SecurityPkg/DxeImageVerificationLib: reject CertStack.CertNumber==0 per DBX (CVE-2019-14575)

Jian J Wang · mergify[bot] · commit c13742b18009 · 2020-02-19T14:08:23.000Z
In case the signers' certificate stack, retrieved from the PE/COFF image's
Authenticode blob, has zero elements (=there are zero signer certificates),
then we should consider the image forbidden by DBX, not accepted by DBX.

Cc: Jiewen Yao &lt;jiewen.yao@intel.com&gt;
Cc: Chao Zhang &lt;chao.b.zhang@intel.com&gt;
Signed-off-by: Jian J Wang &lt;jian.j.wang@intel.com&gt;
Reviewed-by: Laszlo Ersek &lt;lersek@redhat.com&gt;
Reviewed-by: Jiewen Yao &lt;jiewen.yao@intel.com&gt;
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1326,7 +1326,7 @@ IsForbiddenByDbx (
   //       UINT8  Certn[];
   //
   Pkcs7GetSigners (AuthData, AuthDataSize, &CertBuffer, &BufferLength, &TrustedCert, &TrustedCertLength);
-  if ((BufferLength == 0) || (CertBuffer == NULL)) {
+  if ((BufferLength == 0) || (CertBuffer == NULL) || (*CertBuffer) == 0) {
     IsForbidden = TRUE;
     goto Done;
   }

Original file line number	Diff line number	Diff line change
`@@ -1326,7 +1326,7 @@ IsForbiddenByDbx (`
`1326`	`1326`	`// UINT8 Certn[];`
`1327`	`1327`	`//`
`1328`	`1328`	`Pkcs7GetSigners (AuthData, AuthDataSize, &CertBuffer, &BufferLength, &TrustedCert, &TrustedCertLength);`
`1329`		`- if ((BufferLength == 0) \|\| (CertBuffer == NULL)) {`
	`1329`	`+ if ((BufferLength == 0) \|\| (CertBuffer == NULL) \|\| (*CertBuffer) == 0) {`
`1330`	`1330`	`IsForbidden = TRUE;`
`1331`	`1331`	`goto Done;`
`1332`	`1332`	`}`