[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#970518: marked as done (buster-pu: package edk2/0~20181115.85588389-3+deb10u1)

Your message dated Sat, 05 Dec 2020 11:02:00 +0000
with message-id <b70f86aac27195271a9b5212c7acc936da6ff100.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates in 10.7 point release
has caused the Debian Bug report #970518,
regarding buster-pu: package edk2/0~20181115.85588389-3+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
970518: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970518
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
I'd like to fix CVE-2019-14562 in edk2 for buster.

[ Impact ]
Vulnerability to an integer overflow when parsing signatures of a specially
crafted PE file.

[ Tests ]
Regression tested only using the autopkgtests from the unstable version
of the package.

[ Risks ]
A regression could break the booting of QEMU-emulated machines.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Cherry-picks from upstream to resolve CVE-2019-14562.

[ Other info ]
N/A

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-1-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru edk2-0~20181115.85588389/debian/changelog edk2-0~20181115.85588389/debian/changelog
--- edk2-0~20181115.85588389/debian/changelog	2020-04-23 13:33:06.000000000 -0600
+++ edk2-0~20181115.85588389/debian/changelog	2020-09-17 13:45:52.000000000 -0600
@@ -1,3 +1,13 @@
+edk2 (0~20181115.85588389-3+deb10u2) buster; urgency=medium
+
+  * Fix integer overflow in DxeImageVerificationHandler. (CVE-2019-14562)
+    (Closes: #968819)
+     - d/p/0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch
+     - d/p/0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch
+     - d/p/0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch
+
+ -- dann frazier <dannf@debian.org>  Thu, 17 Sep 2020 13:45:52 -0600
+
 edk2 (0~20181115.85588389-3+deb10u1) buster; urgency=medium
 
   * Fix numeric truncation in S3BootScript[Save]*() API. (CVE-2019-14563)
diff -Nru edk2-0~20181115.85588389/debian/patches/0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch edk2-0~20181115.85588389/debian/patches/0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch
--- edk2-0~20181115.85588389/debian/patches/0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch	2020-09-17 13:45:52.000000000 -0600
@@ -0,0 +1,87 @@
+From 503248ccdf45c14d4040ce44163facdc212e4991 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 1 Sep 2020 11:12:19 +0200
+Subject: [PATCH 1/3] SecurityPkg/DxeImageVerificationLib: extract
+ SecDataDirEnd, SecDataDirLeft
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The following two quantities:
+
+  SecDataDir->VirtualAddress + SecDataDir->Size
+  SecDataDir->VirtualAddress + SecDataDir->Size - OffSet
+
+are used multiple times in DxeImageVerificationHandler(). Introduce helper
+variables for them: "SecDataDirEnd" and "SecDataDirLeft", respectively.
+This saves us multiple calculations and significantly simplifies the code.
+
+Note that all three summands above have type UINT32, therefore the new
+variables are also of type UINT32.
+
+This patch does not change behavior.
+
+(Note that the code already handles the case when the
+
+  SecDataDir->VirtualAddress + SecDataDir->Size
+
+UINT32 addition overflows -- namely, in that case, the certificate loop is
+never entered, and the corruption check right after the loop fires.)
+
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Min Xu <min.m.xu@intel.com>
+Cc: Wenyi Xie <xiewenyi2@huawei.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Message-Id: <20200901091221.20948-2-lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Wenyi Xie <xiewenyi2@huawei.com>
+Reviewed-by: Min M Xu <min.m.xu@intel.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Origin: https://github.com/tianocore/edk2/commit/503248ccdf45c14d4040ce44163facdc212e4991
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
+Bug-Debian: https://bugs.debian.org/968819
+Last-Update: 2020-09-17
+
+Index: edk2/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+===================================================================
+--- edk2.orig/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ edk2/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1658,6 +1658,8 @@ DxeImageVerificationHandler (
+   UINT8                                *AuthData;
+   UINTN                                AuthDataSize;
+   EFI_IMAGE_DATA_DIRECTORY             *SecDataDir;
++  UINT32                               SecDataDirEnd;
++  UINT32                               SecDataDirLeft;
+   UINT32                               OffSet;
+   CHAR16                               *NameStr;
+   EFI_STATUS                           DbStatus;

+@@ -1855,12 +1857,14 @@ DxeImageVerificationHandler (
+   // "Attribute Certificate Table".
+   // The first certificate starts at offset (SecDataDir->VirtualAddress) from the start of the file.
+   //
++  SecDataDirEnd = SecDataDir->VirtualAddress + SecDataDir->Size;
+   for (OffSet = SecDataDir->VirtualAddress;
+-       OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);
++       OffSet < SecDataDirEnd;
+        OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength))) {
+     WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
+-    if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <= sizeof (WIN_CERTIFICATE) ||
+-        (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) < WinCertificate->dwLength) {
++    SecDataDirLeft = SecDataDirEnd - OffSet;
++    if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) ||
++        SecDataDirLeft < WinCertificate->dwLength) {
+       break;
+     }
+ 
+@@ -1952,7 +1956,7 @@ DxeImageVerificationHandler (
+     }
+   }
+ 
+-  if (OffSet != (SecDataDir->VirtualAddress + SecDataDir->Size)) {
++  if (OffSet != SecDataDirEnd) {
+     //
+     // The Size in Certificate Table or the attribute certicate table is corrupted.
+     //
diff -Nru edk2-0~20181115.85588389/debian/patches/0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch edk2-0~20181115.85588389/debian/patches/0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch
--- edk2-0~20181115.85588389/debian/patches/0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch	2020-09-17 13:45:52.000000000 -0600
@@ -0,0 +1,58 @@
+From a7632e913c1c106f436aefd5e76c394249c383a8 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 1 Sep 2020 11:12:20 +0200
+Subject: [PATCH 2/3] SecurityPkg/DxeImageVerificationLib: assign
+ WinCertificate after size check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently the (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) check only
+guards the de-referencing of the "WinCertificate" pointer. It does not
+guard the calculation of the pointer itself:
+
+  WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
+
+This is wrong; if we don't know for sure that we have enough room for a
+WIN_CERTIFICATE, then even creating such a pointer, not just
+de-referencing it, may invoke undefined behavior.
+
+Move the pointer calculation after the size check.
+
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Min Xu <min.m.xu@intel.com>
+Cc: Wenyi Xie <xiewenyi2@huawei.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Message-Id: <20200901091221.20948-3-lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Wenyi Xie <xiewenyi2@huawei.com>
+Reviewed-by: Min M Xu <min.m.xu@intel.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Origin: https://github.com/tianocore/edk2/commit/a7632e913c1c106f436aefd5e76c394249c383a8
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
+Bug-Debian: https://bugs.debian.org/968819
+Last-Update: 2020-09-17
+
+Index: edk2/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+===================================================================
+--- edk2.orig/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ edk2/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1861,10 +1861,12 @@ DxeImageVerificationHandler (
+   for (OffSet = SecDataDir->VirtualAddress;
+        OffSet < SecDataDirEnd;
+        OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength))) {
+-    WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
+     SecDataDirLeft = SecDataDirEnd - OffSet;
+-    if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) ||
+-        SecDataDirLeft < WinCertificate->dwLength) {
++    if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) {
++      break;
++    }
++    WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
++    if (SecDataDirLeft < WinCertificate->dwLength) {
+       break;
+     }
+ 
diff -Nru edk2-0~20181115.85588389/debian/patches/0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch edk2-0~20181115.85588389/debian/patches/0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch
--- edk2-0~20181115.85588389/debian/patches/0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch	2020-09-17 13:45:52.000000000 -0600
@@ -0,0 +1,50 @@
+From 0b143fa43e92be15d11e22f80773bcb1b2b0608f Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 1 Sep 2020 11:12:21 +0200
+Subject: [PATCH 3/3] SecurityPkg/DxeImageVerificationLib: catch alignment
+ overflow (CVE-2019-14562)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The DxeImageVerificationHandler() function currently checks whether
+"SecDataDir" has enough room for "WinCertificate->dwLength". However, for
+advancing "OffSet", "WinCertificate->dwLength" is aligned to the next
+multiple of 8. If "WinCertificate->dwLength" is large enough, the
+alignment will return 0, and "OffSet" will be stuck at the same value.
+
+Check whether "SecDataDir" has room left for both
+"WinCertificate->dwLength" and the alignment.
+
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Min Xu <min.m.xu@intel.com>
+Cc: Wenyi Xie <xiewenyi2@huawei.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Message-Id: <20200901091221.20948-4-lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Wenyi Xie <xiewenyi2@huawei.com>
+Reviewed-by: Min M Xu <min.m.xu@intel.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Origin: https://github.com/tianocore/edk2/commit/0b143fa43e92be15d11e22f80773bcb1b2b0608f
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
+Bug-Debian: https://bugs.debian.org/968819
+Last-Update: 2020-09-17
+
+Index: edk2/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+===================================================================
+--- edk2.orig/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ edk2/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1866,7 +1866,9 @@ DxeImageVerificationHandler (
+       break;
+     }
+     WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
+-    if (SecDataDirLeft < WinCertificate->dwLength) {
++    if (SecDataDirLeft < WinCertificate->dwLength ||
++        (SecDataDirLeft - WinCertificate->dwLength <
++         ALIGN_SIZE (WinCertificate->dwLength))) {
+       break;
+     }
+ 
diff -Nru edk2-0~20181115.85588389/debian/patches/series edk2-0~20181115.85588389/debian/patches/series
--- edk2-0~20181115.85588389/debian/patches/series	2020-04-22 17:03:10.000000000 -0600
+++ edk2-0~20181115.85588389/debian/patches/series	2020-09-17 13:45:52.000000000 -0600
@@ -24,3 +24,6 @@
 0015-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch
 0016-SecurityPkg-DxeImageVerificationLib-change-IsCertHas.patch
 0017-NetworkPkg-ArpDxe-Recycle-invalid-ARP-packets-CVE-20.patch
+0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch
+0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch
+0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 10.7

Hi,

Each of the updates referenced by these bugs was included in this
morning's buster 10.7 point release.

Regards,

Adam

--- End Message ---
Reply to: