SecurityPkg: Out of bound read in HashPeImageByType()

In HashPeImageByType(), the hash of PE/COFF image is calculated. This function may get untrusted input. Inside this function, the following code verifies the loaded image has the correct format, by reading the second byte of the buffer. ```c if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) { ... } ``` The input image is not trusted and that may not have the second byte to read. So this poses an out of bound read error. With below fix we are assuring that we don't do out of bound read. i.e, we make sure that AuthDataSize is greater than 1. ```c if (AuthDataSize > 1 && (*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE){ ... } ``` AuthDataSize size is verified before reading the second byte. So if AuthDataSize is less than 2, the second byte will not be read, and the out of bound read situation won't occur. Tested the patch on real platform with and without TPM connected and verified image is booting fine. Authored-by: Raj AlwinX Selvaraj <Alw...@intel.com> Signed-off-by: Doug Flick <DougFlick@microsoft.com>
2024-10-03 09:37:18 -07:00 · 2024-10-03 09:37:18 -07:00 · 5f08635ee7
parent e4140a5701
commit 5f08635ee7
1 changed files with 1 additions and 1 deletions
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@ -642,7 +642,7 @@ HashPeImageByType (
    //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.
    //    Fixed offset (+32) is calculated based on two bytes of length encoding.
    //
-    if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
+    if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {
      //
      // Only support two bytes of Long Form of Length Encoding.
      //