mirror of https://github.com/acidanthera/audk.git
SecurityPkg SecureBootConfigDxe: Add check for the external PE/COFF image.
Use BasePeCoffLib PeCoffLoaderGetImageInfo() to check the PE/COFF image. In V2, add specific ImageRead() to make sure the PE/COFF image content read is within the image buffer. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Liming Gao <liming.gao@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
This commit is contained in:
parent
04147690b5
commit
5e9dfc6782
|
@ -34,6 +34,8 @@
|
|||
PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
|
||||
UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiApplicationEntryPoint.inf
|
||||
PerformanceLib|MdePkg/Library/BasePerformanceLibNull/BasePerformanceLibNull.inf
|
||||
PeCoffLib|MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf
|
||||
PeCoffExtraActionLib|MdePkg/Library/BasePeCoffExtraActionLibNull/BasePeCoffExtraActionLibNull.inf
|
||||
|
||||
DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf
|
||||
UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf
|
||||
|
|
|
@ -58,6 +58,7 @@
|
|||
PlatformSecureLib
|
||||
DevicePathLib
|
||||
FileExplorerLib
|
||||
PeCoffLib
|
||||
|
||||
[Guids]
|
||||
## SOMETIMES_CONSUMES ## Variable:L"CustomMode"
|
||||
|
|
|
@ -1609,6 +1609,54 @@ ON_EXIT:
|
|||
return IsFound;
|
||||
}
|
||||
|
||||
/**
|
||||
Reads contents of a PE/COFF image in memory buffer.
|
||||
|
||||
Caution: This function may receive untrusted input.
|
||||
PE/COFF image is external input, so this function will make sure the PE/COFF image content
|
||||
read is within the image buffer.
|
||||
|
||||
@param FileHandle Pointer to the file handle to read the PE/COFF image.
|
||||
@param FileOffset Offset into the PE/COFF image to begin the read operation.
|
||||
@param ReadSize On input, the size in bytes of the requested read operation.
|
||||
On output, the number of bytes actually read.
|
||||
@param Buffer Output buffer that contains the data read from the PE/COFF image.
|
||||
|
||||
@retval EFI_SUCCESS The specified portion of the PE/COFF image was read and the size
|
||||
**/
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
SecureBootConfigImageRead (
|
||||
IN VOID *FileHandle,
|
||||
IN UINTN FileOffset,
|
||||
IN OUT UINTN *ReadSize,
|
||||
OUT VOID *Buffer
|
||||
)
|
||||
{
|
||||
UINTN EndPosition;
|
||||
|
||||
if (FileHandle == NULL || ReadSize == NULL || Buffer == NULL) {
|
||||
return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
if (MAX_ADDRESS - FileOffset < *ReadSize) {
|
||||
return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
EndPosition = FileOffset + *ReadSize;
|
||||
if (EndPosition > mImageSize) {
|
||||
*ReadSize = (UINT32)(mImageSize - FileOffset);
|
||||
}
|
||||
|
||||
if (FileOffset >= mImageSize) {
|
||||
*ReadSize = 0;
|
||||
}
|
||||
|
||||
CopyMem (Buffer, (UINT8 *)((UINTN) FileHandle + FileOffset), *ReadSize);
|
||||
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
|
||||
/**
|
||||
Load PE/COFF image information into internal buffer and check its validity.
|
||||
|
||||
|
@ -1625,9 +1673,28 @@ LoadPeImage (
|
|||
EFI_IMAGE_DOS_HEADER *DosHdr;
|
||||
EFI_IMAGE_NT_HEADERS32 *NtHeader32;
|
||||
EFI_IMAGE_NT_HEADERS64 *NtHeader64;
|
||||
PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;
|
||||
EFI_STATUS Status;
|
||||
|
||||
NtHeader32 = NULL;
|
||||
NtHeader64 = NULL;
|
||||
|
||||
ZeroMem (&ImageContext, sizeof (ImageContext));
|
||||
ImageContext.Handle = (VOID *) mImageBase;
|
||||
ImageContext.ImageRead = (PE_COFF_LOADER_READ_FILE) SecureBootConfigImageRead;
|
||||
|
||||
//
|
||||
// Get information about the image being loaded
|
||||
//
|
||||
Status = PeCoffLoaderGetImageInfo (&ImageContext);
|
||||
if (EFI_ERROR (Status)) {
|
||||
//
|
||||
// The information can't be got from the invalid PeImage
|
||||
//
|
||||
DEBUG ((DEBUG_INFO, "SecureBootConfigDxe: PeImage invalid. \n"));
|
||||
return Status;
|
||||
}
|
||||
|
||||
//
|
||||
// Read the Dos header
|
||||
//
|
||||
|
@ -1689,6 +1756,9 @@ LoadPeImage (
|
|||
Calculate hash of Pe/Coff image based on the authenticode image hashing in
|
||||
PE/COFF Specification 8.0 Appendix A
|
||||
|
||||
Notes: PE/COFF image has been checked by BasePeCoffLib PeCoffLoaderGetImageInfo() in
|
||||
the function LoadPeImage ().
|
||||
|
||||
@param[in] HashAlg Hash algorithm type.
|
||||
|
||||
@retval TRUE Successfully hash image.
|
||||
|
|
|
@ -40,6 +40,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
|||
#include <Library/PlatformSecureLib.h>
|
||||
#include <Library/BaseCryptLib.h>
|
||||
#include <Library/FileExplorerLib.h>
|
||||
#include <Library/PeCoffLib.h>
|
||||
|
||||
#include <Guid/MdeModuleHii.h>
|
||||
#include <Guid/AuthenticatedVariableFormat.h>
|
||||
|
|
Loading…
Reference in New Issue