Bug#958568: buster-pu: package edk2/0~20181115.85588389-3



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

There are several security issues that have been marked nodsa but that I think
are worth fixing in a stable update. From the changelog:

   * Fix numeric truncation in S3BootScript[Save]*() API. (CVE-2019-14563)
   * Fix use-after-free in PcdHiiOsRuntimeSupport. (CVE-2019-14586)
   * Clear memory before free to avoid potential password leak.
     (CVE-2019-14558)
   * Fix double-unmap in SdMmcCreateTrb(). This did not impact any
     of the images built from this package. (CVE-2019-14587)
   * Fix memory leak in ArpOnFrameRcvdDpc(). (CVE-2019-14559)
   * Fix issue that could allow an efi image with a blacklisted hash in the
     dbx to be loaded. (CVE-2019-14575) (Closes: 952935)
   * Fix a memory leak in the ARP handler. (CVE-2019-14559) (Closes: #952926)

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru edk2-0~20181115.85588389/debian/changelog edk2-0~20181115.85588389/debian/changelog
--- edk2-0~20181115.85588389/debian/changelog	2019-03-15 18:37:44.000000000 -0600
+++ edk2-0~20181115.85588389/debian/changelog	2020-04-23 13:33:06.000000000 -0600
@@ -1,3 +1,18 @@
+edk2 (0~20181115.85588389-3+deb10u1) buster; urgency=medium
+
+  * Fix numeric truncation in S3BootScript[Save]*() API. (CVE-2019-14563)
+  * Fix use-after-free in PcdHiiOsRuntimeSupport. (CVE-2019-14586)
+  * Clear memory before free to avoid potential password leak.
+    (CVE-2019-14558)
+  * Fix double-unmap in SdMmcCreateTrb(). This did not impact any
+    of the images built from this package. (CVE-2019-14587)
+  * Fix memory leak in ArpOnFrameRcvdDpc(). (CVE-2019-14559)
+  * Fix issue that could allow an efi image with a blacklisted hash in the
+    dbx to be loaded. (CVE-2019-14575) (Closes: 952935)
+  * Fix a memory leak in the ARP handler. (CVE-2019-14559) (Closes: #952926)
+
+ -- dann frazier <dannf@debian.org>  Thu, 23 Apr 2020 13:33:06 -0600
+
 edk2 (0~20181115.85588389-3) unstable; urgency=medium
 
   * Security fixes (Closes: #924615):
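Review bot: the two CVE-2019-14559 entries (`Fix memory leak in ArpOnFrameRcvdDpc()` and `Fix a memory leak in the ARP handler`) appear to describe the same fix; fold them into one line that carries the `(Closes: #952926)`. The same CVE is also attached to patch 0006, the Ip4Dxe received-packet length check, which neither entry mentions, so the merged line should name both the ARP and the IPv4 input fix. Two smaller points: `(Closes: 952935)` lacks the `#` the other entry uses, and the CVE-2019-14563 entry should carry `(Closes: #952934)`, the bug that patch 0001's `Bug-Debian:` header names.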
diff -Nru edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch
--- edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch	2020-04-22 16:55:02.000000000 -0600
@@ -0,0 +1,156 @@
+From 322ac05f8bbc1bce066af1dabd1b70ccdbe28891 Mon Sep 17 00:00:00 2001
+From: Hao A Wu <hao.a.wu@intel.com>
+Date: Fri, 28 Jun 2019 14:15:55 +0800
+Subject: [PATCH 01/17] MdeModulePkg/PiDxeS3BootScriptLib: Fix potential
+ numeric truncation (CVE-2019-14563)
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2001
+
+For S3BootScriptLib APIs:
+
+S3BootScriptSaveIoWrite
+S3BootScriptSaveMemWrite
+S3BootScriptSavePciCfgWrite
+S3BootScriptSavePciCfg2Write
+S3BootScriptSaveSmbusExecute
+S3BootScriptSaveInformation
+S3BootScriptSaveInformationAsciiString
+S3BootScriptLabel (happen in S3BootScriptLabelInternal())
+
+possible numeric truncations will happen that may lead to S3 boot script
+entry with improper size being returned to store the boot script data.
+This commit will add checks to prevent this kind of issue.
+
+Please note that the remaining S3BootScriptLib APIs:
+
+S3BootScriptSaveIoReadWrite
+S3BootScriptSaveMemReadWrite
+S3BootScriptSavePciCfgReadWrite
+S3BootScriptSavePciCfg2ReadWrite
+S3BootScriptSaveStall
+S3BootScriptSaveDispatch2
+S3BootScriptSaveDispatch
+S3BootScriptSaveMemPoll
+S3BootScriptSaveIoPoll
+S3BootScriptSavePciPoll
+S3BootScriptSavePci2Poll
+S3BootScriptCloseTable
+S3BootScriptExecute
+S3BootScriptMoveLastOpcode
+S3BootScriptCompare
+
+are not affected by such numeric truncation.
+
+Signed-off-by: Hao A Wu <hao.a.wu@intel.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Eric Dong <eric.dong@intel.com>
+Acked-by: Jian J Wang <jian.j.wang@intel.com>
+
+Origin: https://github.com/tianocore/edk2/commit/322ac05f8bbc1bce066af1dabd1b70ccdbe28891
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=2001
+Bug-Debian: https://bugs.debian.org/952934
+Last-Update: 2020-03-16
+
+Index: edk2-0~20181115.85588389/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
+===================================================================
+--- edk2-0~20181115.85588389.orig/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
++++ edk2-0~20181115.85588389/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c
+@@ -998,6 +998,14 @@ S3BootScriptSaveIoWrite (
+   EFI_BOOT_SCRIPT_IO_WRITE  ScriptIoWrite;
+ 
+   WidthInByte = (UINT8) (0x01 << (Width & 0x03));
++
++  //
++  // Truncation check
++  //
++  if ((Count > MAX_UINT8) ||
++      (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_IO_WRITE))) {
++    return RETURN_OUT_OF_RESOURCES;
++  }
+   Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_IO_WRITE) + (WidthInByte * Count));
+ 
+   Script = S3BootScriptGetEntryAddAddress (Length);
+@@ -1094,6 +1102,14 @@ S3BootScriptSaveMemWrite (
+   EFI_BOOT_SCRIPT_MEM_WRITE  ScriptMemWrite;
+ 
+   WidthInByte = (UINT8) (0x01 << (Width & 0x03));
++
++  //
++  // Truncation check
++  //
++  if ((Count > MAX_UINT8) ||
++      (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_MEM_WRITE))) {
++    return RETURN_OUT_OF_RESOURCES;
++  }
+   Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_MEM_WRITE) + (WidthInByte * Count));
+ 
+   Script = S3BootScriptGetEntryAddAddress (Length);
+@@ -1198,6 +1214,14 @@ S3BootScriptSavePciCfgWrite (
+   }
+ 
+   WidthInByte = (UINT8) (0x01 << (Width & 0x03));
++
++  //
++  // Truncation check
++  //
++  if ((Count > MAX_UINT8) ||
++      (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE))) {
++    return RETURN_OUT_OF_RESOURCES;
++  }
+   Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE) + (WidthInByte * Count));
+ 
+   Script = S3BootScriptGetEntryAddAddress (Length);
+@@ -1316,6 +1340,14 @@ S3BootScriptSavePciCfg2Write (
+   }
+ 
+   WidthInByte = (UINT8) (0x01 << (Width & 0x03));
++
++  //
++  // Truncation check
++  //
++  if ((Count > MAX_UINT8) ||
++      (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE))) {
++    return RETURN_OUT_OF_RESOURCES;
++  }
+   Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE) + (WidthInByte * Count));
+ 
+   Script = S3BootScriptGetEntryAddAddress (Length);
+@@ -1541,6 +1573,12 @@ S3BootScriptSaveSmbusExecute (
+     return Status;
+   }
+ 
++  //
++  // Truncation check
++  //
++  if (BufferLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE)) {
++    return RETURN_OUT_OF_RESOURCES;
++  }
+   DataSize = (UINT8)(sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE) + BufferLength);
+ 
+   Script = S3BootScriptGetEntryAddAddress (DataSize);
+@@ -1728,6 +1766,12 @@ S3BootScriptSaveInformation (
+   UINT8                 *Script;
+   EFI_BOOT_SCRIPT_INFORMATION  ScriptInformation;
+ 
++  //
++  // Truncation check
++  //
++  if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)) {
++    return RETURN_OUT_OF_RESOURCES;
++  }
+   Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLength);
+ 
+   Script = S3BootScriptGetEntryAddAddress (Length);
+@@ -2187,6 +2231,12 @@ S3BootScriptLabelInternal (
+   UINT8                 *Script;
+   EFI_BOOT_SCRIPT_INFORMATION  ScriptInformation;
+ 
++  //
++  // Truncation check
++  //
++  if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)) {
++    return RETURN_OUT_OF_RESOURCES;
++  }
+   Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLength);
+ 
+   Script = S3BootScriptGetEntryAddAddress (Length);
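Review bot: the order of the two conditions in each new check matters and is right: `Count > MAX_UINT8` is tested first, so when `WidthInByte * Count` is evaluated Count is at most 255 and WidthInByte at most 8 (`1 << (Width & 0x03)`), and the product cannot wrap before it is compared against `MAX_UINT8 - sizeof (...)`; the subsequent `(UINT8)` cast of Length is then lossless. The two single-operand checks (`BufferLength`, `InformationLength`) bound the length the same way. One packaging point: this patch and 0006 carry `Index:` paths under `edk2-0~20181115.85588389` while 0002 to 0005 still reference `edk2-0~20180205.c0d9813c`; refreshing those against the current tree would make the series consistent.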
diff -Nru edk2-0~20181115.85588389/debian/patches/0002-MdeModulePkg-HiiDB-Remove-configuration-table-when-i.patch edk2-0~20181115.85588389/debian/patches/0002-MdeModulePkg-HiiDB-Remove-configuration-table-when-i.patch
--- edk2-0~20181115.85588389/debian/patches/0002-MdeModulePkg-HiiDB-Remove-configuration-table-when-i.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0002-MdeModulePkg-HiiDB-Remove-configuration-table-when-i.patch	2020-04-22 16:55:52.000000000 -0600
@@ -0,0 +1,51 @@
+From c32be82e99ef272e7fa742c2f06ff9a4c3756613 Mon Sep 17 00:00:00 2001
+From: Dandan Bi <dandan.bi@intel.com>
+Date: Tue, 24 Sep 2019 11:17:52 +0800
+Subject: [PATCH 02/17] MdeModulePkg/HiiDB: Remove configuration table when
+ it's freed (CVE-2019-14586)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1995
+
+Fix the corner case issue that the original configuration runtime
+memory is freed, but it is still exposed to the OS runtime.
+So this patch is to remove the configuration table to avoid being
+used in OS runtime when the configuration runtime memory is freed.
+
+Cc: Liming Gao <liming.gao@intel.com>
+Cc: Eric Dong <eric.dong@intel.com>
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Signed-off-by: Dandan Bi <dandan.bi@intel.com>
+Reviewed-by: Eric Dong <eric.dong@intel.com>
+Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
+[dannf: Minor context adjustments]
+
+Origin: https://github.com/tianocore/edk2/commit/c32be82e99ef272e7fa742c2f06ff9a4c3756613
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1995
+Last-Update: 2020-04-03
+
+Index: edk2-0~20180205.c0d9813c/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c
+===================================================================
+--- edk2-0~20180205.c0d9813c.orig/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c
++++ edk2-0~20180205.c0d9813c/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c
+@@ -3372,6 +3372,10 @@ HiiGetConfigRespInfo(
+       if (gRTConfigRespBuffer == NULL){
+         FreePool(ConfigAltResp);
+         DEBUG ((DEBUG_ERROR, "Not enough memory resource to get the ConfigResp string.\n"));
++        //

++        // Remove from the System Table when the configuration runtime buffer is freed.

++        //

++        gBS->InstallConfigurationTable (&gEfiHiiConfigRoutingProtocolGuid, NULL);

+         return EFI_OUT_OF_RESOURCES;
+       }
+     } else {
+@@ -3422,6 +3426,10 @@ HiiGetDatabaseInfo(
+     gRTDatabaseInfoBuffer = AllocateRuntimeZeroPool(DatabaseInfoSize);
+     if (gRTDatabaseInfoBuffer == NULL){
+       DEBUG ((DEBUG_ERROR, "Not enough memory resource to get the HiiDatabase info.\n"));
++      //

++      // Remove from the System Table when the configuration runtime buffer is freed.

++      //

++      gBS->InstallConfigurationTable (&gEfiHiiDatabaseProtocolGuid, NULL);

+       return EFI_OUT_OF_RESOURCES;
+     }
+   } else {
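Review bot: the `Index:` and `---`/`+++` headers here (and in 0003, 0004 and 0005) point at `edk2-0~20180205.c0d9813c`, an older source tree than the `edk2-0~20181115.85588389` paths in 0001 and 0006; quilt applies them at -p1 regardless, but a `quilt refresh` would keep the series consistent and make the `[dannf: Minor context adjustments]` note easier to verify. On the change itself, both hunks call `gBS->InstallConfigurationTable (..., NULL)` on the out-of-memory path so the OS no longer finds a system-table pointer to memory that has been released; the return value is ignored, which is acceptable here because removal with a NULL table can only fail with EFI_NOT_FOUND when the entry was never installed, and the function is already returning `EFI_OUT_OF_RESOURCES`.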
diff -Nru edk2-0~20181115.85588389/debian/patches/0003-MdeModulePkg-String.c-Zero-memory-before-free-CVE-20.patch edk2-0~20181115.85588389/debian/patches/0003-MdeModulePkg-String.c-Zero-memory-before-free-CVE-20.patch
--- edk2-0~20181115.85588389/debian/patches/0003-MdeModulePkg-String.c-Zero-memory-before-free-CVE-20.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0003-MdeModulePkg-String.c-Zero-memory-before-free-CVE-20.patch	2020-04-22 16:56:42.000000000 -0600
@@ -0,0 +1,80 @@
+From 764e8ba1389a617639d79d2c4f0d53f4ea4a7387 Mon Sep 17 00:00:00 2001
+From: Dandan Bi <dandan.bi@intel.com>
+Date: Fri, 22 Feb 2019 15:45:24 +0800
+Subject: [PATCH 03/17] MdeModulePkg/String.c: Zero memory before free
+ (CVE-2019-14558)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611
+
+Cc: Liming Gao <liming.gao@intel.com>
+Cc: Eric Dong <eric.dong@intel.com>
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Signed-off-by: Dandan Bi <dandan.bi@intel.com>
+Reviewed-by: Eric Dong <eric.dong@intel.com>
+Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
+[dannf: dropped copyright year change due to conflict]
+
+Origin: https://github.com/tianocore/edk2/commit/764e8ba1389a617639d79d2c4f0d53f4ea4a7387
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1611
+Last-Update: 2020-04-03
+
+Index: edk2-0~20180205.c0d9813c/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
+===================================================================
+--- edk2-0~20180205.c0d9813c.orig/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
++++ edk2-0~20180205.c0d9813c/MdeModulePkg/Universal/HiiDatabaseDxe/String.c
+@@ -1012,6 +1012,7 @@ SetStringWorker (
+       TmpSize
+       );
+ 
++    ZeroMem (StringPackage->StringBlock, OldBlockSize);
+     FreePool (StringPackage->StringBlock);
+     StringPackage->StringBlock = Block;
+     StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - OldBlockSize);
+@@ -1045,6 +1046,7 @@ SetStringWorker (
+       OldBlockSize - (StringTextPtr - StringPackage->StringBlock) - StringSize
+       );
+ 
++    ZeroMem (StringPackage->StringBlock, OldBlockSize);
+     FreePool (StringPackage->StringBlock);
+     StringPackage->StringBlock = Block;
+     StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - OldBlockSize);
+@@ -1096,6 +1098,7 @@ SetStringWorker (
+ 
+   CopyMem (BlockPtr, StringPackage->StringBlock, OldBlockSize);
+ 
++  ZeroMem (StringPackage->StringBlock, OldBlockSize);
+   FreePool (StringPackage->StringBlock);
+   StringPackage->StringBlock = Block;
+   StringPackage->StringPkgHdr->Header.Length += Ext2.Length;
+@@ -1279,6 +1282,7 @@ HiiNewString (
+       // Append a EFI_HII_SIBT_END block to the end.
+       //
+       *BlockPtr = EFI_HII_SIBT_END;
++      ZeroMem (StringPackage->StringBlock, OldBlockSize);
+       FreePool (StringPackage->StringBlock);
+       StringPackage->StringBlock = StringBlock;
+       StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize;
+@@ -1410,6 +1414,7 @@ HiiNewString (
+     // Append a EFI_HII_SIBT_END block to the end.
+     //
+     *BlockPtr = EFI_HII_SIBT_END;
++    ZeroMem (StringPackage->StringBlock, OldBlockSize);
+     FreePool (StringPackage->StringBlock);
+     StringPackage->StringBlock = StringBlock;
+     StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize;
+@@ -1452,6 +1457,7 @@ HiiNewString (
+       // Append a EFI_HII_SIBT_END block to the end.
+       //
+       *BlockPtr = EFI_HII_SIBT_END;
++      ZeroMem (StringPackage->StringBlock, OldBlockSize);
+       FreePool (StringPackage->StringBlock);
+       StringPackage->StringBlock = StringBlock;
+       StringPackage->StringPkgHdr->Header.Length += Ucs2FontBlockSize;
+@@ -1513,6 +1519,7 @@ HiiNewString (
+       // Append a EFI_HII_SIBT_END block to the end.
+       //
+       *BlockPtr = EFI_HII_SIBT_END;
++      ZeroMem (StringPackage->StringBlock, OldBlockSize);
+       FreePool (StringPackage->StringBlock);
+       StringPackage->StringBlock = StringBlock;
+       StringPackage->StringPkgHdr->Header.Length += FontBlockSize + Ucs2FontBlockSize;
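Review bot: each `ZeroMem (StringPackage->StringBlock, OldBlockSize)` sits immediately before the matching `FreePool`, and `OldBlockSize` is the length the surrounding code already uses to copy out of that block (for example `CopyMem (BlockPtr, StringPackage->StringBlock, OldBlockSize)` in the third hunk), so the scrub covers the buffer actually being freed. Worth stating in the patch header for the stable update: this only clears the old copy; the string contents still live in the new block they were copied into, so the fix closes the leak through freed pool memory rather than removing the data from memory altogether.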
diff -Nru edk2-0~20181115.85588389/debian/patches/0004-MdeModulePkg-DisplayEngine-Zero-memory-before-free-C.patch edk2-0~20181115.85588389/debian/patches/0004-MdeModulePkg-DisplayEngine-Zero-memory-before-free-C.patch
--- edk2-0~20181115.85588389/debian/patches/0004-MdeModulePkg-DisplayEngine-Zero-memory-before-free-C.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0004-MdeModulePkg-DisplayEngine-Zero-memory-before-free-C.patch	2020-04-22 16:57:17.000000000 -0600
@@ -0,0 +1,58 @@
+From f1d78c489a39971b5aac5d2fc8a39bfa925c3c5d Mon Sep 17 00:00:00 2001
+From: Dandan Bi <dandan.bi@intel.com>
+Date: Mon, 6 May 2019 16:43:34 +0800
+Subject: [PATCH 04/17] MdeModulePkg/DisplayEngine: Zero memory before free
+ (CVE-2019-14558)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611
+
+Cc: Liming Gao <liming.gao@intel.com>
+Cc: Eric Dong <eric.dong@intel.com>
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Signed-off-by: Dandan Bi <dandan.bi@intel.com>
+Reviewed-by: Eric Dong <eric.dong@intel.com>
+Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
+[dannf: dropped copyright year change due to conflict]
+
+Origin: https://github.com/tianocore/edk2/commit/f1d78c489a39971b5aac5d2fc8a39bfa925c3c5d
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1611
+Last-Update: 2020-04-03
+
+Index: edk2-0~20180205.c0d9813c/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c
+===================================================================
+--- edk2-0~20180205.c0d9813c.orig/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c
++++ edk2-0~20180205.c0d9813c/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c
+@@ -829,6 +829,7 @@ PasswordProcess (
+     //
+     Status = ReadString (MenuOption, gPromptForPassword, StringPtr);
+     if (EFI_ERROR (Status)) {
++      ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16));
+       FreePool (StringPtr);
+       return Status;
+     }
+@@ -846,7 +847,7 @@ PasswordProcess (
+       } else {
+         Status = EFI_SUCCESS;
+       }
+-
++      ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16));
+       FreePool (StringPtr);
+       return Status;
+     }
+@@ -862,6 +863,7 @@ PasswordProcess (
+     // Reset state machine for password
+     //
+     Question->PasswordCheck (gFormData, Question, NULL);
++    ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16));
+     FreePool (StringPtr);
+     return Status;
+   }
+@@ -877,6 +879,8 @@ PasswordProcess (
+     // Reset state machine for password
+     //
+     Question->PasswordCheck (gFormData, Question, NULL);
++    ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16));
++    ZeroMem (TempString, (Maximum + 1) * sizeof (CHAR16));
+     FreePool (StringPtr);
+     FreePool (TempString);
+     return Status;
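Review bot: the zeroing length `(Maximum + 1) * sizeof (CHAR16)` is repeated for `StringPtr` at all four exits and also applied to `TempString` in the last hunk, but none of the hunks show where those buffers are allocated; confirm both were allocated with exactly that size, since a larger value writes past the buffer and a smaller one leaves part of the password behind. Note that the second hunk replaces the blank line before `FreePool (StringPtr)` (`-` empty line, `+      ZeroMem ...`) rather than adding a line, which is why its header is `-846,7 +847,7`.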
diff -Nru edk2-0~20181115.85588389/debian/patches/0005-MdeModulePkg-SdMmcPciHcDxe-Fix-double-PciIo-Unmap-in.patch edk2-0~20181115.85588389/debian/patches/0005-MdeModulePkg-SdMmcPciHcDxe-Fix-double-PciIo-Unmap-in.patch
--- edk2-0~20181115.85588389/debian/patches/0005-MdeModulePkg-SdMmcPciHcDxe-Fix-double-PciIo-Unmap-in.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0005-MdeModulePkg-SdMmcPciHcDxe-Fix-double-PciIo-Unmap-in.patch	2020-04-22 16:58:10.000000000 -0600
@@ -0,0 +1,52 @@
+From e36d5ac7d10a6ff5becb0f52fdfd69a1752b0d14 Mon Sep 17 00:00:00 2001
+From: Hao A Wu <hao.a.wu@intel.com>
+Date: Wed, 26 Jun 2019 15:23:29 +0800
+Subject: [PATCH 05/17] MdeModulePkg/SdMmcPciHcDxe: Fix double PciIo Unmap in
+ TRB creation (CVE-2019-14587)
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1989
+
+The commit will avoid unmapping the same resource in error handling logic
+for function BuildAdmaDescTable() and SdMmcCreateTrb().
+
+For the error handling in BuildAdmaDescTable():
+The error is directly related with the corresponding Map() operation
+(mapped address beyond 4G, which is not supported in ADMA), so the Unmap()
+operation is done in the error handling logic, and then setting
+'Trb->AdmaMap' to NULL to avoid double Unmap.
+
+For the error handling in SdMmcCreateTrb():
+The error is not directly related with the corresponding Map() operation,
+so the commit will update the code to left SdMmcFreeTrb() for the Unmap
+operation to avoid double Unmap.
+
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Cc: Ray Ni <ray.ni@intel.com>
+Signed-off-by: Hao A Wu <hao.a.wu@intel.com>
+Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
+
+Origin: https://github.com/tianocore/edk2/commit/e36d5ac7d10a6ff5becb0f52fdfd69a1752b0d14
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1989
+Last-Update: 2020-04-03
+
+Index: edk2-0~20180205.c0d9813c/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c
+===================================================================
+--- edk2-0~20180205.c0d9813c.orig/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c
++++ edk2-0~20180205.c0d9813c/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c
+@@ -1253,6 +1253,8 @@ BuildAdmaDescTable (
+       PciIo,
+       Trb->AdmaMap
+     );
++    Trb->AdmaMap = NULL;
++
+     PciIo->FreeBuffer (
+       PciIo,
+       EFI_SIZE_TO_PAGES (TableSize),
+@@ -1384,7 +1386,6 @@ SdMmcCreateTrb (
+       Trb->Mode = SdMmcAdmaMode;
+       Status = BuildAdmaDescTable (Trb);
+       if (EFI_ERROR (Status)) {
+-        PciIo->Unmap (PciIo, Trb->DataMap);
+         goto Error;
+       }
+     } else if (Private->Capability[Slot].Sdma != 0) {
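Review bot: the fix depends on `SdMmcFreeTrb ()` testing `Trb->AdmaMap` and `Trb->DataMap` for NULL before calling `PciIo->Unmap`: with `Trb->AdmaMap = NULL` now set in the BuildAdmaDescTable error path and the explicit `PciIo->Unmap (PciIo, Trb->DataMap)` dropped from SdMmcCreateTrb, every Unmap is deferred to the `Error` path, and that guard is what keeps the original double unmap from becoming an Unmap of a NULL mapping. SdMmcFreeTrb is not in this context, so it deserves a glance. Same `edk2-0~20180205.c0d9813c` Index path remark as for 0002.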
diff -Nru edk2-0~20181115.85588389/debian/patches/0006-NetworkPkg-Ip4Dxe-Check-the-received-package-length-.patch edk2-0~20181115.85588389/debian/patches/0006-NetworkPkg-Ip4Dxe-Check-the-received-package-length-.patch
--- edk2-0~20181115.85588389/debian/patches/0006-NetworkPkg-Ip4Dxe-Check-the-received-package-length-.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0006-NetworkPkg-Ip4Dxe-Check-the-received-package-length-.patch	2020-04-22 16:59:37.000000000 -0600
@@ -0,0 +1,101 @@
+From 578bcdc2605e3438b9cbdac4e68339f90f5bf8af Mon Sep 17 00:00:00 2001
+From: Jiaxin Wu <Jiaxin.wu@intel.com>
+Date: Mon, 29 Apr 2019 09:51:53 +0800
+Subject: [PATCH 06/17] NetworkPkg/Ip4Dxe: Check the received package length
+ (CVE-2019-14559).
+
+v3: correct the coding style.
+v2: correct the commit message & add BZ number.
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1610
+
+This patch is to check the received package length to make sure the package
+has a valid length field.
+
+Cc: Fu Siyuan <siyuan.fu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
+Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
+[dannf: Change modified file path; drop conflicting Copyright date change]
+
+Origin: https://github.com/tianocore/edk2/commit/578bcdc2605e3438b9cbdac4e68339f90f5bf8af
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1610
+Bug-Debian: https://bugs.debian.org/952926
+Last-Update: 2020-04-22
+
+Index: edk2-0~20181115.85588389/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c
+===================================================================
+--- edk2-0~20181115.85588389.orig/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c
++++ edk2-0~20181115.85588389/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c
+@@ -717,10 +717,6 @@ Ip4PreProcessPacket (
+   //
+   // Check if the IP4 header is correctly formatted.
+   //
+-  if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) {
+-    return EFI_INVALID_PARAMETER;
+-  }
+-
+   HeadLen  = (Head->HeadLen << 2);
+   TotalLen = NTOHS (Head->TotalLen);
+ 
+@@ -815,6 +811,30 @@ Ip4PreProcessPacket (
+ }
+ 
+ /**
++  This function checks the IPv4 packet length.

++

++  @param[in]       Packet          Pointer to the IPv4 Packet to be checked.

++

++  @retval TRUE                   The input IPv4 packet length is valid.

++  @retval FALSE                  The input IPv4 packet length is invalid.

++

++**/

++BOOLEAN

++Ip4IsValidPacketLength (

++  IN NET_BUF        *Packet

++  )

++{

++  //

++  // Check the IP4 packet length.

++  //

++  if (Packet->TotalSize < IP4_MIN_HEADLEN) {

++    return FALSE;

++  }

++

++  return TRUE;

++}

++

++/**

+   The IP4 input routine. It is called by the IP4_INTERFACE when a
+   IP4 fragment is received from MNP.
+ 
+@@ -850,6 +870,10 @@ Ip4AccpetFrame (
+     goto DROP;
+   }
+ 
++  if (!Ip4IsValidPacketLength (Packet)) {

++    goto RESTART;

++  }

++

+   Head      = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
+   ASSERT (Head != NULL);
+   OptionLen = (Head->HeadLen << 2) - IP4_MIN_HEADLEN;
+@@ -896,10 +920,14 @@ Ip4AccpetFrame (
+   //
+   ZeroMem (&ZeroHead, sizeof (IP4_HEAD));
+   if (0 == CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) {
+-  // Packet may have been changed. Head, HeadLen, TotalLen, and
+-  // info must be reloaded bofore use. The ownership of the packet
+-  // is transfered to the packet process logic.
+-  //
++    // Packet may have been changed. Head, HeadLen, TotalLen, and


++    // info must be reloaded before use. The ownership of the packet


++    // is transferred to the packet process logic.


++    //


++    if (!Ip4IsValidPacketLength (Packet)) {


++      goto RESTART;


++    }


++


+     Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
+     ASSERT (Head != NULL);
+     Status = Ip4PreProcessPacket (
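Review bot: the length check is removed from `Ip4PreProcessPacket` and re-added ahead of both places `Ip4AccpetFrame` calls it (before the first `NetbufGetByte` and again after the packet may have been rewritten); if `Ip4PreProcessPacket` has any other caller in this older `MdeModulePkg/Universal/Network/Ip4Dxe` tree, that caller loses the check, which is worth confirming given that the file path had to be changed (`[dannf: Change modified file path ...]`). The new checks `goto RESTART` while the error-status path a few lines above uses `goto DROP`; RESTART is the right label for a malformed frame only if it re-arms the receive before freeing the packet, so check the label semantics in this version of Ip4Input.c. The third hunk also re-indents a comment and fixes two typos (`bofore`, `transfered`); harmless, but cosmetic churn inside a stable-update security patch.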
diff -Nru edk2-0~20181115.85588389/debian/patches/0007-SecurityPkg-DxeImageVerificationLib-Fix-memory-leaks.patch edk2-0~20181115.85588389/debian/patches/0007-SecurityPkg-DxeImageVerificationLib-Fix-memory-leaks.patch
--- edk2-0~20181115.85588389/debian/patches/0007-SecurityPkg-DxeImageVerificationLib-Fix-memory-leaks.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0007-SecurityPkg-DxeImageVerificationLib-Fix-memory-leaks.patch	2020-04-22 17:00:14.000000000 -0600
@@ -0,0 +1,38 @@
+From fbb96072233b5eaecf4d229cbee47b13dcab39e1 Mon Sep 17 00:00:00 2001
+From: Jian J Wang <jian.j.wang@intel.com>
+Date: Thu, 10 Oct 2019 11:06:53 +0800
+Subject: [PATCH 07/17] SecurityPkg/DxeImageVerificationLib: Fix memory leaks
+ (CVE-2019-14575)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+
+Pointer HashCtx used in IsCertHashFoundInDatabase() is not freed inside
+the while-loop, if it will run more than once.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Chao Zhang <chao.b.zhang@intel.com>
+Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Origin: https://github.com/tianocore/edk2/commit/fbb96072233b5eaecf4d229cbee47b13dcab39e1
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+Bug-Debian: https://bugs.debian.org/952935
+Last-Update: 2020-03-16
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index dbfbfcb4fb..74dbffa122 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -908,6 +908,9 @@ IsCertHashFoundInDatabase (
+       goto Done;
+     }
+ 
++    FreePool (HashCtx);
++    HashCtx = NULL;
++
+     SiglistHeaderSize = sizeof (EFI_SIGNATURE_LIST) + DbxList->SignatureHeaderSize;
+     CertHash          = (EFI_SIGNATURE_DATA *) ((UINT8 *) DbxList + SiglistHeaderSize);
+     CertHashCount     = (DbxList->SignatureListSize - SiglistHeaderSize) / DbxList->SignatureSize;
+-- 
+2.25.1
+
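Review bot: freeing `HashCtx` at the bottom of the loop body and resetting it to NULL is the right shape: the `goto Done` just above leaves HashCtx allocated, so `Done` presumably frees a non-NULL HashCtx, and the NULL assignment keeps that from becoming a double free once the loop has already released it. This is the first patch in the series in `git format-patch` form (`diff --git`, `index`, `-- 2.25.1` trailer) rather than the quilt `Index:` form used by 0001 to 0006; quilt accepts both, but the trailer lines are noise in debian/patches.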
diff -Nru edk2-0~20181115.85588389/debian/patches/0008-SecurityPkg-DxeImageVerificationLib-reject-CertStack.patch edk2-0~20181115.85588389/debian/patches/0008-SecurityPkg-DxeImageVerificationLib-reject-CertStack.patch
--- edk2-0~20181115.85588389/debian/patches/0008-SecurityPkg-DxeImageVerificationLib-reject-CertStack.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0008-SecurityPkg-DxeImageVerificationLib-reject-CertStack.patch	2020-04-22 17:00:54.000000000 -0600
@@ -0,0 +1,37 @@
+From c13742b180095e5181e41dffda954581ecbd9b9c Mon Sep 17 00:00:00 2001
+From: Jian J Wang <jian.j.wang@intel.com>
+Date: Thu, 10 Oct 2019 11:14:47 +0800
+Subject: [PATCH 08/17] SecurityPkg/DxeImageVerificationLib: reject
+ CertStack.CertNumber==0 per DBX (CVE-2019-14575)
+
+In case the signers' certificate stack, retrieved from the PE/COFF image's
+Authenticode blob, has zero elements (=there are zero signer certificates),
+then we should consider the image forbidden by DBX, not accepted by DBX.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Chao Zhang <chao.b.zhang@intel.com>
+Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Origin: https://github.com/tianocore/edk2/commit/c13742b180095e5181e41dffda954581ecbd9b9c
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+Bug-Debian: https://bugs.debian.org/952935
+Last-Update: 2020-03-16
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index 74dbffa122..5dcd6efed5 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1326,7 +1326,7 @@ IsForbiddenByDbx (
+   //       UINT8  Certn[];
+   //
+   Pkcs7GetSigners (AuthData, AuthDataSize, &CertBuffer, &BufferLength, &TrustedCert, &TrustedCertLength);
+-  if ((BufferLength == 0) || (CertBuffer == NULL)) {
++  if ((BufferLength == 0) || (CertBuffer == NULL) || (*CertBuffer) == 0) {
+     IsForbidden = TRUE;
+     goto Done;
+   }
+-- 
+2.25.1
+
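Review bot: the added `(*CertBuffer) == 0` dereferences the first byte of the signer stack, which the subject and the layout comment above the call identify as the `CertNumber` count; `||` short-circuits, so the preceding `CertBuffer == NULL` test protects the dereference. Style nit: the new operand is parenthesised differently from its neighbours (`(BufferLength == 0) || (CertBuffer == NULL) || (*CertBuffer) == 0`); `(*CertBuffer == 0)` would read consistently. The return value of `Pkcs7GetSigners` is still ignored, so a failed parse is detected only through these output checks.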
diff -Nru edk2-0~20181115.85588389/debian/patches/0009-SecurityPkg-DxeImageVerificationLib-fix-wrong-fetch-.patch edk2-0~20181115.85588389/debian/patches/0009-SecurityPkg-DxeImageVerificationLib-fix-wrong-fetch-.patch
--- edk2-0~20181115.85588389/debian/patches/0009-SecurityPkg-DxeImageVerificationLib-fix-wrong-fetch-.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0009-SecurityPkg-DxeImageVerificationLib-fix-wrong-fetch-.patch	2020-04-22 17:01:14.000000000 -0600
@@ -0,0 +1,53 @@
+From 9e569700901857d0ba418ebdd30b8086b908688c Mon Sep 17 00:00:00 2001
+From: Jian J Wang <jian.j.wang@intel.com>
+Date: Thu, 10 Oct 2019 11:46:16 +0800
+Subject: [PATCH 09/17] SecurityPkg/DxeImageVerificationLib: fix wrong fetch
+ dbx in IsAllowedByDb (CVE-2019-14575)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+
+Normally two times of calling gRT->GetVariable() are needed to get
+the data of a variable: get the variable size by passing zero variable
+size, and then allocate enough memory and pass the correct variable size
+and buffer.
+
+But in the inner loop in IsAllowedByDb(), the DbxDataSize was not
+initialized to zero before calling gRT->GetVariable(). It won't cause
+problem if dbx does not exist. But it will give wrong result if dbx
+exists and the DbxDataSize happens to be a small enough value. In this
+situation, EFI_BUFFER_TOO_SMALL will be returned. Then the result check
+code followed will jump to 'Done', which is not correct because it's
+actually the value expected.
+
+            if (Status == EFI_BUFFER_TOO_SMALL) {
+              goto Done;
+            }
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Chao Zhang <chao.b.zhang@intel.com>
+Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Origin: https://github.com/tianocore/edk2/commit/9e569700901857d0ba418ebdd30b8086b908688c
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+Bug-Debian: https://bugs.debian.org/952935
+Last-Update: 2020-03-16
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index 5dcd6efed5..1efb2f96cd 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1456,8 +1456,9 @@ IsAllowedByDb (
+             //
+             // Here We still need to check if this RootCert's Hash is revoked
+             //
++            DbxDataSize = 0;
+             Status   = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, NULL);
+-            if (Status == EFI_BUFFER_TOO_SMALL) {
++            if (Status != EFI_BUFFER_TOO_SMALL) {
+               goto Done;
+             }
+             DbxData = (UINT8 *) AllocateZeroPool (DbxDataSize);
+-- 
+2.25.1
+
diff -Nru edk2-0~20181115.85588389/debian/patches/0010-SecurityPkg-DxeImageVerificationLib-avoid-bypass-in-.patch edk2-0~20181115.85588389/debian/patches/0010-SecurityPkg-DxeImageVerificationLib-avoid-bypass-in-.patch
--- edk2-0~20181115.85588389/debian/patches/0010-SecurityPkg-DxeImageVerificationLib-avoid-bypass-in-.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0010-SecurityPkg-DxeImageVerificationLib-avoid-bypass-in-.patch	2020-04-22 17:01:31.000000000 -0600
@@ -0,0 +1,62 @@
+From 929d1a24d12822942fd4f9fa83582e27f92de243 Mon Sep 17 00:00:00 2001
+From: Jian J Wang <jian.j.wang@intel.com>
+Date: Thu, 10 Oct 2019 14:28:36 +0800
+Subject: [PATCH 10/17] SecurityPkg/DxeImageVerificationLib: avoid bypass in
+ fetching dbx (CVE-2019-14575)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+
+In timestamp check after the cert is found in db, the original code jumps
+to 'Done' if any error happens in fetching dbx variable. At any of the
+jump, VerifyStatus equals to TRUE, which means allowed-by-db. This should
+not be allowed except to EFI_NOT_FOUND case (meaning dbx doesn't exist),
+because it could be used to bypass timestamp check.
+
+This patch add code to change VerifyStatus to FALSE in the case of memory
+allocation failure and dbx fetching failure to avoid potential bypass
+issue.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Chao Zhang <chao.b.zhang@intel.com>
+Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Origin: https://github.com/tianocore/edk2/commit/929d1a24d12822942fd4f9fa83582e27f92de243
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+Bug-Debian: https://bugs.debian.org/952935
+Last-Update: 2020-03-16
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index 1efb2f96cd..ed5dbf26b0 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1459,15 +1459,26 @@ IsAllowedByDb (
+             DbxDataSize = 0;
+             Status   = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, NULL);
+             if (Status != EFI_BUFFER_TOO_SMALL) {
++              if (Status != EFI_NOT_FOUND) {
++                VerifyStatus = FALSE;
++              }
+               goto Done;
+             }
+             DbxData = (UINT8 *) AllocateZeroPool (DbxDataSize);
+             if (DbxData == NULL) {
++              //
++              // Force not-allowed-by-db to avoid bypass
++              //
++              VerifyStatus = FALSE;
+               goto Done;
+             }
+ 
+             Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, (VOID *) DbxData);
+             if (EFI_ERROR (Status)) {
++              //
++              // Force not-allowed-by-db to avoid bypass
++              //
++              VerifyStatus = FALSE;
+               goto Done;
+             }
+ 
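Review bot: the EFI_NOT_FOUND branch of the first GetVariable() is now the only exit in this block that reaches Done with VerifyStatus left TRUE; that is the intended "no dbx, nothing to revoke" outcome per the commit message, but the other two failure exits each carry a "Force not-allowed-by-db to avoid bypass" comment while this one is silent. A one-line comment on `if (Status != EFI_NOT_FOUND) {` stating that a missing dbx deliberately keeps the db result would make the asymmetry obvious to the next reader, and the two identical comment/assignment pairs could share a single failure label.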
+-- 
+2.25.1
+
diff -Nru edk2-0~20181115.85588389/debian/patches/0011-SecurityPkg-DxeImageVerificationLib-refactor-db-dbx-.patch edk2-0~20181115.85588389/debian/patches/0011-SecurityPkg-DxeImageVerificationLib-refactor-db-dbx-.patch
--- edk2-0~20181115.85588389/debian/patches/0011-SecurityPkg-DxeImageVerificationLib-refactor-db-dbx-.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0011-SecurityPkg-DxeImageVerificationLib-refactor-db-dbx-.patch	2020-04-22 17:01:44.000000000 -0600
@@ -0,0 +1,211 @@
+From adc6898366298d1f64b91785e50095527f682758 Mon Sep 17 00:00:00 2001
+From: Jian J Wang <jian.j.wang@intel.com>
+Date: Thu, 10 Oct 2019 15:49:55 +0800
+Subject: [PATCH 11/17] SecurityPkg/DxeImageVerificationLib: refactor db/dbx
+ fetching code (CVE-2019-14575)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+
+The dbx fetching code inside the while/for-loop causes code hard to
+understand. Since there's no need to get dbx more than once, this patch
+simplify the code logic by moving related code to be outside the while-
+loop. db fetching code is also refined accordingly to reduce the indent
+level of code.
+
+More comments are also added or refined to explain more details.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Chao Zhang <chao.b.zhang@intel.com>
+Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Origin: https://github.com/tianocore/edk2/commit/adc6898366298d1f64b91785e50095527f682758
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+Bug-Debian: https://bugs.debian.org/952935
+Last-Update: 2020-03-16
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index ed5dbf26b0..8739d1fa29 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1412,76 +1412,92 @@ IsAllowedByDb (
+   RootCertSize      = 0;
+   VerifyStatus      = FALSE;
+ 
++  //
++  // Fetch 'db' content. If 'db' doesn't exist or encounters problem to get the
++  // data, return not-allowed-by-db (FALSE).
++  //
+   DataSize = 0;
+   Status   = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL);
+-  if (Status == EFI_BUFFER_TOO_SMALL) {
+-    Data = (UINT8 *) AllocateZeroPool (DataSize);
+-    if (Data == NULL) {
+-      return VerifyStatus;
++  ASSERT (EFI_ERROR (Status));
++  if (Status != EFI_BUFFER_TOO_SMALL) {
++    return VerifyStatus;
++  }
++
++  Data = (UINT8 *) AllocateZeroPool (DataSize);
++  if (Data == NULL) {
++    return VerifyStatus;
++  }
++
++  Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, (VOID *) Data);
++  if (EFI_ERROR (Status)) {
++    goto Done;
++  }
++
++  //
++  // Fetch 'dbx' content. If 'dbx' doesn't exist, continue to check 'db'.
++  // If any other errors occured, no need to check 'db' but just return
++  // not-allowed-by-db (FALSE) to avoid bypass.
++  //
++  DbxDataSize = 0;
++  Status      = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, NULL);
++  ASSERT (EFI_ERROR (Status));
++  if (Status != EFI_BUFFER_TOO_SMALL) {
++    if (Status != EFI_NOT_FOUND) {
++      goto Done;
++    }
++    //
++    // 'dbx' does not exist. Continue to check 'db'.
++    //
++  } else {
++    //
++    // 'dbx' exists. Get its content.
++    //
++    DbxData = (UINT8 *) AllocateZeroPool (DbxDataSize);
++    if (DbxData == NULL) {
++      goto Done;
+     }
+ 
+-    Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, (VOID *) Data);
++    Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, (VOID *) DbxData);
+     if (EFI_ERROR (Status)) {
+       goto Done;
+     }
++  }
+ 
+-    //
+-    // Find X509 certificate in Signature List to verify the signature in pkcs7 signed data.
+-    //
+-    CertList = (EFI_SIGNATURE_LIST *) Data;
+-    while ((DataSize > 0) && (DataSize >= CertList->SignatureListSize)) {
+-      if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
+-        CertData  = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
+-        CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
++  //
++  // Find X509 certificate in Signature List to verify the signature in pkcs7 signed data.
++  //
++  CertList = (EFI_SIGNATURE_LIST *) Data;
++  while ((DataSize > 0) && (DataSize >= CertList->SignatureListSize)) {
++    if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
++      CertData  = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
++      CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
+ 
+-        for (Index = 0; Index < CertCount; Index++) {
+-          //
+-          // Iterate each Signature Data Node within this CertList for verify.
+-          //
+-          RootCert     = CertData->SignatureData;
+-          RootCertSize = CertList->SignatureSize - sizeof (EFI_GUID);
++      for (Index = 0; Index < CertCount; Index++) {
++        //
++        // Iterate each Signature Data Node within this CertList for verify.
++        //
++        RootCert     = CertData->SignatureData;
++        RootCertSize = CertList->SignatureSize - sizeof (EFI_GUID);
+ 
++        //
++        // Call AuthenticodeVerify library to Verify Authenticode struct.
++        //
++        VerifyStatus = AuthenticodeVerify (
++                         AuthData,
++                         AuthDataSize,
++                         RootCert,
++                         RootCertSize,
++                         mImageDigest,
++                         mImageDigestSize
++                         );
++        if (VerifyStatus) {
+           //
+-          // Call AuthenticodeVerify library to Verify Authenticode struct.
++          // The image is signed and its signature is found in 'db'.
+           //
+-          VerifyStatus = AuthenticodeVerify (
+-                           AuthData,
+-                           AuthDataSize,
+-                           RootCert,
+-                           RootCertSize,
+-                           mImageDigest,
+-                           mImageDigestSize
+-                           );
+-          if (VerifyStatus) {
++          if (DbxData != NULL) {
+             //
+             // Here We still need to check if this RootCert's Hash is revoked
+             //
+-            DbxDataSize = 0;
+-            Status   = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, NULL);
+-            if (Status != EFI_BUFFER_TOO_SMALL) {
+-              if (Status != EFI_NOT_FOUND) {
+-                VerifyStatus = FALSE;
+-              }
+-              goto Done;
+-            }
+-            DbxData = (UINT8 *) AllocateZeroPool (DbxDataSize);
+-            if (DbxData == NULL) {
+-              //
+-              // Force not-allowed-by-db to avoid bypass
+-              //
+-              VerifyStatus = FALSE;
+-              goto Done;
+-            }
+-
+-            Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, (VOID *) DbxData);
+-            if (EFI_ERROR (Status)) {
+-              //
+-              // Force not-allowed-by-db to avoid bypass
+-              //
+-              VerifyStatus = FALSE;
+-              goto Done;
+-            }
+-
+             if (IsCertHashFoundInDatabase (RootCert, RootCertSize, (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, &RevocationTime)) {
+               //
+               // Check the timestamp signature and signing time to determine if the RootCert can be trusted.
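Review bot: the db allocation failure exits with `return VerifyStatus;` while the dbx allocation failure a few lines later exits with `goto Done;`; both fail closed because VerifyStatus was initialised to FALSE at the top of the function, and nothing has been allocated yet at the first one, but routing both through Done keeps a single cleanup path and avoids a leak if another allocation is ever added ahead of it. Also, "occured" in the new dbx comment should be "occurred".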
+@@ -1491,17 +1507,23 @@ IsAllowedByDb (
+                 DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed and signature is accepted by DB, but its root cert failed the timestamp check.\n"));
+               }
+             }
+-
+-            goto Done;
+           }
+ 
+-          CertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertData + CertList->SignatureSize);
++          //
++          // There's no 'dbx' to check revocation time against (must-be pass),
++          // or, there's revocation time found in 'dbx' and checked againt 'dbt'
++          // (maybe pass or fail, depending on timestamp compare result). Either
++          // way the verification job has been completed at this point.
++          //
++          goto Done;
+         }
+-      }
+ 
+-      DataSize -= CertList->SignatureListSize;
+-      CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
++        CertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertData + CertList->SignatureSize);
++      }
+     }
++
++    DataSize -= CertList->SignatureListSize;
++    CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
+   }
+ 
+ Done:
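Review bot: the new comment above the moved `goto Done;` has a typo ("againt" should be "against") and "must-be pass" reads awkwardly; something like "there is no dbx to check the revocation time against, so the db match stands" says the same thing more plainly. Moving the jump outside the `if (DbxData != NULL)` block is right: once AuthenticodeVerify() has matched a db entry the result is final whether or not dbx exists, so the remaining certificates need not be scanned.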
+-- 
+2.25.1
+
diff -Nru edk2-0~20181115.85588389/debian/patches/0012-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch edk2-0~20181115.85588389/debian/patches/0012-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch
--- edk2-0~20181115.85588389/debian/patches/0012-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0012-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch	2020-04-22 17:01:58.000000000 -0600
@@ -0,0 +1,202 @@
+From a83dbf008cc73406cbdc0d5ac3164cc19fff6683 Mon Sep 17 00:00:00 2001
+From: Jian J Wang <jian.j.wang@intel.com>
+Date: Mon, 16 Sep 2019 16:52:58 +0800
+Subject: [PATCH 12/17] SecurityPkg/DxeImageVerificationLib: Differentiate
+ error/search result (1) (CVE-2019-14575)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+
+To avoid false-negative issue in check hash against dbx, both error
+condition (as return value) and check result (as out parameter) of
+IsCertHashFoundInDatabase() are added. So the caller of this function
+will know exactly if a failure is caused by a black list hit or
+other error happening, and enforce a more secure operation to prevent
+secure boot from being bypassed. For a white list check (db), there's
+no such necessity.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Chao Zhang <chao.b.zhang@intel.com>
+Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Origin: https://github.com/tianocore/edk2/commit/a83dbf008cc73406cbdc0d5ac3164cc19fff6683
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+Bug-Debian: https://bugs.debian.org/952935
+Last-Update: 2020-03-16
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index 8739d1fa29..85261ba7f2 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -822,22 +822,23 @@ AddImageExeInfo (
+   @param[in]  SignatureList     Pointer to the Signature List in forbidden database.
+   @param[in]  SignatureListSize Size of Signature List.
+   @param[out] RevocationTime    Return the time that the certificate was revoked.
++  @param[out] IsFound           Search result. Only valid if EFI_SUCCESS returned.
+ 
+-  @return TRUE   The certificate hash is found in the forbidden database.
+-  @return FALSE  The certificate hash is not found in the forbidden database.
++  @retval EFI_SUCCESS           Finished the search without any error.
++  @retval Others                Error occurred in the search of database.
+ 
+ **/
+-BOOLEAN
++EFI_STATUS
+ IsCertHashFoundInDatabase (
+   IN  UINT8               *Certificate,
+   IN  UINTN               CertSize,
+   IN  EFI_SIGNATURE_LIST  *SignatureList,
+   IN  UINTN               SignatureListSize,
+-  OUT EFI_TIME            *RevocationTime
++  OUT EFI_TIME            *RevocationTime,
++  OUT BOOLEAN             *IsFound
+   )
+ {
+-  BOOLEAN             IsFound;
+-  BOOLEAN             Status;
++  EFI_STATUS          Status;
+   EFI_SIGNATURE_LIST  *DbxList;
+   UINTN               DbxSize;
+   EFI_SIGNATURE_DATA  *CertHash;
+@@ -851,21 +852,22 @@ IsCertHashFoundInDatabase (
+   UINT8               *TBSCert;
+   UINTN               TBSCertSize;
+ 
+-  IsFound  = FALSE;
++  Status   = EFI_ABORTED;
++  *IsFound = FALSE;
+   DbxList  = SignatureList;
+   DbxSize  = SignatureListSize;
+   HashCtx  = NULL;
+   HashAlg  = HASHALG_MAX;
+ 
+   if ((RevocationTime == NULL) || (DbxList == NULL)) {
+-    return FALSE;
++    return EFI_INVALID_PARAMETER;
+   }
+ 
+   //
+   // Retrieve the TBSCertificate from the X.509 Certificate.
+   //
+   if (!X509GetTBSCert (Certificate, CertSize, &TBSCert, &TBSCertSize)) {
+-    return FALSE;
++    return Status;
+   }
+ 
+   while ((DbxSize > 0) && (SignatureListSize >= DbxList->SignatureListSize)) {
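Review bot: `*IsFound = FALSE;` is written before the parameter check, and IsFound is not part of that check, so a NULL IsFound is dereferenced before `return EFI_INVALID_PARAMETER;` can reject it. Add `(IsFound == NULL)` to the check and move the assignment below it. Defaulting Status to EFI_ABORTED so that every `goto Done` on the hash path reports an error is the right fail-closed default.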
+@@ -895,16 +897,13 @@ IsCertHashFoundInDatabase (
+     if (HashCtx == NULL) {
+       goto Done;
+     }
+-    Status = mHash[HashAlg].HashInit (HashCtx);
+-    if (!Status) {
++    if (!mHash[HashAlg].HashInit (HashCtx)) {
+       goto Done;
+     }
+-    Status = mHash[HashAlg].HashUpdate (HashCtx, TBSCert, TBSCertSize);
+-    if (!Status) {
++    if (!mHash[HashAlg].HashUpdate (HashCtx, TBSCert, TBSCertSize)) {
+       goto Done;
+     }
+-    Status = mHash[HashAlg].HashFinal (HashCtx, CertDigest);
+-    if (!Status) {
++    if (!mHash[HashAlg].HashFinal (HashCtx, CertDigest)) {
+       goto Done;
+     }
+ 
+@@ -923,7 +922,8 @@ IsCertHashFoundInDatabase (
+         //
+         // Hash of Certificate is found in forbidden database.
+         //
+-        IsFound = TRUE;
++        Status   = EFI_SUCCESS;
++        *IsFound = TRUE;
+ 
+         //
+         // Return the revocation time.
+@@ -938,12 +938,14 @@ IsCertHashFoundInDatabase (
+     DbxList  = (EFI_SIGNATURE_LIST *) ((UINT8 *) DbxList + DbxList->SignatureListSize);
+   }
+ 
++  Status = EFI_SUCCESS;
++
+ Done:
+   if (HashCtx != NULL) {
+     FreePool (HashCtx);
+   }
+ 
+-  return IsFound;
++  return Status;
+ }
+ 
+ /**
+@@ -1216,6 +1218,7 @@ IsForbiddenByDbx (
+ {
+   EFI_STATUS                Status;
+   BOOLEAN                   IsForbidden;
++  BOOLEAN                   IsFound;
+   UINT8                     *Data;
+   UINTN                     DataSize;
+   EFI_SIGNATURE_LIST        *CertList;
+@@ -1344,20 +1347,29 @@ IsForbiddenByDbx (
+     //
+     CertPtr = CertPtr + sizeof (UINT32) + CertSize;
+ 
+-    if (IsCertHashFoundInDatabase (Cert, CertSize, (EFI_SIGNATURE_LIST *)Data, DataSize, &RevocationTime)) {
++    Status = IsCertHashFoundInDatabase (Cert, CertSize, (EFI_SIGNATURE_LIST *)Data, DataSize, &RevocationTime, &IsFound);
++    if (EFI_ERROR (Status)) {
+       //
+-      // Check the timestamp signature and signing time to determine if the image can be trusted.
++      // Error in searching dbx. Consider it as 'found'. RevocationTime might
++      // not be valid in such situation.
+       //
+       IsForbidden = TRUE;
++    } else if (IsFound) {
++      //
++      // Found Cert in dbx successfully. Check the timestamp signature and
++      // signing time to determine if the image can be trusted.
++      //
+       if (PassTimestampCheck (AuthData, AuthDataSize, &RevocationTime)) {
+         IsForbidden = FALSE;
+         //
+         // Pass DBT check. Continue to check other certs in image signer's cert list against DBX, DBT
+         //
+         continue;
++      } else {
++        IsForbidden = TRUE;
++        DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature failed the timestamp check.\n"));
++        goto Done;
+       }
+-      DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature failed the timestamp check.\n"));
+-      goto Done;
+     }
+ 
+   }
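Review bot: in the `EFI_ERROR (Status)` branch `IsForbidden = TRUE;` is set but the loop is not left, so the next certificate in the signer's list can reach `IsForbidden = FALSE; continue;` after a successful timestamp check and overwrite the error result. Since the comment says an error is to be treated as "found", the branch should `goto Done` like the failed-timestamp branch below it (or at least `break`); as written the dbx lookup failure can be silently discarded.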
+@@ -1392,6 +1404,7 @@ IsAllowedByDb (
+ {
+   EFI_STATUS                Status;
+   BOOLEAN                   VerifyStatus;
++  BOOLEAN                   IsFound;
+   EFI_SIGNATURE_LIST        *CertList;
+   EFI_SIGNATURE_DATA        *CertData;
+   UINTN                     DataSize;
+@@ -1498,7 +1511,14 @@ IsAllowedByDb (
+             //
+             // Here We still need to check if this RootCert's Hash is revoked
+             //
+-            if (IsCertHashFoundInDatabase (RootCert, RootCertSize, (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, &RevocationTime)) {
++            Status = IsCertHashFoundInDatabase (RootCert, RootCertSize, (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, &RevocationTime, &IsFound);
++            if (EFI_ERROR (Status)) {
++              //
++              // Error in searching dbx. Consider it as 'found'. RevocationTime might
++              // not be valid in such situation.
++              //
++              VerifyStatus = FALSE;
++            } else if (IsFound) {
+               //
+               // Check the timestamp signature and signing time to determine if the RootCert can be trusted.
+               //
+-- 
+2.25.1
+
diff -Nru edk2-0~20181115.85588389/debian/patches/0013-SecurityPkg-DxeImageVerificationLib-tighten-default-.patch edk2-0~20181115.85588389/debian/patches/0013-SecurityPkg-DxeImageVerificationLib-tighten-default-.patch
--- edk2-0~20181115.85588389/debian/patches/0013-SecurityPkg-DxeImageVerificationLib-tighten-default-.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0013-SecurityPkg-DxeImageVerificationLib-tighten-default-.patch	2020-04-22 17:02:11.000000000 -0600
@@ -0,0 +1,63 @@
+From 5cd8be6079ea7e5638903b2f3da0f4c10ec7f1da Mon Sep 17 00:00:00 2001
+From: Jian J Wang <jian.j.wang@intel.com>
+Date: Tue, 17 Sep 2019 11:04:33 +0800
+Subject: [PATCH 13/17] SecurityPkg/DxeImageVerificationLib: tighten default
+ result (CVE-2019-14575)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+
+All intermediate results inside this function will be checked and
+returned immediately upon any failure or error, like out-of-resource,
+hash calculation error or certificate retrieval failure.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Chao Zhang <chao.b.zhang@intel.com>
+Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Origin: https://github.com/tianocore/edk2/commit/5cd8be6079ea7e5638903b2f3da0f4c10ec7f1da
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+Bug-Debian: https://bugs.debian.org/952935
+Last-Update: 2020-03-16
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index 85261ba7f2..470a0d20ef 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1240,7 +1240,7 @@ IsForbiddenByDbx (
+   //
+   // Variable Initialization
+   //
+-  IsForbidden       = FALSE;
++  IsForbidden       = TRUE;
+   Data              = NULL;
+   CertList          = NULL;
+   CertData          = NULL;
+@@ -1257,7 +1257,14 @@ IsForbiddenByDbx (
+   //
+   DataSize = 0;
+   Status   = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL);
++  ASSERT (EFI_ERROR (Status));
+   if (Status != EFI_BUFFER_TOO_SMALL) {
++    if (Status == EFI_NOT_FOUND) {
++      //
++      // Evidently not in dbx if the database doesn't exist.
++      //
++      IsForbidden = FALSE;
++    }
+     return IsForbidden;
+   }
+   Data = (UINT8 *) AllocateZeroPool (DataSize);
+@@ -1374,6 +1381,8 @@ IsForbiddenByDbx (
+ 
+   }
+ 
++  IsForbidden = FALSE;
++
+ Done:
+   if (Data != NULL) {
+     FreePool (Data);
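Review bot: the unconditional `IsForbidden = FALSE;` placed just before `Done:` resets any IsForbidden = TRUE set inside the loop that does not leave the loop via `goto Done`, so the dbx-search-error branch added in the previous patch (which only assigns IsForbidden = TRUE and falls through) would end up returning FALSE here. Either that branch needs a `goto Done`, or this assignment should be conditional; as far as these hunks show, the two patches together reopen the case the error handling was meant to close.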
+-- 
+2.25.1
+
diff -Nru edk2-0~20181115.85588389/debian/patches/0014-SecurityPkg-DxeImageVerificationLib-plug-Data-leak-i.patch edk2-0~20181115.85588389/debian/patches/0014-SecurityPkg-DxeImageVerificationLib-plug-Data-leak-i.patch
--- edk2-0~20181115.85588389/debian/patches/0014-SecurityPkg-DxeImageVerificationLib-plug-Data-leak-i.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0014-SecurityPkg-DxeImageVerificationLib-plug-Data-leak-i.patch	2020-04-22 17:02:27.000000000 -0600
@@ -0,0 +1,37 @@
+From cb30c8f25162e6d8142c6b098f14c1e4e7f125ce Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 25 Sep 2019 13:41:57 +0200
+Subject: [PATCH 14/17] SecurityPkg/DxeImageVerificationLib: plug Data leak in
+ IsForbiddenByDbx() (CVE-2019-14575)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+
+If the second GetVariable() call for "dbx" fails, in IsForbiddenByDbx(),
+we have to free Data. Jump to "Done" for that.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Chao Zhang <chao.b.zhang@intel.com>
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Origin: https://github.com/tianocore/edk2/commit/cb30c8f25162e6d8142c6b098f14c1e4e7f125ce
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+Bug-Debian: https://bugs.debian.org/952935
+Last-Update: 2020-03-16
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index 470a0d20ef..f20640af68 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1274,7 +1274,7 @@ IsForbiddenByDbx (
+ 
+   Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, (VOID *) Data);
+   if (EFI_ERROR (Status)) {
+-    return IsForbidden;
++    goto Done;
+   }
+ 
+   //
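Review bot: switching `return IsForbidden;` to `goto Done;` frees Data, and because `Done:` sits after the `IsForbidden = FALSE;` assignment added in the previous patch, the jump also preserves the fail-closed TRUE default for a failed dbx read. A short comment at the jump would record that dependency on the ordering so a later reshuffle does not break it.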
+-- 
+2.25.1
+
diff -Nru edk2-0~20181115.85588389/debian/patches/0015-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch edk2-0~20181115.85588389/debian/patches/0015-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch
--- edk2-0~20181115.85588389/debian/patches/0015-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0015-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch	2020-04-22 17:02:41.000000000 -0600
@@ -0,0 +1,203 @@
+From b1c11470598416c89c67b75c991fd0773bcbab9d Mon Sep 17 00:00:00 2001
+From: Jian J Wang <jian.j.wang@intel.com>
+Date: Thu, 10 Oct 2019 15:02:17 +0800
+Subject: [PATCH 15/17] SecurityPkg/DxeImageVerificationLib: Differentiate
+ error/search result (2) (CVE-2019-14575)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+
+To avoid false-negative issue in check hash against dbx, both error
+condition (as return value) and check result (as out parameter) of
+IsSignatureFoundInDatabase() are added. So the caller of this function
+will know exactly if a failure is caused by a black list hit or
+other error happening, and enforce a more secure operation to prevent
+secure boot from being bypassed. For a white list check (db), there's
+no such necessity.
+
+All intermediate results inside this function will be checked and
+returned immediately upon any failure or error, like out-of-resource,
+hash calculation error or certificate retrieval failure.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Chao Zhang <chao.b.zhang@intel.com>
+Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+[dannf: backported to stable-201911]
+
+Origin: https://github.com/tianocore/edk2/commit/b1c11470598416c89c67b75c991fd0773bcbab9d
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+Bug-Debian: https://bugs.debian.org/952935
+Last-Update: 2020-03-16
+
+Index: edk2-0~20190606.20d2e5a1/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+===================================================================
+--- edk2-0~20190606.20d2e5a1.orig/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ edk2-0~20190606.20d2e5a1/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -954,17 +954,19 @@ Done:
+   @param[in]  Signature           Pointer to signature that is searched for.
+   @param[in]  CertType            Pointer to hash algrithom.
+   @param[in]  SignatureSize       Size of Signature.
++  @param[out] IsFound             Search result. Only valid if EFI_SUCCESS returned
+ 
+-  @return TRUE                    Found the signature in the variable database.
+-  @return FALSE                   Not found the signature in the variable database.
++  @retval EFI_SUCCESS             Finished the search without any error.
++  @retval Others                  Error occurred in the search of database.
+ 
+ **/
+-BOOLEAN
++EFI_STATUS
+ IsSignatureFoundInDatabase (
+-  IN CHAR16             *VariableName,
+-  IN UINT8              *Signature,
+-  IN EFI_GUID           *CertType,
+-  IN UINTN              SignatureSize
++  IN  CHAR16            *VariableName,
++  IN  UINT8             *Signature,
++  IN  EFI_GUID          *CertType,
++  IN  UINTN             SignatureSize,
++  OUT BOOLEAN           *IsFound
+   )
+ {
+   EFI_STATUS          Status;
+@@ -974,22 +976,28 @@ IsSignatureFoundInDatabase (
+   UINT8               *Data;
+   UINTN               Index;
+   UINTN               CertCount;
+-  BOOLEAN             IsFound;
+ 
+   //
+   // Read signature database variable.
+   //
+-  IsFound   = FALSE;
++  *IsFound  = FALSE;
+   Data      = NULL;
+   DataSize  = 0;
+   Status    = gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL);
+   if (Status != EFI_BUFFER_TOO_SMALL) {
+-    return FALSE;
++    if (Status == EFI_NOT_FOUND) {
++      //
++      // No database, no need to search.
++      //
++      Status = EFI_SUCCESS;
++    }
++
++    return Status;
+   }
+ 
+   Data = (UINT8 *) AllocateZeroPool (DataSize);
+   if (Data == NULL) {
+-    return FALSE;
++    return EFI_OUT_OF_RESOURCES;
+   }
+ 
+   Status = gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, Data);
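Review bot: `*IsFound = FALSE;` is dereferenced with no NULL check on IsFound, the same pattern flagged for IsCertHashFoundInDatabase(); add the check here too. Mapping EFI_NOT_FOUND to EFI_SUCCESS with IsFound left FALSE is the right reading of "no database", and returning EFI_OUT_OF_RESOURCES on allocation failure is clearer than the previous bare FALSE.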
+@@ -1009,7 +1017,7 @@ IsSignatureFoundInDatabase (
+           //
+           // Find the signature in database.
+           //
+-          IsFound = TRUE;
++          *IsFound = TRUE;
+           //
+           // Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to validate image should be measured
+           //
+@@ -1022,7 +1030,7 @@ IsSignatureFoundInDatabase (
+         Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
+       }
+ 
+-      if (IsFound) {
++      if (*IsFound) {
+         break;
+       }
+     }
+@@ -1036,7 +1044,7 @@ Done:
+     FreePool (Data);
+   }
+ 
+-  return IsFound;
++  return Status;
+ }
+ 
+ /**
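Review bot: `return Status;` at Done relies on Status still holding EFI_SUCCESS from the second GetVariable() call; unlike IsCertHashFoundInDatabase(), which sets `Status = EFI_SUCCESS;` explicitly before `Done:`, nothing in these hunks does so here. If anything between that call and Done: reassigns Status (the measurement step under "Entries in UEFI_IMAGE_SECURITY_DATABASE ... should be measured" is the obvious candidate), that value would be reported as the search result; an explicit assignment after the loop would make the code match the docblock's "Finished the search without any error" contract.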
+@@ -1646,6 +1654,8 @@ DxeImageVerificationHandler (
+   EFI_IMAGE_DATA_DIRECTORY             *SecDataDir;
+   UINT32                               OffSet;
+   CHAR16                               *NameStr;
++  EFI_STATUS                           DbStatus;

++  BOOLEAN                              IsFound;

+ 
+   SignatureList     = NULL;
+   SignatureListSize = 0;
+@@ -1655,7 +1665,7 @@ DxeImageVerificationHandler (
+   Action            = EFI_IMAGE_EXECUTION_AUTH_UNTESTED;
+   Status            = EFI_ACCESS_DENIED;
+   VerifyStatus      = EFI_ACCESS_DENIED;
+-
++  IsFound           = FALSE;

+ 
+   //
+   // Check the image type and get policy setting.
+@@ -1798,7 +1808,14 @@ DxeImageVerificationHandler (
+       goto Done;
+     }
+ 
+-    if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, &mCertType, mImageDigestSize)) {
++    DbStatus = IsSignatureFoundInDatabase (
++                 EFI_IMAGE_SECURITY_DATABASE1,
++                 mImageDigest,
++                 &mCertType,
++                 mImageDigestSize,
++                 &IsFound
++                 );
++    if (EFI_ERROR (DbStatus) || IsFound) {
+       //
+       // Image Hash is in forbidden database (DBX).
+       //
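Review bot: the comment "Image Hash is in forbidden database (DBX)." is no longer accurate for the `if (EFI_ERROR (DbStatus) || IsFound) {` branch, which also fires when the dbx lookup itself failed; update it along the lines of the IsForbiddenByDbx comment ("Error in searching dbx. Consider it as 'found'") so the deliberate fail-closed asymmetry with the `!EFI_ERROR (DbStatus) && IsFound` db check in the next hunk is documented at the call site.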
+@@ -1806,7 +1823,14 @@ DxeImageVerificationHandler (
+       goto Done;
+     }
+ 
+-    if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) {
++    DbStatus = IsSignatureFoundInDatabase (
++                 EFI_IMAGE_SECURITY_DATABASE,
++                 mImageDigest,
++                 &mCertType,
++                 mImageDigestSize,
++                 &IsFound
++                 );
++    if (!EFI_ERROR (DbStatus) && IsFound) {
+       //
+       // Image Hash is in allowed database (DB).
+       //
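Review bot: in the db lookup, `if (!EFI_ERROR (DbStatus) && IsFound)` folds an error return silently into "not in db". That is the correct fail-closed result, but it leaves no trace when the db variable is unreadable or malformed, and a corrupted db then presents as every image being unknown. Add a `DEBUG ((DEBUG_ERROR, ...))` for the `EFI_ERROR (DbStatus)` case before falling through so the cause is visible in the log.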
+@@ -1894,13 +1918,27 @@ DxeImageVerificationHandler (
+     //
+     // Check the image's hash value.
+     //
+-    if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, &mCertType, mImageDigestSize)) {
++    DbStatus = IsSignatureFoundInDatabase (
++                 EFI_IMAGE_SECURITY_DATABASE1,
++                 mImageDigest,
++                 &mCertType,
++                 mImageDigestSize,
++                 &IsFound
++                 );
++    if (EFI_ERROR (DbStatus) || IsFound) {
+       Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;
+       DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but %s hash of image is found in DBX.\n", mHashTypeStr));
+       VerifyStatus = EFI_ACCESS_DENIED;
+       break;
+     } else if (EFI_ERROR (VerifyStatus)) {
+-      if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) {
++      DbStatus = IsSignatureFoundInDatabase (
++                   EFI_IMAGE_SECURITY_DATABASE,
++                   mImageDigest,
++                   &mCertType,
++                   mImageDigestSize,
++                   &IsFound
++                   );
++      if (!EFI_ERROR (DbStatus) && IsFound) {
+         VerifyStatus = EFI_SUCCESS;
+       } else {
+         DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));
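Review bot: `Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND` and the message `"Image is signed but %s hash of image is found in DBX.\n"` are now also reached when `EFI_ERROR (DbStatus)` is true, that is, when dbx could not be read rather than matched, so both the execution-info record and the log misstate the reason for the denial. Split the condition, or add a second `DEBUG` for the error case, so the recorded reason matches what happened. Note also that `IsFound` carries over from the dbx lookup into the db lookup a few lines later without being reset; that is only safe if the callee writes `*IsFound` on every successful return rather than only on a match, which is worth confirming against the definition.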
diff -Nru edk2-0~20181115.85588389/debian/patches/0016-SecurityPkg-DxeImageVerificationLib-change-IsCertHas.patch edk2-0~20181115.85588389/debian/patches/0016-SecurityPkg-DxeImageVerificationLib-change-IsCertHas.patch
--- edk2-0~20181115.85588389/debian/patches/0016-SecurityPkg-DxeImageVerificationLib-change-IsCertHas.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0016-SecurityPkg-DxeImageVerificationLib-change-IsCertHas.patch	2020-04-22 17:02:56.000000000 -0600
@@ -0,0 +1,55 @@
+From c230c002accc4281ccc57bba7153a9b2d9b9ccd3 Mon Sep 17 00:00:00 2001
+From: Jian J Wang <jian.j.wang@intel.com>
+Date: Fri, 14 Feb 2020 13:50:32 +0800
+Subject: [PATCH 16/17] SecurityPkg/DxeImageVerificationLib: change
+ IsCertHashFoundInDatabase name (CVE-2019-14575)
+
+IsCertHashFoundInDatabase() is actually used only for searching dbx,
+according to the function logic, its comments and its use cases. Changing
+it to IsCertHashFoundInDbx to avoid confusion.
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Chao Zhang <chao.b.zhang@intel.com>
+Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Origin: https://github.com/tianocore/edk2/commit/c230c002accc4281ccc57bba7153a9b2d9b9ccd3
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+Bug-Debian: https://bugs.debian.org/952935
+Last-Update: 2020-03-16
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index 0e1587bc3c..b7fa8ea8c5 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -829,7 +829,7 @@ AddImageExeInfo (
+ 
+ **/
+ EFI_STATUS
+-IsCertHashFoundInDatabase (
++IsCertHashFoundInDbx (
+   IN  UINT8               *Certificate,
+   IN  UINTN               CertSize,
+   IN  EFI_SIGNATURE_LIST  *SignatureList,
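Review bot: only the definition line is renamed here; the doc-comment block this hunk opens with (`**/`) and any forward declaration or header entry sit outside the diff. Check that the comment header above names `IsCertHashFoundInDbx` and that nothing else in the file or its .h still refers to `IsCertHashFoundInDatabase`, otherwise the rename leaves stale documentation or a dangling prototype.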
+@@ -1362,7 +1362,7 @@ IsForbiddenByDbx (
+     //
+     CertPtr = CertPtr + sizeof (UINT32) + CertSize;
+ 
+-    Status = IsCertHashFoundInDatabase (Cert, CertSize, (EFI_SIGNATURE_LIST *)Data, DataSize, &RevocationTime, &IsFound);
++    Status = IsCertHashFoundInDbx (Cert, CertSize, (EFI_SIGNATURE_LIST *)Data, DataSize, &RevocationTime, &IsFound);
+     if (EFI_ERROR (Status)) {
+       //
+       // Error in searching dbx. Consider it as 'found'. RevocationTime might
+@@ -1528,7 +1528,7 @@ IsAllowedByDb (
+             //
+             // Here We still need to check if this RootCert's Hash is revoked
+             //
+-            Status = IsCertHashFoundInDatabase (RootCert, RootCertSize, (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, &RevocationTime, &IsFound);
++            Status = IsCertHashFoundInDbx (RootCert, RootCertSize, (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, &RevocationTime, &IsFound);
+             if (EFI_ERROR (Status)) {
+               //
+               // Error in searching dbx. Consider it as 'found'. RevocationTime might
+-- 
+2.25.1
+
diff -Nru edk2-0~20181115.85588389/debian/patches/0017-NetworkPkg-ArpDxe-Recycle-invalid-ARP-packets-CVE-20.patch edk2-0~20181115.85588389/debian/patches/0017-NetworkPkg-ArpDxe-Recycle-invalid-ARP-packets-CVE-20.patch
--- edk2-0~20181115.85588389/debian/patches/0017-NetworkPkg-ArpDxe-Recycle-invalid-ARP-packets-CVE-20.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0017-NetworkPkg-ArpDxe-Recycle-invalid-ARP-packets-CVE-20.patch	2020-04-22 17:03:16.000000000 -0600
@@ -0,0 +1,46 @@
+From 1d3215fd24f47eaa4877542a59b4bbf5afc0cfe8 Mon Sep 17 00:00:00 2001
+From: Siyuan Fu <siyuan.fu@intel.com>
+Date: Fri, 21 Feb 2020 10:14:18 +0800
+Subject: [PATCH 17/17] NetworkPkg/ArpDxe: Recycle invalid ARP packets
+ (CVE-2019-14559)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2031
+
+This patch triggers the RecycleEvent for invalid ARP packets.
+Prior to this, we would just ignore invalid ARP packets,
+and never free them.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Signed-off-by: Nicholas Armour <nicholas.armour@intel.com>
+Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
+[dannf: Change modified file path; drop conflicting Copyright date change]
+
+Origin: https://github.com/tianocore/edk2/commit/1d3215fd24f47eaa4877542a59b4bbf5afc0cfe8
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=2031
+Bug-Debian: https://bugs.debian.org/952926
+Last-Update: 2020-04-03
+
+Index: edk2-0~20180205.c0d9813c/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c
+===================================================================
+--- edk2-0~20180205.c0d9813c.orig/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c
++++ edk2-0~20180205.c0d9813c/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c
+@@ -119,7 +119,7 @@ ArpOnFrameRcvdDpc (
+     //
+     // Restart the receiving if packet size is not correct.
+     //
+-    goto RESTART_RECEIVE;
++    goto RECYCLE_RXDATA;
+   }
+ 
+   //
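Review bot: the target label `RECYCLE_RXDATA` is not introduced by this patch, so it has to exist already in the 0~20181115 copy of ArpImpl.c and must fall through into `RESTART_RECEIVE` after signalling `RxData->RecycleEvent`; a label that only recycles and then returns would stop the receive loop on the first malformed frame, so please confirm the label layout in this tree. Separately, the `Index:` / `---` / `+++` headers still name `edk2-0~20180205.c0d9813c` while the package is `0~20181115.85588389`; quilt strips the prefix so it applies, but the patch should be regenerated against the actual tree so the header agrees with the `[dannf: Change modified file path ...]` note.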
+@@ -131,7 +131,7 @@ ArpOnFrameRcvdDpc (
+   Head->OpCode    = NTOHS (Head->OpCode);
+ 
+   if (RxData->DataLength < (sizeof (ARP_HEAD) + 2 * Head->HwAddrLen + 2 * Head->ProtoAddrLen)) {
+-    goto RESTART_RECEIVE;
++    goto RECYCLE_RXDATA;
+   }
+ 
+   if ((Head->HwType != ArpService->SnpMode.IfType) ||
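Review bot: the hunk ends on the next validation, `if ((Head->HwType != ArpService->SnpMode.IfType) ||`, whose body is outside the diff. If that branch (or any later early exit in the same function) still does `goto RESTART_RECEIVE`, frames with a mismatched hardware or protocol type keep leaking exactly as the two fixed cases did. Either include those paths in the same conversion or state in the patch description why they already recycle the buffer.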
diff -Nru edk2-0~20181115.85588389/debian/patches/series edk2-0~20181115.85588389/debian/patches/series
--- edk2-0~20181115.85588389/debian/patches/series	2019-03-15 18:37:44.000000000 -0600
+++ edk2-0~20181115.85588389/debian/patches/series	2020-04-22 17:03:10.000000000 -0600
@@ -7,3 +7,20 @@
 NetworkPkg-DnsDxe-CVE-2018-12178-Check-the-received-.patch
 0001-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
 0002-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch
+0001-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch
+0002-MdeModulePkg-HiiDB-Remove-configuration-table-when-i.patch
+0003-MdeModulePkg-String.c-Zero-memory-before-free-CVE-20.patch
+0004-MdeModulePkg-DisplayEngine-Zero-memory-before-free-C.patch
+0005-MdeModulePkg-SdMmcPciHcDxe-Fix-double-PciIo-Unmap-in.patch
+0006-NetworkPkg-Ip4Dxe-Check-the-received-package-length-.patch
+0007-SecurityPkg-DxeImageVerificationLib-Fix-memory-leaks.patch
+0008-SecurityPkg-DxeImageVerificationLib-reject-CertStack.patch
+0009-SecurityPkg-DxeImageVerificationLib-fix-wrong-fetch-.patch
+0010-SecurityPkg-DxeImageVerificationLib-avoid-bypass-in-.patch
+0011-SecurityPkg-DxeImageVerificationLib-refactor-db-dbx-.patch
+0012-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch
+0013-SecurityPkg-DxeImageVerificationLib-tighten-default-.patch
+0014-SecurityPkg-DxeImageVerificationLib-plug-Data-leak-i.patch
+0015-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch
+0016-SecurityPkg-DxeImageVerificationLib-change-IsCertHas.patch
+0017-NetworkPkg-ArpDxe-Recycle-invalid-ARP-packets-CVE-20.patch
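Review bot: the new entries `0001-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch` and `0002-MdeModulePkg-HiiDB-Remove-configuration-table-when-i.patch` reuse the `0001-` and `0002-` prefixes of the two existing patches directly above them. quilt does not care, but two `0001-` files in one series make it easy to edit or drop the wrong one during the next rebase; renumber the new set `0003-` to `0019-` (or prefix each with its CVE) when regenerating.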
