| author | Jian J Wang <jian.j.wang@intel.com> | 2019-04-25 23:42:16 +0800 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2022-11-15 13:07:29 -0500 |
| commit | 53509eaf2253e23bfb552e9386fd0877abe592b4 (patch) | |
| tree | b4ab686ea095ab76a1c16c13b7d57c0eab327fc1 /Cryptlib/Cryptlib.diff | |
| parent | aa1b289a1a16774afc3143b8948d97261f0872d0 (diff) | |
CryptoPkg/BaseCryptLib: fix NULL dereference

AuthenticodeVerify() calls OpenSSL's d2i_PKCS7() API to parse asn encoded
signed authenticode pkcs#7 data. When this successfully returns, a type
check is done by calling PKCS7_type_is_signed() and then
Pkcs7->d.sign->contents->type is used. It is possible to construct an asn1
blob that successfully decodes and have d2i_PKCS7() return a valid pointer
and have PKCS7_type_is_signed() also return success but have Pkcs7->d.sign
be a NULL pointer.

Looking at how PKCS7_verify() [inside of OpenSSL] implements checking for
pkcs7 structs it does the following:

- call PKCS7_type_is_signed()
- call PKCS7_get_detached()

Looking into how PKCS7_get_detached() is implemented, it checks to see if
p7->d.sign is NULL or if p7->d.sign->contents->d.ptr is NULL.

As such, the fix is to do the same as OpenSSL after calling d2i_PKCS7().

- Add call to PKCS7_get_detached() to existing error handling

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Cherry-picked-from: https://github.com/tianocore/edk2/commit/26442d11e620a9e81c019a24a4ff38441c64ba10
Diffstat (limited to 'Cryptlib/Cryptlib.diff')
0 files changed, 0 insertions, 0 deletions
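The guard described in the commit message, as an added example that is not code from this commit, edk2 or OpenSSL. It uses simplified stand-in structs (`model_pkcs7` and the other `model_*` names are hypothetical) that carry only the fields the message names, and the type constants are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed type tags; these are not OpenSSL NID values. */
enum { MODEL_DATA = 1, MODEL_SIGNED = 2 };

/* Stand-ins for the fields named in the message:
   Pkcs7->d.sign, ->contents, ->contents->type, ->contents->d.ptr */
typedef struct { int type; void *ptr; } model_content;
typedef struct { model_content *contents; } model_signed;
typedef struct { int type; model_signed *sign; } model_pkcs7;

/* The outer type tag alone says nothing about whether d.sign was populated. */
static bool model_type_is_signed(const model_pkcs7 *p7)
{
    return p7->type == MODEL_SIGNED;
}

/* Mirrors the check the message attributes to PKCS7_get_detached():
   true when d.sign is NULL or d.sign->contents->d.ptr is NULL. */
static bool model_get_detached(const model_pkcs7 *p7)
{
    return p7->sign == NULL || p7->sign->contents->ptr == NULL;
}

/* Hardened read of contents->type: both checks run before any dereference
   of d.sign. Returns 0 and sets *out_type, or -1 if the object is rejected. */
int model_content_type(const model_pkcs7 *p7, int *out_type)
{
    if (p7 == NULL || !model_type_is_signed(p7) || model_get_detached(p7))
        return -1;
    *out_type = p7->sign->contents->type;
    return 0;
}

int main(void)
{
    /* Constructed input: tagged "signed" but with no signed-data body. */
    model_pkcs7 empty_signed = { MODEL_SIGNED, NULL };
    int type = 0;
    printf("signed tag, NULL d.sign -> %d\n",
           model_content_type(&empty_signed, &type));
    return 0;
}
```

With only the `model_type_is_signed()` check in place, the `empty_signed` object would reach the `p7->sign->contents->type` read and dereference NULL.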
