diff options
| author | hhuan13 <hhuan13@6f19259b-4bc3-4df7-8a09-765794883524> | 2011-09-21 05:17:50 +0000 |
|---|---|---|
| committer | hhuan13 <hhuan13@6f19259b-4bc3-4df7-8a09-765794883524> | 2011-09-21 05:17:50 +0000 |
| commit | 648f98d15b5811ff9cf649bda8b762d50b735798 (patch) | |
| tree | 07f5dd7fd3eb14ea8703581ccd22c55b52922091 /SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c | |
| parent | 378175d2584ab0d52922308f6a18e710a36152ef (diff) | |
| download | edk2-platforms-648f98d15b5811ff9cf649bda8b762d50b735798.tar.xz | |
1. Enhance AuthVar driver to avoid process corrupted certificate input.
Signed-off-by: hhuan13
Reviewed-by: ftian
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12398 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c')
| -rw-r--r-- | SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c | 26 |
1 files changed, 22 insertions, 4 deletions
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c index cf94182612..fc23bb5212 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c @@ -1046,19 +1046,37 @@ VerifyTimeBasedPayload ( //
return EFI_SECURITY_VIOLATION;
}
-
+
//
// Find out Pkcs7 SignedData which follows the EFI_VARIABLE_AUTHENTICATION_2 descriptor.
// AuthInfo.Hdr.dwLength is the length of the entire certificate, including the length of the header.
//
- SigData = (UINT8*) ((UINTN)Data + (UINTN)(((EFI_VARIABLE_AUTHENTICATION_2 *) 0)->AuthInfo.CertData));
- SigDataSize = CertData->AuthInfo.Hdr.dwLength - (UINT32)(UINTN)(((WIN_CERTIFICATE_UEFI_GUID *) 0)->CertData);
+ SigData = (UINT8*) ((UINTN)Data + OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData));
+
+ //
+ // Sanity check to avoid corrupted certificate input.
+ //
+ if (CertData->AuthInfo.Hdr.dwLength < (UINT32)(OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData))) {
+ return EFI_SECURITY_VIOLATION;
+ }
+
+
+
+ SigDataSize = CertData->AuthInfo.Hdr.dwLength - (UINT32)(OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData));
//
// Find out the new data payload which follows Pkcs7 SignedData directly.
//
PayLoadPtr = (UINT8*) ((UINTN) SigData + (UINTN) SigDataSize);
- PayLoadSize = DataSize - (UINTN)(((EFI_VARIABLE_AUTHENTICATION_2 *) 0)->AuthInfo.CertData) - (UINTN) SigDataSize;
+
+ //
+ // Sanity check to avoid corrupted certificate input.
+ //
+ if (DataSize < (OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)+ (UINTN) SigDataSize)) {
+ return EFI_SECURITY_VIOLATION;
+ }
+
+ PayLoadSize = DataSize - OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) - OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData) - (UINTN) SigDataSize;
//
|