenticodeVerify() will get PE/COFF Authenticode and will do basic check for
|
|
|
9de34f |
data structure.
|
|
|
9de34f |
|
|
|
9de34f |
-Copyright (c) 2011 - 2015, Intel Corporation. All rights reserved.
|
|
|
9de34f |
+Copyright (c) 2011 - 2019, Intel Corporation. All rights reserved.
|
|
|
9de34f |
This program and the accompanying materials
|
|
|
9de34f |
are licensed and made available under the terms and conditions of the BSD License
|
|
|
9de34f |
which accompanies this distribution. The full text of the license may be found at
|
|
|
9de34f |
@@ -106,7 +106,7 @@ AuthenticodeVerify (
|
|
|
9de34f |
//
|
|
|
9de34f |
// Check if it's PKCS#7 Signed Data (for Authenticode Scenario)
|
|
|
9de34f |
//
|
|
|
9de34f |
- if (!PKCS7_type_is_signed (Pkcs7)) {
|
|
|
9de34f |
+ if (!PKCS7_type_is_signed (Pkcs7) || PKCS7_get_detached (Pkcs7)) {
|
|
|
9de34f |
goto _Exit;
|
|
|
9de34f |
}
|
|
|
9de34f |
|
|
|
9de34f |
--
|
|
|
9de34f |
2.37.1
|
|
|
9de34f |
|