|
|
4210fa |
From 034466b7734a2749346151d903bbd7c8a1288db1 Mon Sep 17 00:00:00 2001
|
|
|
4210fa |
From: Sebastian Krahmer <krahmer@suse.com>
|
|
|
4210fa |
Date: Tue, 12 Aug 2014 09:23:28 +0000
|
|
|
4210fa |
Subject: [PATCH 71/74] OOB access when parsing MOK List/Certificates on MOK
|
|
|
4210fa |
enrollment
|
|
|
4210fa |
|
|
|
4210fa |
---
|
|
|
4210fa |
MokManager.c | 30 ++++++++++++++++++++++++++++++
|
|
|
4210fa |
1 file changed, 30 insertions(+)
|
|
|
4210fa |
|
|
|
4210fa |
diff --git a/MokManager.c b/MokManager.c
|
|
|
4210fa |
index ecbcdd3..4a9b102 100644
|
|
|
4210fa |
--- a/MokManager.c
|
|
|
4210fa |
+++ b/MokManager.c
|
|
|
4210fa |
@@ -100,8 +100,18 @@ static UINT32 count_keys(void *Data, UINTN DataSize)
|
|
|
4210fa |
EFI_GUID HashType = EFI_CERT_SHA256_GUID;
|
|
|
4210fa |
UINTN dbsize = DataSize;
|
|
|
4210fa |
UINT32 MokNum = 0;
|
|
|
4210fa |
+ void *end = Data + DataSize;
|
|
|
4210fa |
|
|
|
4210fa |
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
|
|
|
4210fa |
+
|
|
|
4210fa |
+ /* Use ptr arithmetics to ensure bounded access. Do not allow 0
|
|
|
4210fa |
+ * SignatureListSize that will cause endless loop.
|
|
|
4210fa |
+ */
|
|
|
4210fa |
+ if ((void *)(CertList + 1) > end || CertList->SignatureListSize == 0) {
|
|
|
4210fa |
+ console_notify(L"Invalid MOK detected! Ignoring MOK List.");
|
|
|
4210fa |
+ return 0;
|
|
|
4210fa |
+ }
|
|
|
4210fa |
+
|
|
|
4210fa |
if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
|
|
|
4210fa |
(CompareGuid (&CertList->SignatureType, &HashType) != 0)) {
|
|
|
4210fa |
console_notify(L"Doesn't look like a key or hash");
|
|
|
4210fa |
@@ -137,6 +147,7 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) {
|
|
|
4210fa |
EFI_GUID HashType = EFI_CERT_SHA256_GUID;
|
|
|
4210fa |
UINTN dbsize = DataSize;
|
|
|
4210fa |
UINTN count = 0;
|
|
|
4210fa |
+ void *end = Data + DataSize;
|
|
|
4210fa |
|
|
|
4210fa |
list = AllocatePool(sizeof(MokListNode) * num);
|
|
|
4210fa |
|
|
|
4210fa |
@@ -146,6 +157,11 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) {
|
|
|
4210fa |
}
|
|
|
4210fa |
|
|
|
4210fa |
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
|
|
|
4210fa |
+ /* CertList out of bounds? */
|
|
|
4210fa |
+ if ((void *)(CertList + 1) > end || CertList->SignatureListSize == 0) {
|
|
|
4210fa |
+ FreePool(list);
|
|
|
4210fa |
+ return NULL;
|
|
|
4210fa |
+ }
|
|
|
4210fa |
if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
|
|
|
4210fa |
(CompareGuid (&CertList->SignatureType, &HashType) != 0)) {
|
|
|
4210fa |
dbsize -= CertList->SignatureListSize;
|
|
|
4210fa |
@@ -165,10 +181,22 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) {
|
|
|
4210fa |
Cert = (EFI_SIGNATURE_DATA *) (((UINT8 *) CertList) +
|
|
|
4210fa |
sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
|
|
|
4210fa |
|
|
|
4210fa |
+ /* Cert out of bounds? */
|
|
|
4210fa |
+ if ((void *)(Cert + 1) > end || CertList->SignatureSize <= sizeof(EFI_GUID)) {
|
|
|
4210fa |
+ FreePool(list);
|
|
|
4210fa |
+ return NULL;
|
|
|
4210fa |
+ }
|
|
|
4210fa |
+
|
|
|
4210fa |
list[count].MokSize = CertList->SignatureSize - sizeof(EFI_GUID);
|
|
|
4210fa |
list[count].Mok = (void *)Cert->SignatureData;
|
|
|
4210fa |
list[count].Type = CertList->SignatureType;
|
|
|
4210fa |
|
|
|
4210fa |
+ /* MOK out of bounds? */
|
|
|
4210fa |
+ if (list[count].MokSize > end - (void *)list[count].Mok) {
|
|
|
4210fa |
+ FreePool(list);
|
|
|
4210fa |
+ return NULL;
|
|
|
4210fa |
+ }
|
|
|
4210fa |
+
|
|
|
4210fa |
count++;
|
|
|
4210fa |
dbsize -= CertList->SignatureListSize;
|
|
|
4210fa |
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
|
|
|
4210fa |
@@ -449,6 +477,8 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title)
|
|
|
4210fa |
}
|
|
|
4210fa |
|
|
|
4210fa |
MokNum = count_keys(KeyList, KeyListSize);
|
|
|
4210fa |
+ if (MokNum == 0)
|
|
|
4210fa |
+ return 0;
|
|
|
4210fa |
keys = build_mok_list(MokNum, KeyList, KeyListSize);
|
|
|
4210fa |
|
|
|
4210fa |
if (!keys) {
|
|
|
4210fa |
--
|
|
|
4210fa |
1.9.3
|
|
|
4210fa |
|