Bug#970518: buster-pu: package edk2/0~20181115.85588389-3+deb10u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#970518: buster-pu: package edk2/0~20181115.85588389-3+deb10u1
From: dann frazier <dannf@dannf.org>
Date: Thu, 17 Sep 2020 14:17:20 -0600
Message-id: <[🔎] 160037384099.294238.4644826025402193769.reportbug@xps13.dannf>
Reply-to: dann frazier <dannf@dannf.org>, 970518@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
I'd like to fix CVE-2019-14562 in edk2 for buster.

[ Impact ]
Vulnerability to an integer overflow when parsing signatures of a specially
crafted PE file.

[ Tests ]
Regression tested only using the autopkgtests from the unstable version
of the package.

[ Risks ]
A regression could break the booting of QEMU-emulated machines.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Cherry-picks from upstream to resolve CVE-2019-14562.

[ Other info ]
N/A

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-1-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru edk2-0~20181115.85588389/debian/changelog edk2-0~20181115.85588389/debian/changelog
--- edk2-0~20181115.85588389/debian/changelog	2020-04-23 13:33:06.000000000 -0600
+++ edk2-0~20181115.85588389/debian/changelog	2020-09-17 13:45:52.000000000 -0600
@@ -1,3 +1,13 @@
+edk2 (0~20181115.85588389-3+deb10u2) buster; urgency=medium
+
+  * Fix integer overflow in DxeImageVerificationHandler. (CVE-2019-14562)
+    (Closes: #968819)
+     - d/p/0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch
+     - d/p/0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch
+     - d/p/0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch
+
+ -- dann frazier <dannf@debian.org>  Thu, 17 Sep 2020 13:45:52 -0600
+
 edk2 (0~20181115.85588389-3+deb10u1) buster; urgency=medium
 
   * Fix numeric truncation in S3BootScript[Save]*() API. (CVE-2019-14563)
diff -Nru edk2-0~20181115.85588389/debian/patches/0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch edk2-0~20181115.85588389/debian/patches/0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch
--- edk2-0~20181115.85588389/debian/patches/0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch	2020-09-17 13:45:52.000000000 -0600
@@ -0,0 +1,87 @@
+From 503248ccdf45c14d4040ce44163facdc212e4991 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 1 Sep 2020 11:12:19 +0200
+Subject: [PATCH 1/3] SecurityPkg/DxeImageVerificationLib: extract
+ SecDataDirEnd, SecDataDirLeft
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The following two quantities:
+
+  SecDataDir->VirtualAddress + SecDataDir->Size
+  SecDataDir->VirtualAddress + SecDataDir->Size - OffSet
+
+are used multiple times in DxeImageVerificationHandler(). Introduce helper
+variables for them: "SecDataDirEnd" and "SecDataDirLeft", respectively.
+This saves us multiple calculations and significantly simplifies the code.
+
+Note that all three summands above have type UINT32, therefore the new
+variables are also of type UINT32.
+
+This patch does not change behavior.
+
+(Note that the code already handles the case when the
+
+  SecDataDir->VirtualAddress + SecDataDir->Size
+
+UINT32 addition overflows -- namely, in that case, the certificate loop is
+never entered, and the corruption check right after the loop fires.)
+
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Min Xu <min.m.xu@intel.com>
+Cc: Wenyi Xie <xiewenyi2@huawei.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Message-Id: <20200901091221.20948-2-lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Wenyi Xie <xiewenyi2@huawei.com>
+Reviewed-by: Min M Xu <min.m.xu@intel.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Origin: https://github.com/tianocore/edk2/commit/503248ccdf45c14d4040ce44163facdc212e4991
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
+Bug-Debian: https://bugs.debian.org/968819
+Last-Update: 2020-09-17
+
+Index: edk2/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+===================================================================
+--- edk2.orig/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ edk2/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1658,6 +1658,8 @@ DxeImageVerificationHandler (
+   UINT8                                *AuthData;
+   UINTN                                AuthDataSize;
+   EFI_IMAGE_DATA_DIRECTORY             *SecDataDir;
++  UINT32                               SecDataDirEnd;
++  UINT32                               SecDataDirLeft;
+   UINT32                               OffSet;
+   CHAR16                               *NameStr;
+   EFI_STATUS                           DbStatus;

+@@ -1855,12 +1857,14 @@ DxeImageVerificationHandler (
+   // "Attribute Certificate Table".
+   // The first certificate starts at offset (SecDataDir->VirtualAddress) from the start of the file.
+   //
++  SecDataDirEnd = SecDataDir->VirtualAddress + SecDataDir->Size;
+   for (OffSet = SecDataDir->VirtualAddress;
+-       OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);
++       OffSet < SecDataDirEnd;
+        OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength))) {
+     WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
+-    if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <= sizeof (WIN_CERTIFICATE) ||
+-        (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) < WinCertificate->dwLength) {
++    SecDataDirLeft = SecDataDirEnd - OffSet;
++    if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) ||
++        SecDataDirLeft < WinCertificate->dwLength) {
+       break;
+     }
+ 
+@@ -1952,7 +1956,7 @@ DxeImageVerificationHandler (
+     }
+   }
+ 
+-  if (OffSet != (SecDataDir->VirtualAddress + SecDataDir->Size)) {
++  if (OffSet != SecDataDirEnd) {
+     //
+     // The Size in Certificate Table or the attribute certicate table is corrupted.
+     //
diff -Nru edk2-0~20181115.85588389/debian/patches/0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch edk2-0~20181115.85588389/debian/patches/0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch
--- edk2-0~20181115.85588389/debian/patches/0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch	2020-09-17 13:45:52.000000000 -0600
@@ -0,0 +1,58 @@
+From a7632e913c1c106f436aefd5e76c394249c383a8 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 1 Sep 2020 11:12:20 +0200
+Subject: [PATCH 2/3] SecurityPkg/DxeImageVerificationLib: assign
+ WinCertificate after size check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently the (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) check only
+guards the de-referencing of the "WinCertificate" pointer. It does not
+guard the calculation of the pointer itself:
+
+  WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
+
+This is wrong; if we don't know for sure that we have enough room for a
+WIN_CERTIFICATE, then even creating such a pointer, not just
+de-referencing it, may invoke undefined behavior.
+
+Move the pointer calculation after the size check.
+
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Min Xu <min.m.xu@intel.com>
+Cc: Wenyi Xie <xiewenyi2@huawei.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Message-Id: <20200901091221.20948-3-lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Wenyi Xie <xiewenyi2@huawei.com>
+Reviewed-by: Min M Xu <min.m.xu@intel.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Origin: https://github.com/tianocore/edk2/commit/a7632e913c1c106f436aefd5e76c394249c383a8
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
+Bug-Debian: https://bugs.debian.org/968819
+Last-Update: 2020-09-17
+
+Index: edk2/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+===================================================================
+--- edk2.orig/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ edk2/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1861,10 +1861,12 @@ DxeImageVerificationHandler (
+   for (OffSet = SecDataDir->VirtualAddress;
+        OffSet < SecDataDirEnd;
+        OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength))) {
+-    WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
+     SecDataDirLeft = SecDataDirEnd - OffSet;
+-    if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) ||
+-        SecDataDirLeft < WinCertificate->dwLength) {
++    if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) {
++      break;
++    }
++    WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
++    if (SecDataDirLeft < WinCertificate->dwLength) {
+       break;
+     }
+ 
diff -Nru edk2-0~20181115.85588389/debian/patches/0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch edk2-0~20181115.85588389/debian/patches/0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch
--- edk2-0~20181115.85588389/debian/patches/0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch	2020-09-17 13:45:52.000000000 -0600
@@ -0,0 +1,50 @@
+From 0b143fa43e92be15d11e22f80773bcb1b2b0608f Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 1 Sep 2020 11:12:21 +0200
+Subject: [PATCH 3/3] SecurityPkg/DxeImageVerificationLib: catch alignment
+ overflow (CVE-2019-14562)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The DxeImageVerificationHandler() function currently checks whether
+"SecDataDir" has enough room for "WinCertificate->dwLength". However, for
+advancing "OffSet", "WinCertificate->dwLength" is aligned to the next
+multiple of 8. If "WinCertificate->dwLength" is large enough, the
+alignment will return 0, and "OffSet" will be stuck at the same value.
+
+Check whether "SecDataDir" has room left for both
+"WinCertificate->dwLength" and the alignment.
+
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Min Xu <min.m.xu@intel.com>
+Cc: Wenyi Xie <xiewenyi2@huawei.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Message-Id: <20200901091221.20948-4-lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Wenyi Xie <xiewenyi2@huawei.com>
+Reviewed-by: Min M Xu <min.m.xu@intel.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Origin: https://github.com/tianocore/edk2/commit/0b143fa43e92be15d11e22f80773bcb1b2b0608f
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
+Bug-Debian: https://bugs.debian.org/968819
+Last-Update: 2020-09-17
+
+Index: edk2/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+===================================================================
+--- edk2.orig/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ edk2/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1866,7 +1866,9 @@ DxeImageVerificationHandler (
+       break;
+     }
+     WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
+-    if (SecDataDirLeft < WinCertificate->dwLength) {
++    if (SecDataDirLeft < WinCertificate->dwLength ||
++        (SecDataDirLeft - WinCertificate->dwLength <
++         ALIGN_SIZE (WinCertificate->dwLength))) {
+       break;
+     }
+ 
diff -Nru edk2-0~20181115.85588389/debian/patches/series edk2-0~20181115.85588389/debian/patches/series
--- edk2-0~20181115.85588389/debian/patches/series	2020-04-22 17:03:10.000000000 -0600
+++ edk2-0~20181115.85588389/debian/patches/series	2020-09-17 13:45:52.000000000 -0600
@@ -24,3 +24,6 @@
 0015-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch
 0016-SecurityPkg-DxeImageVerificationLib-change-IsCertHas.patch
 0017-NetworkPkg-ArpDxe-Recycle-invalid-ARP-packets-CVE-20.patch
+0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch
+0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch
+0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch

Reply to:

Follow-Ups:
- Bug#970518: buster-pu: package edk2/0~20181115.85588389-3+deb10u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#970518: buster-pu: package edk2/0~20181115.85588389-3+deb10u1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Re: Bug#968296: buster-pu: calamares-settings-debian 10.0.20-1+deb10u4
Next by Date: Re: Bug#968296: buster-pu: calamares-settings-debian 10.0.20-1+deb10u4
Previous by thread: Re: Bug#968296: buster-pu: calamares-settings-debian 10.0.20-1+deb10u4
Next by thread: Bug#970518: buster-pu: package edk2/0~20181115.85588389-3+deb10u1
Index(es):
- Date
- Thread