forked from pool/shim

Accepting request 417039 from home:gary_lin:branches:devel:openSUSE:Factory

- fix the signature length passed to Authenticode (bsc#991885)

OBS-URL: https://build.opensuse.org/request/show/417039
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=117
Gary Ching-Pang Lin 2016-08-05 08:00:13 +00:00 committed by Git OBS Bridge
parent 2e4b84ba97
commit 3b797a1f59
3 changed files with 74 additions and 0 deletions

@ -0,0 +1,65 @@
From 6c12c7bf522d032922abb799cdf0d6f525de3c38 Mon Sep 17 00:00:00 2001
From: Sachin Agrawal <sachin.agrawal@intel.com>
Date: Tue, 2 Aug 2016 16:46:31 -0700
Subject: [PATCH] Use authenticode signature length from WIN_CERTIFICATE
 structure.

Authenticode Certificate length is available in Certificate Table
(inside PE header) and also in signature header (WIN_CERTIFICATE) itself.
Code in 'check_blacklist()' method uses length from signature header,
whereas the AuthenticodeVerify() call inside 'verify_buffer()' method uses
the length in signature header. This causes a security vulnerability issue:

Good Scenario: Assume shim1.crt is used for signing grub.efi and
shim1.crt is embedded inside shim.efi. Also, assume shim1.crt got
compromised and therefore it was added in 'dbx' database. Now, when
shim.efi will attempt to load grub.efi, it will fail loading with
log message "Binary is blacklisted" because 'check_blacklist' call
will detect the presence of 'shim1.crt' in 'dbx'.

Vulnerable Scenario: Similar as above. Add 'shim1.crt' in dbx database.
Also, tamper the earlier signed grub.efi file by placing 0x0000 in the
WIN_CERTIFICATE.dwLength.
(Open grub.efi/vmlinuz signed binary with hex editor.
Go to 0x128 address and read out the address from 0x128 until
0x12B in little-endian order from right to left.
Jump to the address from 0x128 address area.
First 8 bytes are the signature header area which consist of
signature size (4 bytes), revision (2 bytes) and type (2 bytes).
So tamper the first 4 bytes for signature size and save the binary.)

With this tampered grub.efi, shim.efi loads it successfully because
'check_blacklist()' call fails to detect the presence of shim1.crt in 'dbx'
database.
Signed-off-by: Sachin Agrawal <sachin.agrawal@intel.com>
---
shim.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shim.c b/shim.c
index ed01899..03a5604 100644
--- a/shim.c
+++ b/shim.c
@@ -966,7 +966,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
*/
if (sizeof(shim_cert) &&
AuthenticodeVerify(cert->CertData,
- context->SecDir->Size - sizeof(cert->Hdr),
+ cert->Hdr.dwLength - sizeof(cert->Hdr),
shim_cert, sizeof(shim_cert), sha256hash,
SHA256_DIGEST_SIZE)) {
status = EFI_SUCCESS;
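Review bot: cert->Hdr.dwLength is read straight out of the image and nothing in this hunk bounds it before the subtraction on the + line. The commit message itself shows an attacker setting it to 0x0000; with this change that makes `cert->Hdr.dwLength - sizeof(cert->Hdr)` wrap to a huge unsigned value that AuthenticodeVerify() receives as the PKCS#7 length, and a dwLength larger than context->SecDir->Size would make it read past the end of the certificate table. Reject the entry before reaching this call unless `sizeof(cert->Hdr) <= cert->Hdr.dwLength && cert->Hdr.dwLength <= context->SecDir->Size`, otherwise the patch trades a blacklist bypass for an out-of-bounds read on attacker-controlled input.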
@@ -977,7 +977,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
* And finally, check against shim's built-in key
*/
if (vendor_cert_size && AuthenticodeVerify(cert->CertData,
- context->SecDir->Size - sizeof(cert->Hdr),
+ cert->Hdr.dwLength - sizeof(cert->Hdr),
vendor_cert, vendor_cert_size, sha256hash,
SHA256_DIGEST_SIZE)) {
status = EFI_SUCCESS;
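Review bot: the + line here is the second copy of the same length expression, and the commit message says check_blacklist() already derives its length from the same header, so there are now three places that must agree. Compute the signature length once, after validating dwLength against sizeof(cert->Hdr) and context->SecDir->Size, into a local such as `UINT32 sig_len = cert->Hdr.dwLength - sizeof(cert->Hdr);` and pass that to both AuthenticodeVerify() calls in this function and to check_blacklist(), so a later edit cannot reintroduce a mismatch between the two paths. The message also describes the revision and type fields in the 8-byte header, but the hunk consumes only dwLength; checking wRevision and wCertificateType before trusting the entry would belong in the same validation.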
--
2.9.2
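To make the two length sources the commit message compares concrete, here is an added example written for this page; it is not shim's code and not from the patch author. It walks the PE header the way the message's hex-editor instructions do (0x3c -> e_lfanew -> "PE\0\0" -> optional header -> data directory 4 -> WIN_CERTIFICATE), shows the pre-patch `SecDir->Size - sizeof(Hdr)` and the patched `dwLength - sizeof(Hdr)` side by side, and only accepts dwLength after bounding it by the header size and the Certificate Table size, so a dwLength of 0 (the tampering step in the message) is rejected instead of wrapping. The PE image is constructed inline and is a skeleton, not a real signed binary; all function, struct and macro names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define WIN_CERT_REVISION_2_0          0x0200
#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4
#define WIN_CERT_HDR_SIZE              8   /* dwLength(4) + wRevision(2) + wCertificateType(2) */

typedef struct {
    int ok;                            /* 1 when the entry may be handed to a verifier */
    uint32_t secdir_off, secdir_size;  /* Certificate Table entry from the PE data directory */
    uint32_t sig_off, sig_len;         /* PKCS#7 blob: WIN_CERTIFICATE.bCertificate */
    const char *reason;                /* "ok" or why the image was rejected */
} cert_lookup;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Length shim passed to AuthenticodeVerify() before the patch: Certificate Table size
 * minus the header, ignoring dwLength. check_blacklist() used dwLength instead, which is
 * the mismatch the commit message describes. */
uint32_t secdir_sig_len(uint32_t secdir_size) { return secdir_size - WIN_CERT_HDR_SIZE; }

/* The patched expression taken on its own: with dwLength = 0 it wraps to 0xFFFFFFF8. */
uint32_t unchecked_hdr_sig_len(uint32_t dwLength) { return dwLength - WIN_CERT_HDR_SIZE; }

/* MZ -> e_lfanew -> "PE\0\0" -> optional header -> data directory[4] -> WIN_CERTIFICATE.
 * dwLength is accepted only when header <= dwLength <= Certificate Table size, so the
 * blacklist check and the signature verification see the same, in-bounds blob. */
cert_lookup locate_authenticode_sig(const uint8_t *img, size_t len) {
    cert_lookup r = {0, 0, 0, 0, 0, "ok"};
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') { r.reason = "no MZ header"; return r; }
    uint32_t pe = rd32(img + 0x3c);
    if (pe > len - 24 || memcmp(img + pe, "PE\0\0", 4) != 0) { r.reason = "no PE signature"; return r; }
    uint16_t opt_size = rd16(img + pe + 20);                       /* SizeOfOptionalHeader */
    const uint8_t *opt = img + pe + 24;
    if ((size_t)pe + 24 + opt_size > len) { r.reason = "optional header truncated"; return r; }
    uint16_t magic = rd16(opt);
    uint32_t dd_base = magic == 0x10b ? 96 : magic == 0x20b ? 112 : 0;  /* PE32 : PE32+ */
    if (dd_base == 0) { r.reason = "unknown optional header magic"; return r; }
    uint32_t ndirs = rd32(opt + dd_base - 4);                      /* NumberOfRvaAndSizes */
    uint32_t entry = dd_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8;
    if (ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY || entry + 8 > opt_size) { r.reason = "no security directory"; return r; }
    r.secdir_off = rd32(opt + entry);       /* a file offset, not an RVA, for this directory */
    r.secdir_size = rd32(opt + entry + 4);
    if (r.secdir_size < WIN_CERT_HDR_SIZE || r.secdir_off > len || r.secdir_size > len - r.secdir_off) {
        r.reason = "security directory out of bounds"; return r;
    }
    const uint8_t *cert = img + r.secdir_off;
    uint32_t dwLength = rd32(cert);
    if (dwLength < WIN_CERT_HDR_SIZE) { r.reason = "dwLength smaller than WIN_CERTIFICATE header"; return r; }
    if (dwLength > r.secdir_size) { r.reason = "dwLength exceeds security directory"; return r; }
    if (rd16(cert + 4) != WIN_CERT_REVISION_2_0 || rd16(cert + 6) != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
        r.reason = "not a PKCS#7 Authenticode entry"; return r;
    }
    r.sig_off = r.secdir_off + WIN_CERT_HDR_SIZE;
    r.sig_len = dwLength - WIN_CERT_HDR_SIZE;
    r.ok = 1;
    return r;
}

/* Constructed sample (not a real signed binary): a skeletal PE32+ with e_lfanew = 0x80 and
 * a 24-byte Certificate Table appended (8-byte header + 16 placeholder bytes). With this
 * layout data directory[4] sits at file offset 0x128, the address the commit message names. */
#define SAMPLE_LEN (0x80 + 24 + 240 + 24)
size_t build_sample_image(uint8_t *buf, uint32_t dwLength) {
    const uint32_t pe = 0x80, opt = pe + 24, opt_size = 240, cert = opt + opt_size;
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, pe);                                          /* e_lfanew */
    memcpy(buf + pe, "PE\0\0", 4);
    wr16(buf + pe + 20, (uint16_t)opt_size);                       /* SizeOfOptionalHeader */
    wr16(buf + opt, 0x20b);                                        /* PE32+ magic */
    wr32(buf + opt + 108, 16);                                     /* NumberOfRvaAndSizes */
    wr32(buf + opt + 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, cert);    /* table file offset */
    wr32(buf + opt + 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8 + 4, 24);  /* table size */
    wr32(buf + cert, dwLength);                                    /* WIN_CERTIFICATE.dwLength */
    wr16(buf + cert + 4, WIN_CERT_REVISION_2_0);
    wr16(buf + cert + 6, WIN_CERT_TYPE_PKCS_SIGNED_DATA);
    memset(buf + cert + 8, 0xA5, 16);                              /* stands in for the PKCS#7 blob */
    return SAMPLE_LEN;
}

int main(void) {
    uint8_t img[SAMPLE_LEN];
    build_sample_image(img, 24);
    cert_lookup good = locate_authenticode_sig(img, SAMPLE_LEN);
    printf("intact:   ok=%d secdir@0x%x size=%u sig_len=%u (%s)\n",
           good.ok, good.secdir_off, good.secdir_size, good.sig_len, good.reason);
    build_sample_image(img, 0);  /* the tampering step from the commit message */
    cert_lookup bad = locate_authenticode_sig(img, SAMPLE_LEN);
    printf("tampered: ok=%d (%s); unchecked dwLength-8 would be 0x%x, SecDir-8 is %u\n",
           bad.ok, bad.reason, unchecked_hdr_sig_len(0), secdir_sig_len(24));
    return 0;
}
```

Running it on the intact sample reports the 16-byte blob at the expected offset; on the tampered sample the lookup is refused with a reason, while the bare patched expression would have produced 0xFFFFFFF8 and the pre-patch one would have kept returning 16, which is exactly why the two paths in shim could disagree about what was being verified.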

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Fri Aug 5 02:53:54 UTC 2016 - glin@suse.com
- Add shim-bsc991885-fix-sig-length.patch to fix the signature
length passed to Authenticode (bsc#991885)
-------------------------------------------------------------------
Wed Aug 3 09:10:25 UTC 2016 - glin@suse.com

@ -52,6 +52,8 @@ Patch3: shim-update-openssl-1.0.2g.patch
Patch4: shim-bsc973496-mokmanager-no-append-write.patch
# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2h.patch glin@suse.com -- Update openssl to 1.0.2h
Patch5: shim-update-openssl-1.0.2h.patch
# PATCH-FIX-UPSTREAM bsc#991885 shim-bsc991885-fix-sig-length.patch glin@suse.com -- Fix the signature length passed to Authenticode
Patch6: shim-bsc991885-fix-sig-length.patch
# PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path
Patch50: shim-change-debug-file-path.patch
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
@ -96,6 +98,7 @@ Authors:
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch50 -p1
%patch100 -p1
%build