Red Hat Bugzilla – Attachment 1426574 Details for Bug 1570980: dbxtool fails to parse UEFI signature database (patch included)
[patch] Patch fixing UEFI Signature List iteration
0003-Fix-UEFI-Signature-List-iteration.patch (text/plain), 3.13 KB, created by Michal Růžička on 2018-04-25 10:13:21 UTC
>From e7d132d66a20d9f1bff553e6fc8f18e2edf42cca Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Michal=20R=C5=AF=C5=BEi=C4=8Dka?= <michal.ruza@gmail.com> >Date: Mon, 23 Apr 2018 01:18:50 +0200 >Subject: [PATCH] Fix UEFI Signature List iteration >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Signed-off-by: Michal RůžiÄka <michal.ruza@gmail.com> >--- > src/iter.c | 46 +++++++++++++++------------------------------- > 1 file changed, 15 insertions(+), 31 deletions(-) > >diff --git a/src/iter.c b/src/iter.c >index 45ee059..2e4519a 100644 >--- a/src/iter.c >+++ b/src/iter.c >@@ -220,33 +220,6 @@ esl_iter_next(esl_iter *iter, efi_guid_t *type, > iter->esl = (EFI_SIGNATURE_LIST *)iter->buf; > } else { > vprintf("Getting next EFI_SIGNATURE_LIST\n"); >- efi_guid_t type; >- esl_get_type(iter, &type); >- if (iter->len - iter->offset > iter->esl->SignatureListSize) { >- warnx("EFI Signature List is malformed"); >- errx(1, "list has %zd bytes left, element is %"PRIu32" bytes", >- iter->len - iter->offset, >- iter->esl->SignatureListSize); >- } >- if (!efi_guid_cmp(&type, &efi_guid_x509_cert)) { >- int32_t asn1size; >- >- asn1size = GetASN1SequenceSize( >- ((uint8_t *)*data) + sizeof (efi_guid_t), >- *len - sizeof (efi_guid_t)); >- if (asn1size < 0) { >- warnx("iterator data claims to be an X.509 " >- "Cert but is not valid ASN.1 DER"); >- } else if ((uint32_t)asn1size != iter->esl->SignatureSize >- - sizeof (efi_guid_t)) { >- warnx("X.509 Cert ASN.1 size does not match " >- "SignatureList Size (%d vs %ld)", >- asn1size, iter->esl->SignatureSize - >- sizeof (efi_guid_t)); >- } >- >- } >- > iter->offset += iter->esl->SignatureListSize; > if ((uint32_t)iter->offset >= iter->len) > return 0; 
>@@ -254,6 +227,11 @@ esl_iter_next(esl_iter *iter, efi_guid_t *type, > + iter->offset); > } > >+ /* if the EFI_SIGNATURE_LIST is too big for our data then it's >+ * malformed data and we're done. */ >+ if ((uint32_t)(iter->offset + sizeof (EFI_SIGNATURE_LIST)) > iter->len) >+ return -EINVAL; >+ > EFI_SIGNATURE_LIST esl; > memset(&esl, '\0', sizeof (esl)); > /* if somehow we've gotten a buffer that's bigger than our >@@ -263,14 +241,20 @@ esl_iter_next(esl_iter *iter, efi_guid_t *type, > > /* if this list size is too big for our data, then it's malformed > * data and we're done. */ >- if (iter->esl->SignatureListSize > iter->len - iter->offset) >+ if ((uint32_t)(iter->offset + iter->esl->SignatureListSize) > iter->len) >+ return -EINVAL; >+ >+ /* if the headers combined are bigger than the whole list then >+ * it's a malformed list and we're done. */ >+ if (sizeof (EFI_SIGNATURE_LIST) + iter->esl->SignatureHeaderSize > >+ iter->esl->SignatureListSize) > return -EINVAL; > > *type = iter->esl->SignatureType; >- *data = (EFI_SIGNATURE_DATA *)((intptr_t)iter->esl >- + sizeof (EFI_SIGNATURE_LIST) >+ *data = (EFI_SIGNATURE_DATA *)((intptr_t)(iter->esl + 1) > + iter->esl->SignatureHeaderSize); >- *len = iter->esl->SignatureListSize - sizeof (EFI_SIGNATURE_LIST); >+ *len = iter->esl->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) >+ - iter->esl->SignatureHeaderSize; > > return 1; > } >-- >2.14.3 >
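Review bot: in the hunk at `@@ -220,33 +220,6 @@`, the deleted block removes the X.509 ASN.1 size warnings (`GetASN1SequenceSize` and the comparison against `iter->esl->SignatureSize - sizeof (efi_guid_t)`) together with the faulty `iter->len - iter->offset > iter->esl->SignatureListSize` abort, and the commit message has no body saying that this is intended. Please state in the message why the abort was wrong (it fires whenever more bytes remain than the current list occupies, which is the case for any database holding more than one list) and whether the certificate size check is dropped on purpose or should move to a point where `*data` and `*len` have been set for the current list. With the block gone, `iter->offset += iter->esl->SignatureListSize` relies entirely on the previous call having validated that size, which deserves a one-line comment.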
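Review bot: in the hunk at `@@ -254,6 +227,11 @@`, the new header check casts the sum `iter->offset + sizeof (EFI_SIGNATURE_LIST)` to `uint32_t` before comparing it with `iter->len`, so a sum that does not fit in 32 bits is truncated and the comparison is made on the truncated value. Compare the remaining length against the header size instead, for example `if (iter->len - iter->offset < sizeof (EFI_SIGNATURE_LIST)) return -EINVAL;`, which cannot wrap once `iter->offset <= iter->len` holds. The branch above returns 0 when `iter->offset >= iter->len`, but the other branch, which sets `iter->esl` to `iter->buf`, shows no such guard in the visible lines, so please confirm the precondition on that path too.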
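Review bot: in the hunk at `@@ -263,14 +241,20 @@`, replacing `iter->esl->SignatureListSize > iter->len - iter->offset` with `(uint32_t)(iter->offset + iter->esl->SignatureListSize) > iter->len` makes the bound wrap-prone: `SignatureListSize` is read from the parsed data, and a value near `UINT32_MAX` makes the truncated sum small enough to pass, after which `*len` is computed from the unchecked size. The subtraction form being removed does not wrap as long as `iter->offset <= iter->len`, so keep it (adding a cast on the right-hand side if the change was meant to silence a signedness warning). The new header check has the same weakness where `size_t` is 32 bits, since `sizeof (EFI_SIGNATURE_LIST) + iter->esl->SignatureHeaderSize` can wrap; checking `iter->esl->SignatureListSize >= sizeof (EFI_SIGNATURE_LIST)` first and then `iter->esl->SignatureHeaderSize > iter->esl->SignatureListSize - sizeof (EFI_SIGNATURE_LIST)` avoids that.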
Attachments on bug 1570980: 1425753 | 1426574