There is an integer overflow vulnerability in the DxeImageVerificationHandler(..) function when parsing the PE files attribute certificate table. In cases where WinCertificate->dwLength is sufficiently large, it's possible to overflow Offset back to 0 causing an endless loop. References: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
Note that the upstream bug report at <https://bugzilla.tianocore.org/show_bug.cgi?id=2215#c0> is seriously under-specified. In the discussion linked at <https://bugzilla.tianocore.org/show_bug.cgi?id=2215#c5>, we're now trying to figure out what the original bug reporter had in mind exactly.
Flaw summary: DxeImageVerificationHandler() in SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c, provides verification service for signed PE/COFF images. This flaw is an unsigned integer wrap bug where the OffSet UINT32 variable, which is used in a for loop exit condition, could continuously wrap to 0 or another UINT32 lower than SecDataDir->VirtualAddress and cause an infinite loop, which could result in denial of service. The patch: 1) Checks that Offset >= SecDataDir->VirtualAddress, and if not, exits the loop 2) #includes Library/SafeIntLib.h and uses SafeUint32Add() to prevent unsigned integer wrapping These steps are important because DxeImageVerificationHandler() may process untrusted PE/COFF inputs [1]. To exploit this flaw, an attacker would need to supply a specially crafted input file locally. 1. https://github.com/leadsama/edk2/blob/ba21bb0e0f0bf0fe977ccad91a40b79fd2b7320c/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c#L1599
Acknowledgments: Name: Laszlo Ersek Upstream: Jian J. Wang
Reproducer described in <https://bugzilla.tianocore.org/show_bug.cgi?id=2215#c6>.
Upstream commit range: 751355992635..0b143fa43e92.