Accepting request 417039 from home:gary_lin:branches:devel:openSUSE:Factory

- fix the signature length passed to Authenticode (bsc#991885) OBS-URL: https://build.opensuse.org/request/show/417039 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=117
2016-08-05 08:00:13 +00:00 · 2016-08-05 08:00:13 +00:00 · 3b797a1f59
commit 3b797a1f59
parent 2e4b84ba97
3 changed files with 74 additions and 0 deletions
--- a/shim-bsc991885-fix-sig-length.patch
+++ b/shim-bsc991885-fix-sig-length.patch
@ -0,0 +1,65 @@
+From 6c12c7bf522d032922abb799cdf0d6f525de3c38 Mon Sep 17 00:00:00 2001
+From: Sachin Agrawal <sachin.agrawal@intel.com>
+Date: Tue, 2 Aug 2016 16:46:31 -0700
+Subject: [PATCH] Use authenticode signature length from WIN_CERTIFICATE
+ structure.
+
+Authenticode Certificate length is available in Certificate Table
+(inside PE header) and also in signature header(WIN_CERTIFICATE) itself.
+Code in 'check_backlist()' method uses length from signature header,
+whereas, AuthenticodeVerify() call inside 'verify_buffer()' method uses
+the length in signature header. This causes a security vulnerability issue :
+
+Good Scenario : Assume shim1.crt is used for signing grub.efi and
+shim1.crt is embedded inside shim.efi. Also, assume shim1.crt got
+compromised and therefore it was added in 'dbx' database. Now, when
+shim.efi will attempt to load grub.efi, it will fail loading with
+log message "Binary is blacklisted" because 'check_blacklist' call
+will detect the presence of 'shim1.crt' in 'dbx'.
+
+Vulnerable Scenario : Similar as above. Add 'shim1.crt' in dbx database.
+Also, tamper the earlier signed grub.efi file by placing 0x0000 in the
+WIN_CERTIFICATE.dwLength.
+(Open grub.efi/vmlinuz signed binary with hex editor.
+ Go to 0x128 address and read out the address from 0x128 until
+ 0x12B in little Indian order from right to left.
+ Jump to the address from 0x128 address area.
+ First 8bytes are the signature header area which consist of
+ signature size(4bytes), revision(2bytes) and type(2bytes).
+ So tamper the first 4 bytes for signature size and save the binary.
+)
+With this tampered grub.efi, shim.efi loads it successfully because
+'check_blacklist()' call fails to detect the presence of shim1.crt in 'dbx'
+database.
+
+
+Signed-off-by: Sachin Agrawal <sachin.agrawal@intel.com>
+---
+ shim.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/shim.c b/shim.c
+index ed01899..03a5604 100644
+--- a/shim.c
+++ b/shim.c
+@@ -966,7 +966,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
+ 		 */
+ 		if (sizeof(shim_cert) &&
+ 		    AuthenticodeVerify(cert->CertData,
+-			       context->SecDir->Size - sizeof(cert->Hdr),
+			       cert->Hdr.dwLength - sizeof(cert->Hdr),
+ 			       shim_cert, sizeof(shim_cert), sha256hash,
+ 			       SHA256_DIGEST_SIZE)) {
+ 			status = EFI_SUCCESS;
+@@ -977,7 +977,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
+ 		 * And finally, check against shim's built-in key
+ 		 */
+ 		if (vendor_cert_size && AuthenticodeVerify(cert->CertData,
+-							context->SecDir->Size - sizeof(cert->Hdr),
+							cert->Hdr.dwLength - sizeof(cert->Hdr),
+ 							vendor_cert, vendor_cert_size, sha256hash,
+ 							SHA256_DIGEST_SIZE)) {
+ 			status = EFI_SUCCESS;
+-- 
+2.9.2
+
--- a/shim.changes
+++ b/shim.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Aug  5 02:53:54 UTC 2016 - glin@suse.com
+
+- Add shim-bsc991885-fix-sig-length.patch to fix the signature
+  length passed to Authenticode (bsc#991885)
+
 -------------------------------------------------------------------
 Wed Aug  3 09:10:25 UTC 2016 - glin@suse.com

--- a/shim.spec
+++ b/shim.spec
@ -52,6 +52,8 @@ Patch3:         shim-update-openssl-1.0.2g.patch
 Patch4:         shim-bsc973496-mokmanager-no-append-write.patch
 # PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2h.patch glin@suse.com -- Update openssl to 1.0.2h
 Patch5:         shim-update-openssl-1.0.2h.patch
+# PATCH-FIX-UPSTREAM bsc#991885 shim-bsc991885-fix-sig-length.patch glin@suse.com -- Fix the signature length passed to Authenticode
+Patch6:         shim-bsc991885-fix-sig-length.patch
 # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path
 Patch50:        shim-change-debug-file-path.patch
 # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
@ -96,6 +98,7 @@ Authors:
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 %patch50 -p1
 %patch100 -p1
 %build