0876ada789
- Fixed buffer overflow and OOB access in shim trusted code path (bnc#889332, CVE-2014-3675, CVE-2014-3676, CVE-2014-3677) * added bug-889332_shim-mok-oob.patch, bug-889332_shim-overflow.patch - Added new certificate by Microsoft OBS-URL: https://build.opensuse.org/request/show/255752 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=88
70 lines
2.2 KiB
Diff
70 lines
2.2 KiB
Diff
Index: shim-0.7.318.81ee561d/MokManager.c
|
|
===================================================================
|
|
--- shim-0.7.318.81ee561d.orig/MokManager.c
|
|
+++ shim-0.7.318.81ee561d/MokManager.c
|
|
@@ -163,8 +163,18 @@ static UINT32 count_keys(void *Data, UIN
|
|
EFI_SIGNATURE_LIST *CertList = Data;
|
|
UINTN dbsize = DataSize;
|
|
UINT32 MokNum = 0;
|
|
+ void *end = Data + DataSize;
|
|
|
|
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
|
|
+
|
|
+ /* Use ptr arithmetics to ensure bounded access. Do not allow 0
|
|
+ * SignatureListSize that will cause endless loop.
|
|
+ */
|
|
+ if ((void *)(CertList + 1) > end || CertList->SignatureListSize == 0) {
|
|
+ console_notify(L"Invalid MOK detected! Ignoring MOK List.");
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
if (CertList->SignatureListSize == 0 ||
|
|
CertList->SignatureListSize <= CertList->SignatureSize) {
|
|
console_errorbox(L"Corrupted signature list");
|
|
@@ -192,6 +202,7 @@ static MokListNode *build_mok_list(UINT3
|
|
EFI_GUID CertType = X509_GUID;
|
|
UINTN dbsize = DataSize;
|
|
UINTN count = 0;
|
|
+ void *end = Data + DataSize;
|
|
|
|
list = AllocatePool(sizeof(MokListNode) * num);
|
|
|
|
@@ -201,12 +212,24 @@ static MokListNode *build_mok_list(UINT3
|
|
}
|
|
|
|
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
|
|
+ /* CertList out of bounds? */
|
|
+ if ((void *)(CertList + 1) > end || CertList->SignatureListSize == 0) {
|
|
+ FreePool(list);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
/* Omit the signature check here since we already did it
|
|
in count_keys() */
|
|
|
|
Cert = (EFI_SIGNATURE_DATA *) (((UINT8 *) CertList) +
|
|
sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
|
|
|
|
+ /* Cert out of bounds? */
|
|
+ if ((void *)(Cert + 1) > end || CertList->SignatureSize <= sizeof(EFI_GUID)) {
|
|
+ FreePool(list);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
list[count].Type = CertList->SignatureType;
|
|
if (CompareGuid (&CertList->SignatureType, &CertType) == 0) {
|
|
list[count].MokSize = CertList->SignatureSize -
|
|
@@ -218,6 +241,12 @@ static MokListNode *build_mok_list(UINT3
|
|
list[count].Mok = (void *)Cert;
|
|
}
|
|
|
|
+ /* MOK out of bounds? */
|
|
+ if (list[count].MokSize > end - (void *)list[count].Mok) {
|
|
+ FreePool(list);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
count++;
|
|
dbsize -= CertList->SignatureListSize;
|
|
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
|