Version in base suite: 0~20181115.85588389-3 Base version: edk2_0~20181115.85588389-3 Target version: edk2_0~20181115.85588389-3+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/e/edk2/edk2_0~20181115.85588389-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/e/edk2/edk2_0~20181115.85588389-3+deb10u1.dsc changelog | 15 patches/0001-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch | 156 +++++++ patches/0002-MdeModulePkg-HiiDB-Remove-configuration-table-when-i.patch | 51 ++ patches/0003-MdeModulePkg-String.c-Zero-memory-before-free-CVE-20.patch | 80 +++ patches/0004-MdeModulePkg-DisplayEngine-Zero-memory-before-free-C.patch | 58 ++ patches/0005-MdeModulePkg-SdMmcPciHcDxe-Fix-double-PciIo-Unmap-in.patch | 52 ++ patches/0006-NetworkPkg-Ip4Dxe-Check-the-received-package-length-.patch | 101 ++++ patches/0007-SecurityPkg-DxeImageVerificationLib-Fix-memory-leaks.patch | 38 + patches/0008-SecurityPkg-DxeImageVerificationLib-reject-CertStack.patch | 37 + patches/0009-SecurityPkg-DxeImageVerificationLib-fix-wrong-fetch-.patch | 53 ++ patches/0010-SecurityPkg-DxeImageVerificationLib-avoid-bypass-in-.patch | 62 ++ patches/0011-SecurityPkg-DxeImageVerificationLib-refactor-db-dbx-.patch | 211 ++++++++++ patches/0012-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch | 202 +++++++++ patches/0013-SecurityPkg-DxeImageVerificationLib-tighten-default-.patch | 63 ++ patches/0014-SecurityPkg-DxeImageVerificationLib-plug-Data-leak-i.patch | 37 + patches/0015-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch | 203 +++++++++ patches/0016-SecurityPkg-DxeImageVerificationLib-change-IsCertHas.patch | 55 ++ patches/0017-NetworkPkg-ArpDxe-Recycle-invalid-ARP-packets-CVE-20.patch | 46 ++ patches/series | 17 19 files changed, 1537 insertions(+) diff: /srv/release.debian.org/tmp/XTtMVTNBDT/edk2-0~20181115.85588389/EmulatorPkg/Unix/Host/X11IncludeHack: No such file or directory diff: 
/srv/release.debian.org/tmp/ZKiezRFB2Z/edk2-0~20181115.85588389/EmulatorPkg/Unix/Host/X11IncludeHack: No such file or directory diff -Nru edk2-0~20181115.85588389/debian/changelog edk2-0~20181115.85588389/debian/changelog --- edk2-0~20181115.85588389/debian/changelog 2019-03-16 00:37:44.000000000 +0000 +++ edk2-0~20181115.85588389/debian/changelog 2020-04-23 19:33:06.000000000 +0000 @@ -1,3 +1,18 @@ +edk2 (0~20181115.85588389-3+deb10u1) buster; urgency=medium + + * Fix numeric truncation in S3BootScript[Save]*() API. (CVE-2019-14563) + * Fix use-after-free in PcdHiiOsRuntimeSupport. (CVE-2019-14586) + * Clear memory before free to avoid potential password leak. + (CVE-2019-14558) + * Fix double-unmap in SdMmcCreateTrb(). This did not impact any + of the images built from this package. (CVE-2019-14587) + * Fix memory leak in ArpOnFrameRcvdDpc(). (CVE-2019-14559) + * Fix issue that could allow an efi image with a blacklisted hash in the + dbx to be loaded. (CVE-2019-14575) (Closes: 952935) + * Fix a memory leak in the ARP handler. (CVE-2019-14559) (Closes: #952926) + + -- dann frazier Thu, 23 Apr 2020 13:33:06 -0600 + edk2 (0~20181115.85588389-3) unstable; urgency=medium * Security fixes (Closes: #924615): diff -Nru edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch --- edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch 1970-01-01 00:00:00.000000000 +0000 +++ edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch 2020-04-22 22:55:02.000000000 +0000 
@@ -0,0 +1,156 @@ +From 322ac05f8bbc1bce066af1dabd1b70ccdbe28891 Mon Sep 17 00:00:00 2001 +From: Hao A Wu +Date: Fri, 28 Jun 2019 14:15:55 +0800 +Subject: [PATCH 01/17] MdeModulePkg/PiDxeS3BootScriptLib: Fix potential + numeric truncation (CVE-2019-14563) + +REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2001 + +For S3BootScriptLib APIs: + +S3BootScriptSaveIoWrite +S3BootScriptSaveMemWrite +S3BootScriptSavePciCfgWrite +S3BootScriptSavePciCfg2Write +S3BootScriptSaveSmbusExecute +S3BootScriptSaveInformation +S3BootScriptSaveInformationAsciiString +S3BootScriptLabel (happen in S3BootScriptLabelInternal()) + +possible numeric truncations will happen that may lead to S3 boot script +entry with improper size being returned to store the boot script data. +This commit will add checks to prevent this kind of issue. + +Please note that the remaining S3BootScriptLib APIs: + +S3BootScriptSaveIoReadWrite +S3BootScriptSaveMemReadWrite +S3BootScriptSavePciCfgReadWrite +S3BootScriptSavePciCfg2ReadWrite +S3BootScriptSaveStall +S3BootScriptSaveDispatch2 +S3BootScriptSaveDispatch +S3BootScriptSaveMemPoll +S3BootScriptSaveIoPoll +S3BootScriptSavePciPoll +S3BootScriptSavePci2Poll +S3BootScriptCloseTable +S3BootScriptExecute +S3BootScriptMoveLastOpcode +S3BootScriptCompare + +are not affected by such numeric truncation. 
+ +Signed-off-by: Hao A Wu +Reviewed-by: Laszlo Ersek +Reviewed-by: Eric Dong +Acked-by: Jian J Wang + +Origin: https://github.com/tianocore/edk2/commit/322ac05f8bbc1bce066af1dabd1b70ccdbe28891 +Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=2001 +Bug-Debian: https://bugs.debian.org/952934 +Last-Update: 2020-03-16 + +Index: edk2-0~20181115.85588389/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c +=================================================================== +--- edk2-0~20181115.85588389.orig/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c ++++ edk2-0~20181115.85588389/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c +@@ -998,6 +998,14 @@ S3BootScriptSaveIoWrite ( + EFI_BOOT_SCRIPT_IO_WRITE ScriptIoWrite; + + WidthInByte = (UINT8) (0x01 << (Width & 0x03)); ++ ++ // ++ // Truncation check ++ // ++ if ((Count > MAX_UINT8) || ++ (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_IO_WRITE))) { ++ return RETURN_OUT_OF_RESOURCES; ++ } + Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_IO_WRITE) + (WidthInByte * Count)); + + Script = S3BootScriptGetEntryAddAddress (Length); +@@ -1094,6 +1102,14 @@ S3BootScriptSaveMemWrite ( + EFI_BOOT_SCRIPT_MEM_WRITE ScriptMemWrite; + + WidthInByte = (UINT8) (0x01 << (Width & 0x03)); ++ ++ // ++ // Truncation check ++ // ++ if ((Count > MAX_UINT8) || ++ (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_MEM_WRITE))) { ++ return RETURN_OUT_OF_RESOURCES; ++ } + Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_MEM_WRITE) + (WidthInByte * Count)); + + Script = S3BootScriptGetEntryAddAddress (Length); +@@ -1198,6 +1214,14 @@ S3BootScriptSavePciCfgWrite ( + } + + WidthInByte = (UINT8) (0x01 << (Width & 0x03)); ++ ++ // ++ // Truncation check ++ // ++ if ((Count > MAX_UINT8) || ++ (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE))) { ++ return RETURN_OUT_OF_RESOURCES; ++ } + Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE) + (WidthInByte * Count)); + + Script = 
S3BootScriptGetEntryAddAddress (Length); +@@ -1316,6 +1340,14 @@ S3BootScriptSavePciCfg2Write ( + } + + WidthInByte = (UINT8) (0x01 << (Width & 0x03)); ++ ++ // ++ // Truncation check ++ // ++ if ((Count > MAX_UINT8) || ++ (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE))) { ++ return RETURN_OUT_OF_RESOURCES; ++ } + Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE) + (WidthInByte * Count)); + + Script = S3BootScriptGetEntryAddAddress (Length); +@@ -1541,6 +1573,12 @@ S3BootScriptSaveSmbusExecute ( + return Status; + } + ++ // ++ // Truncation check ++ // ++ if (BufferLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE)) { ++ return RETURN_OUT_OF_RESOURCES; ++ } + DataSize = (UINT8)(sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE) + BufferLength); + + Script = S3BootScriptGetEntryAddAddress (DataSize); +@@ -1728,6 +1766,12 @@ S3BootScriptSaveInformation ( + UINT8 *Script; + EFI_BOOT_SCRIPT_INFORMATION ScriptInformation; + ++ // ++ // Truncation check ++ // ++ if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)) { ++ return RETURN_OUT_OF_RESOURCES; ++ } + Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLength); + + Script = S3BootScriptGetEntryAddAddress (Length); +@@ -2187,6 +2231,12 @@ S3BootScriptLabelInternal ( + UINT8 *Script; + EFI_BOOT_SCRIPT_INFORMATION ScriptInformation; + ++ // ++ // Truncation check ++ // ++ if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)) { ++ return RETURN_OUT_OF_RESOURCES; ++ } + Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLength); + + Script = S3BootScriptGetEntryAddAddress (Length); diff -Nru edk2-0~20181115.85588389/debian/patches/0002-MdeModulePkg-HiiDB-Remove-configuration-table-when-i.patch edk2-0~20181115.85588389/debian/patches/0002-MdeModulePkg-HiiDB-Remove-configuration-table-when-i.patch --- edk2-0~20181115.85588389/debian/patches/0002-MdeModulePkg-HiiDB-Remove-configuration-table-when-i.patch 1970-01-01 
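Review bot: The `// Truncation check` comment above each new guard does not say why two comparisons are needed, and the reason is easy to lose: `Count > MAX_UINT8` is what keeps `WidthInByte * Count` from wrapping in UINTN for a huge Count, while the second comparison is the actual test that the entry fits the UINT8 `Length`. I would replace the comment with `// Length is a UINT8: reject requests whose entry would not fit (the Count test also keeps the multiplication from wrapping)`. The same four-line guard is pasted into S3BootScriptSaveIoWrite, S3BootScriptSaveMemWrite, S3BootScriptSavePciCfgWrite and S3BootScriptSavePciCfg2Write with only the sizeof operand changing, so a STATIC helper taking the header size would leave one place to maintain the bound. Each enclosing function starts above its hunk and its @retval list is not visible; if RETURN_OUT_OF_RESOURCES is not already documented there for an oversized request, it should be.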
00:00:00.000000000 +0000 +++ edk2-0~20181115.85588389/debian/patches/0002-MdeModulePkg-HiiDB-Remove-configuration-table-when-i.patch 2020-04-22 22:55:52.000000000 +0000 
@@ -0,0 +1,51 @@ +From c32be82e99ef272e7fa742c2f06ff9a4c3756613 Mon Sep 17 00:00:00 2001 +From: Dandan Bi +Date: Tue, 24 Sep 2019 11:17:52 +0800 +Subject: [PATCH 02/17] MdeModulePkg/HiiDB: Remove configuration table when + it's freed (CVE-2019-14586) + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1995 + +Fix the corner case issue that the original configuration runtime +memory is freed, but it is still exposed to the OS runtime. +So this patch is to remove the configuration table to avoid being +used in OS runtime when the configuration runtime memory is freed. + +Cc: Liming Gao +Cc: Eric Dong +Cc: Jian J Wang +Signed-off-by: Dandan Bi +Reviewed-by: Eric Dong +Reviewed-by: Jian J Wang +[dannf: Minor context adjustments] + +Origin: https://github.com/tianocore/edk2/commit/c32be82e99ef272e7fa742c2f06ff9a4c3756613 +Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1995 +Last-Update: 2020-04-03 + +Index: edk2-0~20180205.c0d9813c/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c +=================================================================== +--- edk2-0~20180205.c0d9813c.orig/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c ++++ edk2-0~20180205.c0d9813c/MdeModulePkg/Universal/HiiDatabaseDxe/Database.c +@@ -3372,6 +3372,10 @@ HiiGetConfigRespInfo( + if (gRTConfigRespBuffer == NULL){ + FreePool(ConfigAltResp); + DEBUG ((DEBUG_ERROR, "Not enough memory resource to get the ConfigResp string.\n")); ++ // ++ // Remove from the System Table when the configuration runtime buffer is freed. ++ // ++ gBS->InstallConfigurationTable (&gEfiHiiConfigRoutingProtocolGuid, NULL); + return EFI_OUT_OF_RESOURCES; + } + } else { +@@ -3422,6 +3426,10 @@ HiiGetDatabaseInfo( + gRTDatabaseInfoBuffer = AllocateRuntimeZeroPool(DatabaseInfoSize); + if (gRTDatabaseInfoBuffer == NULL){ + DEBUG ((DEBUG_ERROR, "Not enough memory resource to get the HiiDatabase info.\n")); ++ // ++ // Remove from the System Table when the configuration runtime buffer is freed. 
++ // ++ gBS->InstallConfigurationTable (&gEfiHiiDatabaseProtocolGuid, NULL); + return EFI_OUT_OF_RESOURCES; + } + } else { diff -Nru edk2-0~20181115.85588389/debian/patches/0003-MdeModulePkg-String.c-Zero-memory-before-free-CVE-20.patch edk2-0~20181115.85588389/debian/patches/0003-MdeModulePkg-String.c-Zero-memory-before-free-CVE-20.patch --- edk2-0~20181115.85588389/debian/patches/0003-MdeModulePkg-String.c-Zero-memory-before-free-CVE-20.patch 1970-01-01 00:00:00.000000000 +0000 +++ edk2-0~20181115.85588389/debian/patches/0003-MdeModulePkg-String.c-Zero-memory-before-free-CVE-20.patch 2020-04-22 22:56:42.000000000 +0000 
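Review bot: The return status of `gBS->InstallConfigurationTable (..., NULL)` is discarded on both new lines, so a failure to detach the stale table entry goes unnoticed on exactly the path this patch exists to harden. Capture it in a local and report it next to the existing DEBUG line, e.g. `Status = gBS->InstallConfigurationTable (&gEfiHiiConfigRoutingProtocolGuid, NULL);` followed by `DEBUG ((DEBUG_ERROR, "Failed to remove HII config table: %r\n", Status));` when it errs (sample message, adjust to the file's wording). HiiGetConfigRespInfo and HiiGetDatabaseInfo both start above their hunks; if the previous runtime buffer is freed earlier in each function, clearing the table entry before that free rather than after would close the window in which the table still points at freed memory — cannot confirm the order from here.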
@@ -0,0 +1,80 @@ +From 764e8ba1389a617639d79d2c4f0d53f4ea4a7387 Mon Sep 17 00:00:00 2001 +From: Dandan Bi +Date: Fri, 22 Feb 2019 15:45:24 +0800 +Subject: [PATCH 03/17] MdeModulePkg/String.c: Zero memory before free + (CVE-2019-14558) + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611 + +Cc: Liming Gao +Cc: Eric Dong +Cc: Jian J Wang +Signed-off-by: Dandan Bi +Reviewed-by: Eric Dong +Reviewed-by: Jian J Wang +[dannf: dropped copyright year change due to conflict] + +Origin: https://github.com/tianocore/edk2/commit/764e8ba1389a617639d79d2c4f0d53f4ea4a7387 +Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1611 +Last-Update: 2020-04-03 + +Index: edk2-0~20180205.c0d9813c/MdeModulePkg/Universal/HiiDatabaseDxe/String.c +=================================================================== +--- edk2-0~20180205.c0d9813c.orig/MdeModulePkg/Universal/HiiDatabaseDxe/String.c ++++ edk2-0~20180205.c0d9813c/MdeModulePkg/Universal/HiiDatabaseDxe/String.c +@@ -1012,6 +1012,7 @@ SetStringWorker ( + TmpSize + ); + ++ ZeroMem (StringPackage->StringBlock, OldBlockSize); + FreePool (StringPackage->StringBlock); + StringPackage->StringBlock = Block; + StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - OldBlockSize); +@@ -1045,6 +1046,7 @@ SetStringWorker ( + OldBlockSize - (StringTextPtr - StringPackage->StringBlock) - StringSize + ); + ++ ZeroMem (StringPackage->StringBlock, OldBlockSize); + FreePool (StringPackage->StringBlock); + StringPackage->StringBlock = Block; + StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - OldBlockSize); +@@ -1096,6 +1098,7 @@ SetStringWorker ( + + CopyMem (BlockPtr, StringPackage->StringBlock, OldBlockSize); + ++ ZeroMem (StringPackage->StringBlock, OldBlockSize); + FreePool (StringPackage->StringBlock); + StringPackage->StringBlock = Block; + StringPackage->StringPkgHdr->Header.Length += Ext2.Length; +@@ -1279,6 +1282,7 @@ HiiNewString ( + // Append a EFI_HII_SIBT_END block to the end. 
+ // + *BlockPtr = EFI_HII_SIBT_END; ++ ZeroMem (StringPackage->StringBlock, OldBlockSize); + FreePool (StringPackage->StringBlock); + StringPackage->StringBlock = StringBlock; + StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize; +@@ -1410,6 +1414,7 @@ HiiNewString ( + // Append a EFI_HII_SIBT_END block to the end. + // + *BlockPtr = EFI_HII_SIBT_END; ++ ZeroMem (StringPackage->StringBlock, OldBlockSize); + FreePool (StringPackage->StringBlock); + StringPackage->StringBlock = StringBlock; + StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize; +@@ -1452,6 +1457,7 @@ HiiNewString ( + // Append a EFI_HII_SIBT_END block to the end. + // + *BlockPtr = EFI_HII_SIBT_END; ++ ZeroMem (StringPackage->StringBlock, OldBlockSize); + FreePool (StringPackage->StringBlock); + StringPackage->StringBlock = StringBlock; + StringPackage->StringPkgHdr->Header.Length += Ucs2FontBlockSize; +@@ -1513,6 +1519,7 @@ HiiNewString ( + // Append a EFI_HII_SIBT_END block to the end. + // + *BlockPtr = EFI_HII_SIBT_END; ++ ZeroMem (StringPackage->StringBlock, OldBlockSize); + FreePool (StringPackage->StringBlock); + StringPackage->StringBlock = StringBlock; + StringPackage->StringPkgHdr->Header.Length += FontBlockSize + Ucs2FontBlockSize; diff -Nru edk2-0~20181115.85588389/debian/patches/0004-MdeModulePkg-DisplayEngine-Zero-memory-before-free-C.patch edk2-0~20181115.85588389/debian/patches/0004-MdeModulePkg-DisplayEngine-Zero-memory-before-free-C.patch --- edk2-0~20181115.85588389/debian/patches/0004-MdeModulePkg-DisplayEngine-Zero-memory-before-free-C.patch 1970-01-01 00:00:00.000000000 +0000 +++ edk2-0~20181115.85588389/debian/patches/0004-MdeModulePkg-DisplayEngine-Zero-memory-before-free-C.patch 2020-04-22 22:57:17.000000000 +0000 
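Review bot: The `ZeroMem (StringPackage->StringBlock, OldBlockSize); FreePool (StringPackage->StringBlock);` pair is now repeated at eight sites across SetStringWorker and HiiNewString, each relying on `OldBlockSize` still holding the byte length of the block being freed at that point; the size computations are above the hunks, so this cannot be confirmed per site from here. A small static helper such as `ZeroAndFreeStringBlock (VOID *Block, UINTN Size)` would keep the length coupled to the free and give one place to swap in a secure-erase primitive later. ZeroMem is an ordinary BaseMemoryLib call, so the stores are not elided the way a local memset before free can be, but that guarantee weakens under LTO; a one-line why-comment such as `// Scrub before free: the block may hold password strings (CVE-2019-14558)` would tell the next maintainer that the zeroing is load-bearing.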
@@ -0,0 +1,58 @@ +From f1d78c489a39971b5aac5d2fc8a39bfa925c3c5d Mon Sep 17 00:00:00 2001 +From: Dandan Bi +Date: Mon, 6 May 2019 16:43:34 +0800 +Subject: [PATCH 04/17] MdeModulePkg/DisplayEngine: Zero memory before free + (CVE-2019-14558) + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611 + +Cc: Liming Gao +Cc: Eric Dong +Cc: Jian J Wang +Signed-off-by: Dandan Bi +Reviewed-by: Eric Dong +Reviewed-by: Jian J Wang +[dannf: dropped copyright year change due to conflict] + +Origin: https://github.com/tianocore/edk2/commit/f1d78c489a39971b5aac5d2fc8a39bfa925c3c5d +Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1611 +Last-Update: 2020-04-03 + +Index: edk2-0~20180205.c0d9813c/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c +=================================================================== +--- edk2-0~20180205.c0d9813c.orig/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c ++++ edk2-0~20180205.c0d9813c/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c +@@ -829,6 +829,7 @@ PasswordProcess ( + // + Status = ReadString (MenuOption, gPromptForPassword, StringPtr); + if (EFI_ERROR (Status)) { ++ ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16)); + FreePool (StringPtr); + return Status; + } +@@ -846,7 +847,7 @@ PasswordProcess ( + } else { + Status = EFI_SUCCESS; + } +- ++ ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16)); + FreePool (StringPtr); + return Status; + } +@@ -862,6 +863,7 @@ PasswordProcess ( + // Reset state machine for password + // + Question->PasswordCheck (gFormData, Question, NULL); ++ ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16)); + FreePool (StringPtr); + return Status; + } +@@ -877,6 +879,8 @@ PasswordProcess ( + // Reset state machine for password + // + Question->PasswordCheck (gFormData, Question, NULL); ++ ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16)); ++ ZeroMem (TempString, (Maximum + 1) * sizeof (CHAR16)); + FreePool (StringPtr); + FreePool (TempString); + return Status; diff -Nru 
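Review bot: The scrub length `(Maximum + 1) * sizeof (CHAR16)` is repeated at the four new ZeroMem sites and has to stay equal to the size StringPtr and TempString were allocated with, which is above the hunks and not visible here; computing it once next to the allocation, e.g. `BufferSize = (Maximum + 1) * sizeof (CHAR16);`, and using `ZeroMem (StringPtr, BufferSize);` at every exit keeps the two from drifting. PasswordProcess starts outside the hunk, so any exit that frees StringPtr or TempString before the first hunk would still miss the scrub and is worth a check. A short comment at the first site, `// Scrub the password buffers before free (CVE-2019-14558)`, would explain why the pattern must be kept on every path.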
edk2-0~20181115.85588389/debian/patches/0005-MdeModulePkg-SdMmcPciHcDxe-Fix-double-PciIo-Unmap-in.patch edk2-0~20181115.85588389/debian/patches/0005-MdeModulePkg-SdMmcPciHcDxe-Fix-double-PciIo-Unmap-in.patch --- edk2-0~20181115.85588389/debian/patches/0005-MdeModulePkg-SdMmcPciHcDxe-Fix-double-PciIo-Unmap-in.patch 1970-01-01 00:00:00.000000000 +0000 +++ edk2-0~20181115.85588389/debian/patches/0005-MdeModulePkg-SdMmcPciHcDxe-Fix-double-PciIo-Unmap-in.patch 2020-04-22 22:58:10.000000000 +0000 
@@ -0,0 +1,52 @@ +From e36d5ac7d10a6ff5becb0f52fdfd69a1752b0d14 Mon Sep 17 00:00:00 2001 +From: Hao A Wu +Date: Wed, 26 Jun 2019 15:23:29 +0800 +Subject: [PATCH 05/17] MdeModulePkg/SdMmcPciHcDxe: Fix double PciIo Unmap in + TRB creation (CVE-2019-14587) + +REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1989 + +The commit will avoid unmapping the same resource in error handling logic +for function BuildAdmaDescTable() and SdMmcCreateTrb(). + +For the error handling in BuildAdmaDescTable(): +The error is directly related with the corresponding Map() operation +(mapped address beyond 4G, which is not supported in ADMA), so the Unmap() +operation is done in the error handling logic, and then setting +'Trb->AdmaMap' to NULL to avoid double Unmap. + +For the error handling in SdMmcCreateTrb(): +The error is not directly related with the corresponding Map() operation, +so the commit will update the code to left SdMmcFreeTrb() for the Unmap +operation to avoid double Unmap. + +Cc: Jian J Wang +Cc: Ray Ni +Signed-off-by: Hao A Wu +Reviewed-by: Jian J Wang + +Origin: https://github.com/tianocore/edk2/commit/e36d5ac7d10a6ff5becb0f52fdfd69a1752b0d14 +Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1989 +Last-Update: 2020-04-03 + +Index: edk2-0~20180205.c0d9813c/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c +=================================================================== +--- edk2-0~20180205.c0d9813c.orig/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c ++++ edk2-0~20180205.c0d9813c/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c +@@ -1253,6 +1253,8 @@ BuildAdmaDescTable ( + PciIo, + Trb->AdmaMap + ); ++ Trb->AdmaMap = NULL; ++ + PciIo->FreeBuffer ( + PciIo, + EFI_SIZE_TO_PAGES (TableSize), +@@ -1384,7 +1386,6 @@ SdMmcCreateTrb ( + Trb->Mode = SdMmcAdmaMode; + Status = BuildAdmaDescTable (Trb); + if (EFI_ERROR (Status)) { +- PciIo->Unmap (PciIo, Trb->DataMap); + goto Error; + } + } else if (Private->Capability[Slot].Sdma != 0) { diff -Nru 
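Review bot: Clearing `Trb->AdmaMap` after the Unmap fixes one half of the double release, but the FreeBuffer call immediately below releases the descriptor table through what appears to be another Trb field, and that pointer is not cleared; if SdMmcFreeTrb also frees the table when its pointer is non-NULL, the same double release remains on this error path — BuildAdmaDescTable's tail is outside the hunk, so this cannot be confirmed here. If it does, the field holding the table should be set to NULL right after the FreeBuffer, mirroring the `Trb->AdmaMap = NULL;` line. In SdMmcCreateTrb, a one-line comment on the error branch, `// SdMmcFreeTrb () unmaps Trb->DataMap; do not unmap here`, would stop someone from re-adding the deleted Unmap.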
edk2-0~20181115.85588389/debian/patches/0006-NetworkPkg-Ip4Dxe-Check-the-received-package-length-.patch edk2-0~20181115.85588389/debian/patches/0006-NetworkPkg-Ip4Dxe-Check-the-received-package-length-.patch --- edk2-0~20181115.85588389/debian/patches/0006-NetworkPkg-Ip4Dxe-Check-the-received-package-length-.patch 1970-01-01 00:00:00.000000000 +0000 +++ edk2-0~20181115.85588389/debian/patches/0006-NetworkPkg-Ip4Dxe-Check-the-received-package-length-.patch 2020-04-22 22:59:37.000000000 +0000 
@@ -0,0 +1,101 @@ +From 578bcdc2605e3438b9cbdac4e68339f90f5bf8af Mon Sep 17 00:00:00 2001 +From: Jiaxin Wu +Date: Mon, 29 Apr 2019 09:51:53 +0800 +Subject: [PATCH 06/17] NetworkPkg/Ip4Dxe: Check the received package length + (CVE-2019-14559). + +v3: correct the coding style. +v2: correct the commit message & add BZ number. + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1610 + +This patch is to check the received package length to make sure the package +has a valid length field. + +Cc: Fu Siyuan +Cc: Maciej Rabeda +Signed-off-by: Wu Jiaxin +Reviewed-by: Siyuan Fu +[dannf: Change modified file path; drop conflicting Copyright date change] + +Origin: https://github.com/tianocore/edk2/commit/578bcdc2605e3438b9cbdac4e68339f90f5bf8af +Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1610 +Bug-Debian: https://bugs.debian.org/952926 +Last-Update: 2020-04-22 + +Index: edk2-0~20181115.85588389/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c +=================================================================== +--- edk2-0~20181115.85588389.orig/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c ++++ edk2-0~20181115.85588389/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c +@@ -717,10 +717,6 @@ Ip4PreProcessPacket ( + // + // Check if the IP4 header is correctly formatted. + // +- if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) { +- return EFI_INVALID_PARAMETER; +- } +- + HeadLen = (Head->HeadLen << 2); + TotalLen = NTOHS (Head->TotalLen); + +@@ -815,6 +811,30 @@ Ip4PreProcessPacket ( + } + + /** ++ This function checks the IPv4 packet length. ++ ++ @param[in] Packet Pointer to the IPv4 Packet to be checked. ++ ++ @retval TRUE The input IPv4 packet length is valid. ++ @retval FALSE The input IPv4 packet length is invalid. ++ ++**/ ++BOOLEAN ++Ip4IsValidPacketLength ( ++ IN NET_BUF *Packet ++ ) ++{ ++ // ++ // Check the IP4 packet length. ++ // ++ if (Packet->TotalSize < IP4_MIN_HEADLEN) { ++ return FALSE; ++ } ++ ++ return TRUE; ++} ++ ++/** + The IP4 input routine. 
It is called by the IP4_INTERFACE when a + IP4 fragment is received from MNP. + +@@ -850,6 +870,10 @@ Ip4AccpetFrame ( + goto DROP; + } + ++ if (!Ip4IsValidPacketLength (Packet)) { ++ goto RESTART; ++ } ++ + Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL); + ASSERT (Head != NULL); + OptionLen = (Head->HeadLen << 2) - IP4_MIN_HEADLEN; +@@ -896,10 +920,14 @@ Ip4AccpetFrame ( + // + ZeroMem (&ZeroHead, sizeof (IP4_HEAD)); + if (0 == CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) { +- // Packet may have been changed. Head, HeadLen, TotalLen, and +- // info must be reloaded bofore use. The ownership of the packet +- // is transfered to the packet process logic. +- // ++ // Packet may have been changed. Head, HeadLen, TotalLen, and ++ // info must be reloaded before use. The ownership of the packet ++ // is transferred to the packet process logic. ++ // ++ if (!Ip4IsValidPacketLength (Packet)) { ++ goto RESTART; ++ } ++ + Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL); + ASSERT (Head != NULL); + Status = Ip4PreProcessPacket ( diff -Nru edk2-0~20181115.85588389/debian/patches/0007-SecurityPkg-DxeImageVerificationLib-Fix-memory-leaks.patch edk2-0~20181115.85588389/debian/patches/0007-SecurityPkg-DxeImageVerificationLib-Fix-memory-leaks.patch --- edk2-0~20181115.85588389/debian/patches/0007-SecurityPkg-DxeImageVerificationLib-Fix-memory-leaks.patch 1970-01-01 00:00:00.000000000 +0000 +++ edk2-0~20181115.85588389/debian/patches/0007-SecurityPkg-DxeImageVerificationLib-Fix-memory-leaks.patch 2020-04-22 23:00:14.000000000 +0000 
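Review bot: Ip4IsValidPacketLength's doc block says it checks "the IPv4 packet length", but the body only checks that the buffer holds at least IP4_MIN_HEADLEN bytes; it does not validate Head->HeadLen against TotalSize, which the next line in Ip4AccpetFrame (`OptionLen = (Head->HeadLen << 2) - IP4_MIN_HEADLEN`) depends on. Narrow the contract so callers do not assume more: `@retval TRUE The packet holds at least IP4_MIN_HEADLEN bytes.` and `@retval FALSE The packet is shorter than a minimal IPv4 header.`. The two new failure exits use `goto RESTART` while the check just above them uses `goto DROP`; if RESTART does not fall through to the packet free, the short packet leaks — Ip4AccpetFrame's labels are outside the hunk, so this is worth confirming. The helper is only used in this file, so STATIC on the definition would match its scope.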
@@ -0,0 +1,38 @@
+From fbb96072233b5eaecf4d229cbee47b13dcab39e1 Mon Sep 17 00:00:00 2001
+From: Jian J Wang
+Date: Thu, 10 Oct 2019 11:06:53 +0800
+Subject: [PATCH 07/17] SecurityPkg/DxeImageVerificationLib: Fix memory leaks
+ (CVE-2019-14575)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+
+Pointer HashCtx used in IsCertHashFoundInDatabase() is not freed inside
+the while-loop, if it will run more than once.
+
+Cc: Jiewen Yao
+Cc: Chao Zhang
+Signed-off-by: Jian J Wang
+Reviewed-by: Jiewen Yao
+
+Origin: https://github.com/tianocore/edk2/commit/fbb96072233b5eaecf4d229cbee47b13dcab39e1
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+Bug-Debian: https://bugs.debian.org/952935
+Last-Update: 2020-03-16
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index dbfbfcb4fb..74dbffa122 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -908,6 +908,9 @@ IsCertHashFoundInDatabase (
+ goto Done;
+ }
+ 
++ FreePool (HashCtx);
++ HashCtx = NULL;
++
+ SiglistHeaderSize = sizeof (EFI_SIGNATURE_LIST) + DbxList->SignatureHeaderSize;
+ CertHash = (EFI_SIGNATURE_DATA *) ((UINT8 *) DbxList + SiglistHeaderSize);
+ CertHashCount = (DbxList->SignatureListSize - SiglistHeaderSize) / DbxList->SignatureSize;
+--
+2.25.1
+
diff -Nru edk2-0~20181115.85588389/debian/patches/0008-SecurityPkg-DxeImageVerificationLib-reject-CertStack.patch edk2-0~20181115.85588389/debian/patches/0008-SecurityPkg-DxeImageVerificationLib-reject-CertStack.patch
--- edk2-0~20181115.85588389/debian/patches/0008-SecurityPkg-DxeImageVerificationLib-reject-CertStack.patch 1970-01-01 00:00:00.000000000 +0000
+++ edk2-0~20181115.85588389/debian/patches/0008-SecurityPkg-DxeImageVerificationLib-reject-CertStack.patch 2020-04-22 23:00:54.000000000 +0000
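Review bot: The new `FreePool (HashCtx); HashCtx = NULL;` relies on the Done label freeing HashCtx only when it is non-NULL, and on the `goto Done` two lines above still owning HashCtx on its failure path; both are outside the hunk and worth confirming. A one-line why-comment would anchor the pairing for the next reader: `// HashCtx is allocated per dbx list; release it here so a multi-list dbx does not leak one context per iteration`. IsCertHashFoundInDatabase starts above the hunk.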
@@ -0,0 +1,37 @@
+From c13742b180095e5181e41dffda954581ecbd9b9c Mon Sep 17 00:00:00 2001
+From: Jian J Wang
+Date: Thu, 10 Oct 2019 11:14:47 +0800
+Subject: [PATCH 08/17] SecurityPkg/DxeImageVerificationLib: reject
+ CertStack.CertNumber==0 per DBX (CVE-2019-14575)
+
+In case the signers' certificate stack, retrieved from the PE/COFF image's
+Authenticode blob, has zero elements (=there are zero signer certificates),
+then we should consider the image forbidden by DBX, not accepted by DBX.
+
+Cc: Jiewen Yao
+Cc: Chao Zhang
+Signed-off-by: Jian J Wang
+Reviewed-by: Laszlo Ersek
+Reviewed-by: Jiewen Yao
+
+Origin: https://github.com/tianocore/edk2/commit/c13742b180095e5181e41dffda954581ecbd9b9c
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+Bug-Debian: https://bugs.debian.org/952935
+Last-Update: 2020-03-16
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index 74dbffa122..5dcd6efed5 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1326,7 +1326,7 @@ IsForbiddenByDbx (
+ // UINT8 Certn[];
+ //
+ Pkcs7GetSigners (AuthData, AuthDataSize, &CertBuffer, &BufferLength, &TrustedCert, &TrustedCertLength);
+- if ((BufferLength == 0) || (CertBuffer == NULL)) {
++ if ((BufferLength == 0) || (CertBuffer == NULL) || (*CertBuffer) == 0) {
+ IsForbidden = TRUE;
+ goto Done;
+ }
+--
+2.25.1
+
diff -Nru edk2-0~20181115.85588389/debian/patches/0009-SecurityPkg-DxeImageVerificationLib-fix-wrong-fetch-.patch edk2-0~20181115.85588389/debian/patches/0009-SecurityPkg-DxeImageVerificationLib-fix-wrong-fetch-.patch
--- edk2-0~20181115.85588389/debian/patches/0009-SecurityPkg-DxeImageVerificationLib-fix-wrong-fetch-.patch 1970-01-01 00:00:00.000000000 +0000
+++ 
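Review bot: The new clause reads the certificate count through a bare dereference, `(*CertBuffer) == 0`, so a reader has to walk back to the layout comment to learn that byte 0 of the stack is CertNumber; `CertBuffer[0] == 0` with a trailing `// CertNumber == 0: no signer certificates, treat as forbidden` keeps the meaning at the point of use, and the parenthesization then matches the other two operands. The read is only safe because `BufferLength == 0` is tested first, so that ordering must be preserved. The BOOLEAN result of Pkcs7GetSigners on the context line is still discarded; the NULL/zero tests cover a failed call today, but a comment saying so would keep someone from "fixing" it in isolation later.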
edk2-0~20181115.85588389/debian/patches/0009-SecurityPkg-DxeImageVerificationLib-fix-wrong-fetch-.patch 2020-04-22 23:01:14.000000000 +0000 
@@ -0,0 +1,53 @@ +From 9e569700901857d0ba418ebdd30b8086b908688c Mon Sep 17 00:00:00 2001 +From: Jian J Wang +Date: Thu, 10 Oct 2019 11:46:16 +0800 +Subject: [PATCH 09/17] SecurityPkg/DxeImageVerificationLib: fix wrong fetch + dbx in IsAllowedByDb (CVE-2019-14575) + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 + +Normally two times of calling gRT->GetVariable() are needed to get +the data of a variable: get the variable size by passing zero variable +size, and then allocate enough memory and pass the correct variable size +and buffer. + +But in the inner loop in IsAllowedByDb(), the DbxDataSize was not +initialized to zero before calling gRT->GetVariable(). It won't cause +problem if dbx does not exist. But it will give wrong result if dbx +exists and the DbxDataSize happens to be a small enough value. In this +situation, EFI_BUFFER_TOO_SMALL will be returned. Then the result check +code followed will jump to 'Done', which is not correct because it's +actually the value expected. 
+ + if (Status == EFI_BUFFER_TOO_SMALL) { + goto Done; + } + +Cc: Jiewen Yao +Cc: Chao Zhang +Signed-off-by: Jian J Wang +Reviewed-by: Jiewen Yao + +Origin: https://github.com/tianocore/edk2/commit/9e569700901857d0ba418ebdd30b8086b908688c +Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 +Bug-Debian: https://bugs.debian.org/952935 +Last-Update: 2020-03-16 + +diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +index 5dcd6efed5..1efb2f96cd 100644 +--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c ++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +@@ -1456,8 +1456,9 @@ IsAllowedByDb ( + // + // Here We still need to check if this RootCert's Hash is revoked + // ++ DbxDataSize = 0; + Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, NULL); +- if (Status == EFI_BUFFER_TOO_SMALL) { ++ if (Status != EFI_BUFFER_TOO_SMALL) { + goto Done; + } + DbxData = (UINT8 *) AllocateZeroPool (DbxDataSize); +-- +2.25.1 + diff -Nru edk2-0~20181115.85588389/debian/patches/0010-SecurityPkg-DxeImageVerificationLib-avoid-bypass-in-.patch edk2-0~20181115.85588389/debian/patches/0010-SecurityPkg-DxeImageVerificationLib-avoid-bypass-in-.patch --- edk2-0~20181115.85588389/debian/patches/0010-SecurityPkg-DxeImageVerificationLib-avoid-bypass-in-.patch 1970-01-01 00:00:00.000000000 +0000 +++ edk2-0~20181115.85588389/debian/patches/0010-SecurityPkg-DxeImageVerificationLib-avoid-bypass-in-.patch 2020-04-22 23:01:31.000000000 +0000 
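Review bot: Flipping the test to `Status != EFI_BUFFER_TOO_SMALL` means a missing dbx now reaches Done with VerifyStatus still TRUE, but so does every other GetVariable failure; patch 0010 in this same upload narrows that to EFI_NOT_FOUND, so the two hunks should be read together. Independently, `DbxData = (UINT8 *) AllocateZeroPool (DbxDataSize);` sits inside the inner loop; unless the buffer is freed at the end of each iteration (outside the hunk), the second iteration leaks the previous one. The `DbxDataSize = 0;` reset deserves its own comment since the whole bug was a stale value: `// Size query first; a stale DbxDataSize turns BUFFER_TOO_SMALL into a spurious exit`. IsAllowedByDb starts above the hunk.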
@@ -0,0 +1,62 @@
+From 929d1a24d12822942fd4f9fa83582e27f92de243 Mon Sep 17 00:00:00 2001
+From: Jian J Wang
+Date: Thu, 10 Oct 2019 14:28:36 +0800
+Subject: [PATCH 10/17] SecurityPkg/DxeImageVerificationLib: avoid bypass in
+ fetching dbx (CVE-2019-14575)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+
+In timestamp check after the cert is found in db, the original code jumps
+to 'Done' if any error happens in fetching dbx variable. At any of the
+jump, VerifyStatus equals to TRUE, which means allowed-by-db. This should
+not be allowed except to EFI_NOT_FOUND case (meaning dbx doesn't exist),
+because it could be used to bypass timestamp check.
+
+This patch add code to change VerifyStatus to FALSE in the case of memory
+allocation failure and dbx fetching failure to avoid potential bypass
+issue.
+
+Cc: Jiewen Yao
+Cc: Chao Zhang
+Signed-off-by: Jian J Wang
+Reviewed-by: Jiewen Yao
+
+Origin: https://github.com/tianocore/edk2/commit/929d1a24d12822942fd4f9fa83582e27f92de243
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+Bug-Debian: https://bugs.debian.org/952935
+Last-Update: 2020-03-16
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index 1efb2f96cd..ed5dbf26b0 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1459,15 +1459,26 @@ IsAllowedByDb (
+ DbxDataSize = 0;
+ Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, NULL);
+ if (Status != EFI_BUFFER_TOO_SMALL) {
++ if (Status != EFI_NOT_FOUND) {
++ VerifyStatus = FALSE;
++ }
+ goto Done;
+ }
+ DbxData = (UINT8 *) AllocateZeroPool (DbxDataSize);
+ if (DbxData == NULL) {
++ //
++ // Force not-allowed-by-db to avoid bypass
++ //
++ VerifyStatus = FALSE;
+ goto Done;
+ }
+ 
+ Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, (VOID *) DbxData);
+ if (EFI_ERROR (Status)) {
++ //
++ // Force not-allowed-by-db to avoid bypass
++ //
++ VerifyStatus = FALSE;
+ goto Done;
+ }
+ 
+--
+2.25.1
+
diff -Nru edk2-0~20181115.85588389/debian/patches/0011-SecurityPkg-DxeImageVerificationLib-refactor-db-dbx-.patch edk2-0~20181115.85588389/debian/patches/0011-SecurityPkg-DxeImageVerificationLib-refactor-db-dbx-.patch
--- edk2-0~20181115.85588389/debian/patches/0011-SecurityPkg-DxeImageVerificationLib-refactor-db-dbx-.patch 1970-01-01 00:00:00.000000000 +0000
+++ edk2-0~20181115.85588389/debian/patches/0011-SecurityPkg-DxeImageVerificationLib-refactor-db-dbx-.patch 2020-04-22 23:01:44.000000000 +0000
@@ -0,0 +1,211 @@ +From adc6898366298d1f64b91785e50095527f682758 Mon Sep 17 00:00:00 2001 +From: Jian J Wang +Date: Thu, 10 Oct 2019 15:49:55 +0800 +Subject: [PATCH 11/17] SecurityPkg/DxeImageVerificationLib: refactor db/dbx + fetching code (CVE-2019-14575) + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 + +The dbx fetching code inside the while/for-loop causes code hard to +understand. Since there's no need to get dbx more than once, this patch +simplify the code logic by moving related code to be outside the while- +loop. db fetching code is also refined accordingly to reduce the indent +level of code. + +More comments are also added or refined to explain more details. + +Cc: Jiewen Yao +Cc: Chao Zhang +Signed-off-by: Jian J Wang +Reviewed-by: Jiewen Yao + +Origin: https://github.com/tianocore/edk2/commit/adc6898366298d1f64b91785e50095527f682758 +Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 +Bug-Debian: https://bugs.debian.org/952935 +Last-Update: 2020-03-16 + +diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +index ed5dbf26b0..8739d1fa29 100644 +--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c ++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +@@ -1412,76 +1412,92 @@ IsAllowedByDb ( + RootCertSize = 0; + VerifyStatus = FALSE; + ++ // ++ // Fetch 'db' content. If 'db' doesn't exist or encounters problem to get the ++ // data, return not-allowed-by-db (FALSE). 
++ // + DataSize = 0; + Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL); +- if (Status == EFI_BUFFER_TOO_SMALL) { +- Data = (UINT8 *) AllocateZeroPool (DataSize); +- if (Data == NULL) { +- return VerifyStatus; ++ ASSERT (EFI_ERROR (Status)); ++ if (Status != EFI_BUFFER_TOO_SMALL) { ++ return VerifyStatus; ++ } ++ ++ Data = (UINT8 *) AllocateZeroPool (DataSize); ++ if (Data == NULL) { ++ return VerifyStatus; ++ } ++ ++ Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, (VOID *) Data); ++ if (EFI_ERROR (Status)) { ++ goto Done; ++ } ++ ++ // ++ // Fetch 'dbx' content. If 'dbx' doesn't exist, continue to check 'db'. ++ // If any other errors occured, no need to check 'db' but just return ++ // not-allowed-by-db (FALSE) to avoid bypass. ++ // ++ DbxDataSize = 0; ++ Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, NULL); ++ ASSERT (EFI_ERROR (Status)); ++ if (Status != EFI_BUFFER_TOO_SMALL) { ++ if (Status != EFI_NOT_FOUND) { ++ goto Done; ++ } ++ // ++ // 'dbx' does not exist. Continue to check 'db'. ++ // ++ } else { ++ // ++ // 'dbx' exists. Get its content. ++ // ++ DbxData = (UINT8 *) AllocateZeroPool (DbxDataSize); ++ if (DbxData == NULL) { ++ goto Done; + } + +- Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, (VOID *) Data); ++ Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, (VOID *) DbxData); + if (EFI_ERROR (Status)) { + goto Done; + } ++ } + +- // +- // Find X509 certificate in Signature List to verify the signature in pkcs7 signed data. 
+- // +- CertList = (EFI_SIGNATURE_LIST *) Data; +- while ((DataSize > 0) && (DataSize >= CertList->SignatureListSize)) { +- if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) { +- CertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); +- CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize; ++ // ++ // Find X509 certificate in Signature List to verify the signature in pkcs7 signed data. ++ // ++ CertList = (EFI_SIGNATURE_LIST *) Data; ++ while ((DataSize > 0) && (DataSize >= CertList->SignatureListSize)) { ++ if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) { ++ CertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); ++ CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize; + +- for (Index = 0; Index < CertCount; Index++) { +- // +- // Iterate each Signature Data Node within this CertList for verify. +- // +- RootCert = CertData->SignatureData; +- RootCertSize = CertList->SignatureSize - sizeof (EFI_GUID); ++ for (Index = 0; Index < CertCount; Index++) { ++ // ++ // Iterate each Signature Data Node within this CertList for verify. ++ // ++ RootCert = CertData->SignatureData; ++ RootCertSize = CertList->SignatureSize - sizeof (EFI_GUID); + ++ // ++ // Call AuthenticodeVerify library to Verify Authenticode struct. ++ // ++ VerifyStatus = AuthenticodeVerify ( ++ AuthData, ++ AuthDataSize, ++ RootCert, ++ RootCertSize, ++ mImageDigest, ++ mImageDigestSize ++ ); ++ if (VerifyStatus) { + // +- // Call AuthenticodeVerify library to Verify Authenticode struct. ++ // The image is signed and its signature is found in 'db'. 
+ // +- VerifyStatus = AuthenticodeVerify ( +- AuthData, +- AuthDataSize, +- RootCert, +- RootCertSize, +- mImageDigest, +- mImageDigestSize +- ); +- if (VerifyStatus) { ++ if (DbxData != NULL) { + // + // Here We still need to check if this RootCert's Hash is revoked + // +- DbxDataSize = 0; +- Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, NULL); +- if (Status != EFI_BUFFER_TOO_SMALL) { +- if (Status != EFI_NOT_FOUND) { +- VerifyStatus = FALSE; +- } +- goto Done; +- } +- DbxData = (UINT8 *) AllocateZeroPool (DbxDataSize); +- if (DbxData == NULL) { +- // +- // Force not-allowed-by-db to avoid bypass +- // +- VerifyStatus = FALSE; +- goto Done; +- } +- +- Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DbxDataSize, (VOID *) DbxData); +- if (EFI_ERROR (Status)) { +- // +- // Force not-allowed-by-db to avoid bypass +- // +- VerifyStatus = FALSE; +- goto Done; +- } +- + if (IsCertHashFoundInDatabase (RootCert, RootCertSize, (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, &RevocationTime)) { + // + // Check the timestamp signature and signing time to determine if the RootCert can be trusted. +@@ -1491,17 +1507,23 @@ IsAllowedByDb ( + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed and signature is accepted by DB, but its root cert failed the timestamp check.\n")); + } + } +- +- goto Done; + } + +- CertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertData + CertList->SignatureSize); ++ // ++ // There's no 'dbx' to check revocation time against (must-be pass), ++ // or, there's revocation time found in 'dbx' and checked againt 'dbt' ++ // (maybe pass or fail, depending on timestamp compare result). Either ++ // way the verification job has been completed at this point. 
++ // ++ goto Done; + } +- } + +- DataSize -= CertList->SignatureListSize; +- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize); ++ CertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertData + CertList->SignatureSize); ++ } + } ++ ++ DataSize -= CertList->SignatureListSize; ++ CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize); + } + + Done: +-- +2.25.1 + diff -Nru edk2-0~20181115.85588389/debian/patches/0012-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch edk2-0~20181115.85588389/debian/patches/0012-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch --- edk2-0~20181115.85588389/debian/patches/0012-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch 1970-01-01 00:00:00.000000000 +0000 +++ edk2-0~20181115.85588389/debian/patches/0012-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch 2020-04-22 23:01:58.000000000 +0000 
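Review bot: The re-indented walk over 'db' still trusts every EFI_SIGNATURE_LIST header field it reads: `CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize` divides by an unchecked SignatureSize and wraps when SignatureListSize is smaller than the header, `RootCertSize = CertList->SignatureSize - sizeof (EFI_GUID)` wraps for a SignatureSize below 16, and a zero SignatureListSize never advances the while loop. 'db' is an authenticated variable, so malformed content needs a privileged writer or a bug in the variable service, but the guard is cheap and VerifyStatus is FALSE whenever the loop head is reached (a TRUE result already jumps to Done), so bailing out fails closed: `if ((CertList->SignatureListSize < sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize) || (CertList->SignatureSize <= sizeof (EFI_GUID))) { goto Done; }` at the top of the loop body. The new comments also spell "occured" and "againt". IsAllowedByDb's declarations and its Done: cleanup lie outside the hunk.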
@@ -0,0 +1,202 @@ +From a83dbf008cc73406cbdc0d5ac3164cc19fff6683 Mon Sep 17 00:00:00 2001 +From: Jian J Wang +Date: Mon, 16 Sep 2019 16:52:58 +0800 +Subject: [PATCH 12/17] SecurityPkg/DxeImageVerificationLib: Differentiate + error/search result (1) (CVE-2019-14575) + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 + +To avoid false-negative issue in check hash against dbx, both error +condition (as return value) and check result (as out parameter) of +IsCertHashFoundInDatabase() are added. So the caller of this function +will know exactly if a failure is caused by a black list hit or +other error happening, and enforce a more secure operation to prevent +secure boot from being bypassed. For a white list check (db), there's +no such necessity. + +Cc: Jiewen Yao +Cc: Chao Zhang +Signed-off-by: Jian J Wang +Signed-off-by: Laszlo Ersek +Reviewed-by: Jiewen Yao + +Origin: https://github.com/tianocore/edk2/commit/a83dbf008cc73406cbdc0d5ac3164cc19fff6683 +Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 +Bug-Debian: https://bugs.debian.org/952935 +Last-Update: 2020-03-16 + +diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +index 8739d1fa29..85261ba7f2 100644 +--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c ++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +@@ -822,22 +822,23 @@ AddImageExeInfo ( + @param[in] SignatureList Pointer to the Signature List in forbidden database. + @param[in] SignatureListSize Size of Signature List. + @param[out] RevocationTime Return the time that the certificate was revoked. ++ @param[out] IsFound Search result. Only valid if EFI_SUCCESS returned. + +- @return TRUE The certificate hash is found in the forbidden database. +- @return FALSE The certificate hash is not found in the forbidden database. ++ @retval EFI_SUCCESS Finished the search without any error. 
++ @retval Others Error occurred in the search of database. + + **/ +-BOOLEAN ++EFI_STATUS + IsCertHashFoundInDatabase ( + IN UINT8 *Certificate, + IN UINTN CertSize, + IN EFI_SIGNATURE_LIST *SignatureList, + IN UINTN SignatureListSize, +- OUT EFI_TIME *RevocationTime ++ OUT EFI_TIME *RevocationTime, ++ OUT BOOLEAN *IsFound + ) + { +- BOOLEAN IsFound; +- BOOLEAN Status; ++ EFI_STATUS Status; + EFI_SIGNATURE_LIST *DbxList; + UINTN DbxSize; + EFI_SIGNATURE_DATA *CertHash; +@@ -851,21 +852,22 @@ IsCertHashFoundInDatabase ( + UINT8 *TBSCert; + UINTN TBSCertSize; + +- IsFound = FALSE; ++ Status = EFI_ABORTED; ++ *IsFound = FALSE; + DbxList = SignatureList; + DbxSize = SignatureListSize; + HashCtx = NULL; + HashAlg = HASHALG_MAX; + + if ((RevocationTime == NULL) || (DbxList == NULL)) { +- return FALSE; ++ return EFI_INVALID_PARAMETER; + } + + // + // Retrieve the TBSCertificate from the X.509 Certificate. + // + if (!X509GetTBSCert (Certificate, CertSize, &TBSCert, &TBSCertSize)) { +- return FALSE; ++ return Status; + } + + while ((DbxSize > 0) && (SignatureListSize >= DbxList->SignatureListSize)) { +@@ -895,16 +897,13 @@ IsCertHashFoundInDatabase ( + if (HashCtx == NULL) { + goto Done; + } +- Status = mHash[HashAlg].HashInit (HashCtx); +- if (!Status) { ++ if (!mHash[HashAlg].HashInit (HashCtx)) { + goto Done; + } +- Status = mHash[HashAlg].HashUpdate (HashCtx, TBSCert, TBSCertSize); +- if (!Status) { ++ if (!mHash[HashAlg].HashUpdate (HashCtx, TBSCert, TBSCertSize)) { + goto Done; + } +- Status = mHash[HashAlg].HashFinal (HashCtx, CertDigest); +- if (!Status) { ++ if (!mHash[HashAlg].HashFinal (HashCtx, CertDigest)) { + goto Done; + } + +@@ -923,7 +922,8 @@ IsCertHashFoundInDatabase ( + // + // Hash of Certificate is found in forbidden database. + // +- IsFound = TRUE; ++ Status = EFI_SUCCESS; ++ *IsFound = TRUE; + + // + // Return the revocation time. 
+@@ -938,12 +938,14 @@ IsCertHashFoundInDatabase ( + DbxList = (EFI_SIGNATURE_LIST *) ((UINT8 *) DbxList + DbxList->SignatureListSize); + } + ++ Status = EFI_SUCCESS; ++ + Done: + if (HashCtx != NULL) { + FreePool (HashCtx); + } + +- return IsFound; ++ return Status; + } + + /** +@@ -1216,6 +1218,7 @@ IsForbiddenByDbx ( + { + EFI_STATUS Status; + BOOLEAN IsForbidden; ++ BOOLEAN IsFound; + UINT8 *Data; + UINTN DataSize; + EFI_SIGNATURE_LIST *CertList; +@@ -1344,20 +1347,29 @@ IsForbiddenByDbx ( + // + CertPtr = CertPtr + sizeof (UINT32) + CertSize; + +- if (IsCertHashFoundInDatabase (Cert, CertSize, (EFI_SIGNATURE_LIST *)Data, DataSize, &RevocationTime)) { ++ Status = IsCertHashFoundInDatabase (Cert, CertSize, (EFI_SIGNATURE_LIST *)Data, DataSize, &RevocationTime, &IsFound); ++ if (EFI_ERROR (Status)) { + // +- // Check the timestamp signature and signing time to determine if the image can be trusted. ++ // Error in searching dbx. Consider it as 'found'. RevocationTime might ++ // not be valid in such situation. + // + IsForbidden = TRUE; ++ } else if (IsFound) { ++ // ++ // Found Cert in dbx successfully. Check the timestamp signature and ++ // signing time to determine if the image can be trusted. ++ // + if (PassTimestampCheck (AuthData, AuthDataSize, &RevocationTime)) { + IsForbidden = FALSE; + // + // Pass DBT check. 
Continue to check other certs in image signer's cert list against DBX, DBT + // + continue; ++ } else { ++ IsForbidden = TRUE; ++ DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature failed the timestamp check.\n")); ++ goto Done; + } +- DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature failed the timestamp check.\n")); +- goto Done; + } + + } +@@ -1392,6 +1404,7 @@ IsAllowedByDb ( + { + EFI_STATUS Status; + BOOLEAN VerifyStatus; ++ BOOLEAN IsFound; + EFI_SIGNATURE_LIST *CertList; + EFI_SIGNATURE_DATA *CertData; + UINTN DataSize; +@@ -1498,7 +1511,14 @@ IsAllowedByDb ( + // + // Here We still need to check if this RootCert's Hash is revoked + // +- if (IsCertHashFoundInDatabase (RootCert, RootCertSize, (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, &RevocationTime)) { ++ Status = IsCertHashFoundInDatabase (RootCert, RootCertSize, (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, &RevocationTime, &IsFound); ++ if (EFI_ERROR (Status)) { ++ // ++ // Error in searching dbx. Consider it as 'found'. RevocationTime might ++ // not be valid in such situation. ++ // ++ VerifyStatus = FALSE; ++ } else if (IsFound) { + // + // Check the timestamp signature and signing time to determine if the RootCert can be trusted. + // +-- +2.25.1 + diff -Nru edk2-0~20181115.85588389/debian/patches/0013-SecurityPkg-DxeImageVerificationLib-tighten-default-.patch edk2-0~20181115.85588389/debian/patches/0013-SecurityPkg-DxeImageVerificationLib-tighten-default-.patch --- edk2-0~20181115.85588389/debian/patches/0013-SecurityPkg-DxeImageVerificationLib-tighten-default-.patch 1970-01-01 00:00:00.000000000 +0000 +++ edk2-0~20181115.85588389/debian/patches/0013-SecurityPkg-DxeImageVerificationLib-tighten-default-.patch 2020-04-22 23:02:11.000000000 +0000 
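Review bot: In the IsForbiddenByDbx hunk the new error branch `if (EFI_ERROR (Status)) { IsForbidden = TRUE; }` does not leave the loop, unlike the timestamp-failure branch below it that ends in `goto Done`, so iteration continues over the remaining certificates; a later certificate that is found in dbx and passes the timestamp check sets `IsForbidden = FALSE`, and the 0013 hunk adds an unconditional `IsForbidden = FALSE;` after the loop, so a search error that is not followed by a hard failure is reported as not forbidden once the loop finishes — the opposite of the "Consider it as 'found'" comment. Adding `goto Done;` after `IsForbidden = TRUE;` in that branch makes the error fail closed; the enclosing loops start outside the hunk, so confirm nothing there already exits on the flag. In IsCertHashFoundInDatabase, `*IsFound = FALSE;` is written before the `(RevocationTime == NULL) || (DbxList == NULL)` check and IsFound itself is never validated, so a NULL IsFound is dereferenced before EFI_INVALID_PARAMETER can be returned; add `|| (IsFound == NULL)` to that check and move the assignment after it.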
@@ -0,0 +1,63 @@
+From 5cd8be6079ea7e5638903b2f3da0f4c10ec7f1da Mon Sep 17 00:00:00 2001
+From: Jian J Wang
+Date: Tue, 17 Sep 2019 11:04:33 +0800
+Subject: [PATCH 13/17] SecurityPkg/DxeImageVerificationLib: tighten default
+ result (CVE-2019-14575)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+
+All intermediate results inside this function will be checked and
+returned immediately upon any failure or error, like out-of-resource,
+hash calculation error or certificate retrieval failure.
+
+Cc: Jiewen Yao
+Cc: Chao Zhang
+Signed-off-by: Jian J Wang
+Signed-off-by: Laszlo Ersek
+Reviewed-by: Jiewen Yao
+
+Origin: https://github.com/tianocore/edk2/commit/5cd8be6079ea7e5638903b2f3da0f4c10ec7f1da
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+Bug-Debian: https://bugs.debian.org/952935
+Last-Update: 2020-03-16
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index 85261ba7f2..470a0d20ef 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1240,7 +1240,7 @@ IsForbiddenByDbx (
+ //
+ // Variable Initialization
+ //
+- IsForbidden = FALSE;
++ IsForbidden = TRUE;
+ Data = NULL;
+ CertList = NULL;
+ CertData = NULL;
+@@ -1257,7 +1257,14 @@ IsForbiddenByDbx (
+ //
+ DataSize = 0;
+ Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL);
++ ASSERT (EFI_ERROR (Status));
+ if (Status != EFI_BUFFER_TOO_SMALL) {
++ if (Status == EFI_NOT_FOUND) {
++ //
++ // Evidently not in dbx if the database doesn't exist.
++ //
++ IsForbidden = FALSE;
++ }
+ return IsForbidden;
+ }
+ Data = (UINT8 *) AllocateZeroPool (DataSize);
+@@ -1374,6 +1381,8 @@ IsForbiddenByDbx (
+ 
+ }
+ 
++ IsForbidden = FALSE;
++
+ Done:
+ if (Data != NULL) {
+ FreePool (Data);
+--
+2.25.1
+
diff -Nru edk2-0~20181115.85588389/debian/patches/0014-SecurityPkg-DxeImageVerificationLib-plug-Data-leak-i.patch edk2-0~20181115.85588389/debian/patches/0014-SecurityPkg-DxeImageVerificationLib-plug-Data-leak-i.patch
--- edk2-0~20181115.85588389/debian/patches/0014-SecurityPkg-DxeImageVerificationLib-plug-Data-leak-i.patch 1970-01-01 00:00:00.000000000 +0000
+++ edk2-0~20181115.85588389/debian/patches/0014-SecurityPkg-DxeImageVerificationLib-plug-Data-leak-i.patch 2020-04-22 23:02:27.000000000 +0000
@@ -0,0 +1,37 @@
+From cb30c8f25162e6d8142c6b098f14c1e4e7f125ce Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek
+Date: Wed, 25 Sep 2019 13:41:57 +0200
+Subject: [PATCH 14/17] SecurityPkg/DxeImageVerificationLib: plug Data leak in
+ IsForbiddenByDbx() (CVE-2019-14575)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+
+If the second GetVariable() call for "dbx" fails, in IsForbiddenByDbx(),
+we have to free Data. Jump to "Done" for that.
+
+Cc: Jiewen Yao
+Cc: Chao Zhang
+Signed-off-by: Laszlo Ersek
+Reviewed-by: Jiewen Yao
+
+Origin: https://github.com/tianocore/edk2/commit/cb30c8f25162e6d8142c6b098f14c1e4e7f125ce
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+Bug-Debian: https://bugs.debian.org/952935
+Last-Update: 2020-03-16
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index 470a0d20ef..f20640af68 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1274,7 +1274,7 @@ IsForbiddenByDbx (
+ 
+ Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, (VOID *) Data);
+ if (EFI_ERROR (Status)) {
+- return IsForbidden;
++ goto Done;
+ }
+ 
+ //
+--
+2.25.1
+
diff -Nru edk2-0~20181115.85588389/debian/patches/0015-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch edk2-0~20181115.85588389/debian/patches/0015-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch
--- edk2-0~20181115.85588389/debian/patches/0015-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch 1970-01-01 00:00:00.000000000 +0000
+++ edk2-0~20181115.85588389/debian/patches/0015-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch 2020-04-22 23:02:41.000000000 +0000
@@ -0,0 +1,203 @@ +From b1c11470598416c89c67b75c991fd0773bcbab9d Mon Sep 17 00:00:00 2001 +From: Jian J Wang +Date: Thu, 10 Oct 2019 15:02:17 +0800 +Subject: [PATCH 15/17] SecurityPkg/DxeImageVerificationLib: Differentiate + error/search result (2) (CVE-2019-14575) + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 + +To avoid false-negative issue in check hash against dbx, both error +condition (as return value) and check result (as out parameter) of +IsSignatureFoundInDatabase() are added. So the caller of this function +will know exactly if a failure is caused by a black list hit or +other error happening, and enforce a more secure operation to prevent +secure boot from being bypassed. For a white list check (db), there's +no such necessity. + +All intermediate results inside this function will be checked and +returned immediately upon any failure or error, like out-of-resource, +hash calculation error or certificate retrieval failure. + +Cc: Jiewen Yao +Cc: Chao Zhang +Signed-off-by: Jian J Wang +Reviewed-by: Laszlo Ersek +Reviewed-by: Jiewen Yao +[dannf: backported to stable-201911] + +Origin: https://github.com/tianocore/edk2/commit/b1c11470598416c89c67b75c991fd0773bcbab9d +Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 +Bug-Debian: https://bugs.debian.org/952935 +Last-Update: 2020-03-16 + +Index: edk2-0~20190606.20d2e5a1/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +=================================================================== +--- edk2-0~20190606.20d2e5a1.orig/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c ++++ edk2-0~20190606.20d2e5a1/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +@@ -954,17 +954,19 @@ Done: + @param[in] Signature Pointer to signature that is searched for. + @param[in] CertType Pointer to hash algrithom. + @param[in] SignatureSize Size of Signature. ++ @param[out] IsFound Search result. 
Only valid if EFI_SUCCESS returned + +- @return TRUE Found the signature in the variable database. +- @return FALSE Not found the signature in the variable database. ++ @retval EFI_SUCCESS Finished the search without any error. ++ @retval Others Error occurred in the search of database. + + **/ +-BOOLEAN ++EFI_STATUS + IsSignatureFoundInDatabase ( +- IN CHAR16 *VariableName, +- IN UINT8 *Signature, +- IN EFI_GUID *CertType, +- IN UINTN SignatureSize ++ IN CHAR16 *VariableName, ++ IN UINT8 *Signature, ++ IN EFI_GUID *CertType, ++ IN UINTN SignatureSize, ++ OUT BOOLEAN *IsFound + ) + { + EFI_STATUS Status; +@@ -974,22 +976,28 @@ IsSignatureFoundInDatabase ( + UINT8 *Data; + UINTN Index; + UINTN CertCount; +- BOOLEAN IsFound; + + // + // Read signature database variable. + // +- IsFound = FALSE; ++ *IsFound = FALSE; + Data = NULL; + DataSize = 0; + Status = gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL); + if (Status != EFI_BUFFER_TOO_SMALL) { +- return FALSE; ++ if (Status == EFI_NOT_FOUND) { ++ // ++ // No database, no need to search. ++ // ++ Status = EFI_SUCCESS; ++ } ++ ++ return Status; + } + + Data = (UINT8 *) AllocateZeroPool (DataSize); + if (Data == NULL) { +- return FALSE; ++ return EFI_OUT_OF_RESOURCES; + } + + Status = gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, Data); +@@ -1009,7 +1017,7 @@ IsSignatureFoundInDatabase ( + // + // Find the signature in database. 
+ // +- IsFound = TRUE; ++ *IsFound = TRUE; + // + // Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to validate image should be measured + // +@@ -1022,7 +1030,7 @@ IsSignatureFoundInDatabase ( + Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize); + } + +- if (IsFound) { ++ if (*IsFound) { + break; + } + } +@@ -1036,7 +1044,7 @@ Done: + FreePool (Data); + } + +- return IsFound; ++ return Status; + } + + /** +@@ -1646,6 +1654,8 @@ DxeImageVerificationHandler ( + EFI_IMAGE_DATA_DIRECTORY *SecDataDir; + UINT32 OffSet; + CHAR16 *NameStr; ++ EFI_STATUS DbStatus; ++ BOOLEAN IsFound; + + SignatureList = NULL; + SignatureListSize = 0; +@@ -1655,7 +1665,7 @@ DxeImageVerificationHandler ( + Action = EFI_IMAGE_EXECUTION_AUTH_UNTESTED; + Status = EFI_ACCESS_DENIED; + VerifyStatus = EFI_ACCESS_DENIED; +- ++ IsFound = FALSE; + + // + // Check the image type and get policy setting. +@@ -1798,7 +1808,14 @@ DxeImageVerificationHandler ( + goto Done; + } + +- if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, &mCertType, mImageDigestSize)) { ++ DbStatus = IsSignatureFoundInDatabase ( ++ EFI_IMAGE_SECURITY_DATABASE1, ++ mImageDigest, ++ &mCertType, ++ mImageDigestSize, ++ &IsFound ++ ); ++ if (EFI_ERROR (DbStatus) || IsFound) { + // + // Image Hash is in forbidden database (DBX). + // +@@ -1806,7 +1823,14 @@ DxeImageVerificationHandler ( + goto Done; + } + +- if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) { ++ DbStatus = IsSignatureFoundInDatabase ( ++ EFI_IMAGE_SECURITY_DATABASE, ++ mImageDigest, ++ &mCertType, ++ mImageDigestSize, ++ &IsFound ++ ); ++ if (!EFI_ERROR (DbStatus) && IsFound) { + // + // Image Hash is in allowed database (DB). + // +@@ -1894,13 +1918,27 @@ DxeImageVerificationHandler ( + // + // Check the image's hash value. 
+ // +- if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, &mCertType, mImageDigestSize)) { ++ DbStatus = IsSignatureFoundInDatabase ( ++ EFI_IMAGE_SECURITY_DATABASE1, ++ mImageDigest, ++ &mCertType, ++ mImageDigestSize, ++ &IsFound ++ ); ++ if (EFI_ERROR (DbStatus) || IsFound) { + Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND; + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but %s hash of image is found in DBX.\n", mHashTypeStr)); + VerifyStatus = EFI_ACCESS_DENIED; + break; + } else if (EFI_ERROR (VerifyStatus)) { +- if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) { ++ DbStatus = IsSignatureFoundInDatabase ( ++ EFI_IMAGE_SECURITY_DATABASE, ++ mImageDigest, ++ &mCertType, ++ mImageDigestSize, ++ &IsFound ++ ); ++ if (!EFI_ERROR (DbStatus) && IsFound) { + VerifyStatus = EFI_SUCCESS; + } else { + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr)); diff -Nru edk2-0~20181115.85588389/debian/patches/0016-SecurityPkg-DxeImageVerificationLib-change-IsCertHas.patch edk2-0~20181115.85588389/debian/patches/0016-SecurityPkg-DxeImageVerificationLib-change-IsCertHas.patch --- edk2-0~20181115.85588389/debian/patches/0016-SecurityPkg-DxeImageVerificationLib-change-IsCertHas.patch 1970-01-01 00:00:00.000000000 +0000 +++ edk2-0~20181115.85588389/debian/patches/0016-SecurityPkg-DxeImageVerificationLib-change-IsCertHas.patch 2020-04-22 23:02:56.000000000 +0000 
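Review bot: In DxeImageVerificationHandler the dbx lookup now treats an error the same as a hit (`if (EFI_ERROR (DbStatus) || IsFound)`), which fails closed, but the branch keeps the "Image Hash is in forbidden database (DBX)" comment and, in the later hunk, the "hash of image is found in DBX" DEBUG line, so an out-of-resources or GetVariable failure is logged as a dbx match and the real cause is lost for anyone triaging a refused boot. Log the status on that path, e.g. `if (EFI_ERROR (DbStatus)) { DEBUG ((DEBUG_ERROR, "DxeImageVerificationLib: dbx lookup failed: %r\n", DbStatus)); }` ahead of the existing message, at both call sites. In IsSignatureFoundInDatabase, `*IsFound = FALSE;` is written unconditionally with no NULL check on IsFound, unlike the EFI_INVALID_PARAMETER handling its sibling IsCertHashFoundInDatabase gained in 0012; either check it or state in the @param[out] line that IsFound must not be NULL. DxeImageVerificationHandler's body and its Done: label lie outside the hunks.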
@@ -0,0 +1,55 @@
+From c230c002accc4281ccc57bba7153a9b2d9b9ccd3 Mon Sep 17 00:00:00 2001
+From: Jian J Wang
+Date: Fri, 14 Feb 2020 13:50:32 +0800
+Subject: [PATCH 16/17] SecurityPkg/DxeImageVerificationLib: change
+ IsCertHashFoundInDatabase name (CVE-2019-14575)
+
+IsCertHashFoundInDatabase() is actually used only for searching dbx,
+according to the function logic, its comments and its use cases. Changing
+it to IsCertHashFoundInDbx to avoid confusion.
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+Cc: Jiewen Yao
+Cc: Chao Zhang
+Signed-off-by: Jian J Wang
+Reviewed-by: Jiewen Yao
+
+Origin: https://github.com/tianocore/edk2/commit/c230c002accc4281ccc57bba7153a9b2d9b9ccd3
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
+Bug-Debian: https://bugs.debian.org/952935
+Last-Update: 2020-03-16
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index 0e1587bc3c..b7fa8ea8c5 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -829,7 +829,7 @@ AddImageExeInfo (
+ 
+ **/
+ EFI_STATUS
+-IsCertHashFoundInDatabase (
++IsCertHashFoundInDbx (
+ IN UINT8 *Certificate,
+ IN UINTN CertSize,
+ IN EFI_SIGNATURE_LIST *SignatureList,
+@@ -1362,7 +1362,7 @@ IsForbiddenByDbx (
+ //
+ CertPtr = CertPtr + sizeof (UINT32) + CertSize;
+ 
+- Status = IsCertHashFoundInDatabase (Cert, CertSize, (EFI_SIGNATURE_LIST *)Data, DataSize, &RevocationTime, &IsFound);
++ Status = IsCertHashFoundInDbx (Cert, CertSize, (EFI_SIGNATURE_LIST *)Data, DataSize, &RevocationTime, &IsFound);
+ if (EFI_ERROR (Status)) {
+ //
+ // Error in searching dbx. Consider it as 'found'. RevocationTime might
+@@ -1528,7 +1528,7 @@ IsAllowedByDb (
+ //
+ // Here We still need to check if this RootCert's Hash is revoked
+ //
+- Status = IsCertHashFoundInDatabase (RootCert, RootCertSize, (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, &RevocationTime, &IsFound);
++ Status = IsCertHashFoundInDbx (RootCert, RootCertSize, (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, &RevocationTime, &IsFound);
+ if (EFI_ERROR (Status)) {
+ //
+ // Error in searching dbx. Consider it as 'found'. RevocationTime might
+--
+2.25.1
+
diff -Nru edk2-0~20181115.85588389/debian/patches/0017-NetworkPkg-ArpDxe-Recycle-invalid-ARP-packets-CVE-20.patch edk2-0~20181115.85588389/debian/patches/0017-NetworkPkg-ArpDxe-Recycle-invalid-ARP-packets-CVE-20.patch
--- edk2-0~20181115.85588389/debian/patches/0017-NetworkPkg-ArpDxe-Recycle-invalid-ARP-packets-CVE-20.patch 1970-01-01 00:00:00.000000000 +0000
+++ edk2-0~20181115.85588389/debian/patches/0017-NetworkPkg-ArpDxe-Recycle-invalid-ARP-packets-CVE-20.patch 2020-04-22 23:03:16.000000000 +0000
@@ -0,0 +1,46 @@
+From 1d3215fd24f47eaa4877542a59b4bbf5afc0cfe8 Mon Sep 17 00:00:00 2001
+From: Siyuan Fu
+Date: Fri, 21 Feb 2020 10:14:18 +0800
+Subject: [PATCH 17/17] NetworkPkg/ArpDxe: Recycle invalid ARP packets
+ (CVE-2019-14559)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2031
+
+This patch triggers the RecycleEvent for invalid ARP packets.
+Prior to this, we would just ignore invalid ARP packets,
+and never free them.
+
+Cc: Jiaxin Wu
+Cc: Maciej Rabeda
+Cc: Siyuan Fu
+Signed-off-by: Nicholas Armour
+Reviewed-by: Siyuan Fu
+[dannf: Change modified file path; drop conflicting Copyright date change]
+
+Origin: https://github.com/tianocore/edk2/commit/1d3215fd24f47eaa4877542a59b4bbf5afc0cfe8
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=2031
+Bug-Debian: https://bugs.debian.org/952926
+Last-Update: 2020-04-03
+
+Index: edk2-0~20180205.c0d9813c/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c
+===================================================================
+--- edk2-0~20180205.c0d9813c.orig/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c
++++ edk2-0~20180205.c0d9813c/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c
+@@ -119,7 +119,7 @@ ArpOnFrameRcvdDpc (
+ //
+ // Restart the receiving if packet size is not correct.
+ //
+- goto RESTART_RECEIVE;
++ goto RECYCLE_RXDATA;
+ }
+ 
+ //
+@@ -131,7 +131,7 @@ ArpOnFrameRcvdDpc (
+ Head->OpCode = NTOHS (Head->OpCode);
+ 
+ if (RxData->DataLength < (sizeof (ARP_HEAD) + 2 * Head->HwAddrLen + 2 * Head->ProtoAddrLen)) {
+- goto RESTART_RECEIVE;
++ goto RECYCLE_RXDATA;
+ }
+ 
+ if ((Head->HwType != ArpService->SnpMode.IfType) ||
diff -Nru edk2-0~20181115.85588389/debian/patches/series edk2-0~20181115.85588389/debian/patches/series
--- edk2-0~20181115.85588389/debian/patches/series 2019-03-16 00:37:44.000000000 +0000
+++ edk2-0~20181115.85588389/debian/patches/series 2020-04-22 23:03:10.000000000 +0000
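Review bot: The comment above the first changed line, `// Restart the receiving if packet size is not correct.`, now describes the old control flow; the jump goes to RECYCLE_RXDATA, so it should read `// Recycle the packet and restart the receiving if packet size is not correct.`, and the second changed check, which has no comment at all, could carry the same one. The RECYCLE_RXDATA label and whatever it does with RxData->RecycleEvent lie outside the hunk, as does the rest of ArpOnFrameRcvdDpc; presumably it falls through to RESTART_RECEIVE so the receive path is re-armed after the recycle, which is worth confirming since the old code re-armed unconditionally on both of these paths.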
@@ -7,3 +7,20 @@
 NetworkPkg-DnsDxe-CVE-2018-12178-Check-the-received-.patch
 0001-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
 0002-MdeModulePkg-HiiImage-Fix-stack-overflow-when-corrup.patch
+0001-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch
+0002-MdeModulePkg-HiiDB-Remove-configuration-table-when-i.patch
+0003-MdeModulePkg-String.c-Zero-memory-before-free-CVE-20.patch
+0004-MdeModulePkg-DisplayEngine-Zero-memory-before-free-C.patch
+0005-MdeModulePkg-SdMmcPciHcDxe-Fix-double-PciIo-Unmap-in.patch
+0006-NetworkPkg-Ip4Dxe-Check-the-received-package-length-.patch
+0007-SecurityPkg-DxeImageVerificationLib-Fix-memory-leaks.patch
+0008-SecurityPkg-DxeImageVerificationLib-reject-CertStack.patch
+0009-SecurityPkg-DxeImageVerificationLib-fix-wrong-fetch-.patch
+0010-SecurityPkg-DxeImageVerificationLib-avoid-bypass-in-.patch
+0011-SecurityPkg-DxeImageVerificationLib-refactor-db-dbx-.patch
+0012-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch
+0013-SecurityPkg-DxeImageVerificationLib-tighten-default-.patch
+0014-SecurityPkg-DxeImageVerificationLib-plug-Data-leak-i.patch
+0015-SecurityPkg-DxeImageVerificationLib-Differentiate-er.patch
+0016-SecurityPkg-DxeImageVerificationLib-change-IsCertHas.patch
+0017-NetworkPkg-ArpDxe-Recycle-invalid-ARP-packets-CVE-20.patch