There is an integer overflow vulnerability in the DxeImageVerificationHandler(..) function when parsing the PE files attribute certificate table. In cases where WinCertificate->dwLength is sufficiently large, it's possible to overflow Offset back to 0 causing an endless loop.
Note that the upstream bug report at <https://bugzilla.tianocore.org/show_bug.cgi?id=2215#c0> is seriously under-specified. In the discussion linked at <https://bugzilla.tianocore.org/show_bug.cgi?id=2215#c5>, we're now trying to figure out what the original bug reporter had in mind exactly.
DxeImageVerificationHandler() in SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c, provides verification service for signed PE/COFF images. This flaw is an unsigned integer wrap bug where the OffSet UINT32 variable, which is used in a for loop exit condition, could continuously wrap to 0 or another UINT32 lower than SecDataDir->VirtualAddress and cause an infinite loop, which could result in denial of service. The patch:
1) Checks that Offset >= SecDataDir->VirtualAddress, and if not, exits the loop
2) #includes Library/SafeIntLib.h and uses SafeUint32Add() to prevent unsigned integer wrapping
These steps are important because DxeImageVerificationHandler() may process untrusted PE/COFF inputs . To exploit this flaw, an attacker would need to supply a specially crafted input file locally.
Name: Laszlo Ersek
Upstream: Jian J. Wang
Reproducer described in <https://bugzilla.tianocore.org/show_bug.cgi?id=2215#c6>.
Upstream commit range: 751355992635..0b143fa43e92.