Bug 1869245 (CVE-2019-14562) - CVE-2019-14562 edk2: DxeImageVerificationHandler integer overflow leads to endless loop
Summary: CVE-2019-14562 edk2: DxeImageVerificationHandler integer overflow leads to en...
Status: NEW
Alias: CVE-2019-14562
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1869247 1869246 1870390 1910519
Blocks: 1869249
TreeView+ depends on / blocked
Reported: 2020-08-17 11:18 UTC by Dhananjay Arunesh
Modified: 2022-04-17 21:00 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
TianoCore 2215 0 None None None 2020-08-17 18:18:09 UTC

Description Dhananjay Arunesh 2020-08-17 11:18:19 UTC
There is an integer overflow vulnerability in the DxeImageVerificationHandler(..) function when parsing the PE files attribute certificate table. In cases where WinCertificate->dwLength is sufficiently large, it's possible to overflow Offset back to 0 causing an endless loop.


Comment 1 Laszlo Ersek 2020-08-17 18:18:10 UTC
Note that the upstream bug report at <https://bugzilla.tianocore.org/show_bug.cgi?id=2215#c0> is seriously under-specified. In the discussion linked at <https://bugzilla.tianocore.org/show_bug.cgi?id=2215#c5>, we're now trying to figure out what the original bug reporter had in mind exactly.

Comment 2 Todd Cullum 2020-08-19 23:31:42 UTC
Flaw summary:

DxeImageVerificationHandler() in SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c, provides verification service for signed PE/COFF images. This flaw is an unsigned integer wrap bug where the OffSet UINT32 variable, which is used in a for loop exit condition, could continuously wrap to 0 or another UINT32 lower than SecDataDir->VirtualAddress and cause an infinite loop, which could result in denial of service. The patch:

1) Checks that Offset >= SecDataDir->VirtualAddress, and if not, exits the loop
2) #includes Library/SafeIntLib.h and uses SafeUint32Add() to prevent unsigned integer wrapping

These steps are important because DxeImageVerificationHandler() may process untrusted PE/COFF inputs [1]. To exploit this flaw, an attacker would need to supply a specially crafted input file locally.

1. https://github.com/leadsama/edk2/blob/ba21bb0e0f0bf0fe977ccad91a40b79fd2b7320c/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c#L1599

Comment 6 Todd Cullum 2020-08-19 23:43:39 UTC

Name: Laszlo Ersek
Upstream: Jian J. Wang

Comment 8 Laszlo Ersek 2020-09-01 08:55:00 UTC
Reproducer described in <https://bugzilla.tianocore.org/show_bug.cgi?id=2215#c6>.

Comment 9 Laszlo Ersek 2020-09-02 10:35:16 UTC
Upstream commit range: 751355992635..0b143fa43e92.

Note You need to log in before you can comment on or make changes to this bug.