Bug 1869245 (CVE-2019-14562)

Summary: CVE-2019-14562 edk2: DxeImageVerificationHandler integer overflow leads to endless loop
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: berrange, crobinso, kraxel, pbonzini, virt-maint, virt-maint, xuwei
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1869246, 1869247, 1870390, 1910519    
Bug Blocks: 1869249    

Description Dhananjay Arunesh 2020-08-17 11:18:19 UTC 
There is an integer overflow vulnerability in the DxeImageVerificationHandler(..) function when parsing the PE files attribute certificate table. In cases where WinCertificate->dwLength is sufficiently large, it's possible to overflow Offset back to 0 causing an endless loop.

References:
https://bugzilla.tianocore.org/show_bug.cgi?id=2215
Comment 1 Laszlo Ersek 2020-08-17 18:18:10 UTC 
Note that the upstream bug report at <https://bugzilla.tianocore.org/show_bug.cgi?id=2215#c0> is seriously under-specified. In the discussion linked at <https://bugzilla.tianocore.org/show_bug.cgi?id=2215#c5>, we're now trying to figure out what the original bug reporter had in mind exactly.
Comment 2 Todd Cullum 2020-08-19 23:31:42 UTC 
Flaw summary:

DxeImageVerificationHandler() in SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c, provides verification service for signed PE/COFF images. This flaw is an unsigned integer wrap bug where the OffSet UINT32 variable, which is used in a for loop exit condition, could continuously wrap to 0 or another UINT32 lower than SecDataDir->VirtualAddress and cause an infinite loop, which could result in denial of service. The patch:

1) Checks that Offset >= SecDataDir->VirtualAddress, and if not, exits the loop
2) #includes Library/SafeIntLib.h and uses SafeUint32Add() to prevent unsigned integer wrapping

These steps are important because DxeImageVerificationHandler() may process untrusted PE/COFF inputs [1]. To exploit this flaw, an attacker would need to supply a specially crafted input file locally.

1. https://github.com/leadsama/edk2/blob/ba21bb0e0f0bf0fe977ccad91a40b79fd2b7320c/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c#L1599
Comment 6 Todd Cullum 2020-08-19 23:43:39 UTC 
Acknowledgments:

Name: Laszlo Ersek
Upstream: Jian J. Wang
Comment 8 Laszlo Ersek 2020-09-01 08:55:00 UTC 
Reproducer described in <https://bugzilla.tianocore.org/show_bug.cgi?id=2215#c6>.
Comment 9 Laszlo Ersek 2020-09-02 10:35:16 UTC 
Upstream commit range: 751355992635..0b143fa43e92.