[PATCH] CryptoPkg/BaseCryptLib: fix NULL dereference (CVE-2019-14584)

Wang, Jian J

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1914=0D
AuthenticodeVerify() calls OpenSSLs d2i_PKCS7() API to parse asn encoded=0D
signed authenticode pkcs#7 data. when this successfully returns, a type=0D
check is done by calling PKCS7_type_is_signed() and then=0D
Pkcs7->d.sign->contents->type is used. It is possible to construct an asn1=
blob that successfully decodes and have d2i_PKCS7() return a valid pointer=
and have PKCS7_type_is_signed() also return success but have Pkcs7->d.sign=
be a NULL pointer.=0D
Looking at how PKCS7_verify() [inside of OpenSSL] implements checking for=0D
pkcs7 structs it does the following:=0D
- call PKCS7_type_is_signed()=0D
- call PKCS7_get_detached()=0D
Looking into how PKCS7_get_detatched() is implemented, it checks to see if=
p7->d.sign is NULL or if p7->d.sign->contents->d.ptr is NULL.=0D
As such, the fix is to do the same as OpenSSL after calling d2i_PKCS7().=0D
- Add call to PKS7_get_detached() to existing error handling=0D
Cc: Xiaoyu Lu <xiaoyux.lu@...>=0D
Cc: Guomin Jiang <guomin.jiang@...>=0D
Cc: Jiewen Yao <jiewen.yao@...>=0D
Cc: Laszlo Ersek <lersek@...>
Signed-off-by: Jian J Wang <jian.j.wang@...>=0D
Reviewed-by: Laszlo Ersek <lersek@...>
CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c b/Crypto=
index 2772b1e2be..ae0ee61fb6 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
@@ -9,7 +9,7 @@
AuthenticodeVerify() will get PE/COFF Authenticode and will do basic che=
ck for=0D
data structure.=0D
-Copyright (c) 2011 - 2015, Intel Corporation. All rights reserved.<BR>=0D
+Copyright (c) 2011 - 2019, Intel Corporation. All rights reserved.<BR>=0D
SPDX-License-Identifier: BSD-2-Clause-Patent=0D
@@ -100,7 +100,7 @@ AuthenticodeVerify (
// Check if it's PKCS#7 Signed Data (for Authenticode Scenario)=0D
- if (!PKCS7_type_is_signed (Pkcs7)) {=0D
+ if (!PKCS7_type_is_signed (Pkcs7) || PKCS7_get_detached (Pkcs7)) {=0D
goto _Exit;=0D

Join devel@edk2.groups.io to automatically receive all group messages.