Skip to content

Commit

Permalink
SecurityPkg/DxeImageVerificationLib: reject CertStack.CertNumber==0 p…
Browse files Browse the repository at this point in the history 
…er DBX (CVE-2019-14575)

In case the signers' certificate stack, retrieved from the PE/COFF image's
Authenticode blob, has zero elements (=there are zero signer certificates),
then we should consider the image forbidden by DBX, not accepted by DBX.

Cc: Jiewen Yao <[email protected]>
Cc: Chao Zhang <[email protected]>
Signed-off-by: Jian J Wang <[email protected]>
Reviewed-by: Laszlo Ersek <[email protected]>
Reviewed-by: Jiewen Yao <[email protected]>
  • Loading branch information
@mergify
Jian J Wang authored and mergify[bot] committed Feb 19, 2020
1 parent fbb9607 commit c13742b
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1326,7 +1326,7 @@ IsForbiddenByDbx (
// UINT8 Certn[];
//
Pkcs7GetSigners (AuthData, AuthDataSize, &CertBuffer, &BufferLength, &TrustedCert, &TrustedCertLength);
if ((BufferLength == 0) || (CertBuffer == NULL)) {
if ((BufferLength == 0) || (CertBuffer == NULL) || (*CertBuffer) == 0) {
IsForbidden = TRUE;
goto Done;
}
Expand Down

0 comments on commit c13742b

Please sign in to comment.