SecurityPkg/DxeImageVerificationLib: plug Data leak in IsForbiddenByDbx() (CVE-2019-14575)

Laszlo Ersek · mergify[bot] · commit cb30c8f25162 · 2020-02-19T14:08:23.000Z
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 If the second GetVariable() call for "dbx" fails, in IsForbiddenByDbx(), we have to free Data. Jump to "Done" for that. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Chao Zhang <chao.b.zhang@intel.com> Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1274,7 +1274,7 @@ IsForbiddenByDbx (
 
   Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, (VOID *) Data);
   if (EFI_ERROR (Status)) {
-    return IsForbidden;
+    goto Done;
   }
 
   //

Original file line number	Diff line number	Diff line change
`@@ -1274,7 +1274,7 @@ IsForbiddenByDbx (`
`1274`	`1274`
`1275`	`1275`	`Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, (VOID *) Data);`
`1276`	`1276`	`if (EFI_ERROR (Status)) {`
`1277`		`- return IsForbidden;`
	`1277`	`+ goto Done;`
`1278`	`1278`	`}`
`1279`	`1279`
`1280`	`1280`	`//`