File: 0002-SecurityPkg-Improving-HashPeImageByType-logic.patch

package info (click to toggle)
edk2 2025.02-9
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 271,992 kB
  • sloc: ansic: 2,110,013; asm: 263,832; perl: 227,730; python: 149,823; sh: 34,967; cpp: 21,813; makefile: 3,285; xml: 806; pascal: 721; lisp: 35; ruby: 16; sed: 6; tcl: 4
file content (97 lines) | stat: -rw-r--r-- 4,264 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
 
From b90693965b6b1566bcac4652ad1bb436e1bb461f Mon Sep 17 00:00:00 2001
From: Doug Flick <dougflick@microsoft.com>
Date: Thu, 3 Oct 2024 10:16:57 -0700
Subject: [PATCH 2/4] SecurityPkg: Improving HashPeImageByType () logic

Namely:

(1) The TWO_BYTE_ENCODE check is independent of Index. If it evalutes
    to TRUE for Index==0, then it will evaluate to TRUE for all other
    Index values as well. As a result, the (Index == HASHALG_MAX)
    condition will fire after the loop, and we'll return
    EFI_UNSUPPORTED.

    While this is correct, functionally speaking, it is wasteful to
    keep re-checking TWO_BYTE_ENCODE in the loop body. The check
    should be made at the top of the function, and EFI_UNSUPPORTED
    should be returned at once, if appropriate.

(2) If the hash algorithm selected by Index has such a large OID that
    the OID comparison cannot even be performed (because AuthDataSize
    is not large enough for containing the OID in question, starting
    at offset 32), then the function returns EFI_UNSUPPORTED at once.

    This is bogus; this case should simply be treated as an OID
    mismatch, and the loop should advance to the next Index value /
    hash algorithm candidate. A remaining hash algo may have a shorter
    OID and yield an OID match.

Signed-off-by: Doug Flick <DougFlick@microsoft.com>

Origin: https://github.com/tianocore/edk2/commit/b90693965b6b1566bcac4652ad1bb436e1bb461f
Bug: https://github.com/tianocore/edk2/security/advisories/GHSA-4wjw-6xmf-44xf
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102519
Last-Updated: 2025-05-11

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 2afa2c93d9..2eca39d563 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -618,6 +618,7 @@ Done:
   @param[in]  AuthDataSize        Size of the Authenticode Signature in bytes.
 
   @retval EFI_UNSUPPORTED             Hash algorithm is not supported.
+  @retval EFI_BAD_BUFFER_SIZE         AuthData provided is invalid size.
   @retval EFI_SUCCESS                 Hash successfully.
 
 **/
@@ -629,28 +630,28 @@ HashPeImageByType (
 {
   UINT8  Index;
 
-  for (Index = 0; Index < HASHALG_MAX; Index++) {
+  //
+  // Check the Hash algorithm in PE/COFF Authenticode.
+  //    According to PKCS#7 Definition:
+  //        SignedData ::= SEQUENCE {
+  //            version Version,
+  //            digestAlgorithms DigestAlgorithmIdentifiers,
+  //            contentInfo ContentInfo,
+  //            .... }
+  //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
+  //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.
+  //    Fixed offset (+32) is calculated based on two bytes of length encoding.
+  //
+  if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {
     //
-    // Check the Hash algorithm in PE/COFF Authenticode.
-    //    According to PKCS#7 Definition:
-    //        SignedData ::= SEQUENCE {
-    //            version Version,
-    //            digestAlgorithms DigestAlgorithmIdentifiers,
-    //            contentInfo ContentInfo,
-    //            .... }
-    //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
-    //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.
-    //    Fixed offset (+32) is calculated based on two bytes of length encoding.
+    // Only support two bytes of Long Form of Length Encoding.
     //
-    if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {
-      //
-      // Only support two bytes of Long Form of Length Encoding.
-      //
-      continue;
-    }
+    return EFI_BAD_BUFFER_SIZE;
+  }
 
+  for (Index = 0; Index < HASHALG_MAX; Index++) {
     if (AuthDataSize < 32 + mHash[Index].OidLength) {
-      return EFI_UNSUPPORTED;
+      continue;
     }
 
     if (CompareMem (AuthData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {
-- 
2.49.0