From 1dae37b163e1e08e719ac06fa86b3414b4ddfb2b Mon Sep 17 00:00:00 2001 From: CoprDistGit Date: Mon, 30 Oct 2023 11:56:48 +0000 Subject: automatic import of edk2 --- ...-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch | 102 +++++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch (limited to '0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch') diff --git a/0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch b/0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch new file mode 100644 index 0000000..e670922 --- /dev/null +++ b/0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch @@ -0,0 +1,102 @@ +From fe9395b9fe1507236eafd147dc0cd4a8c9bf1fe6 Mon Sep 17 00:00:00 2001 +From: chenhuiying +Date: Sat, 25 Feb 2023 17:54:23 +0800 +Subject: [PATCH] Correctly compare EdiPartyName in GENERAL_NAME_cmp() + +If a GENERAL_NAME field contained EdiPartyName data then it was +incorrectly being handled as type "other". This could lead to a +segmentation fault. + +Many thanks to David Benjamin from Google for reporting this issue. + +CVE-2020-1971 + +reference: https://github.com/openssl/openssl/commit/f960d81215ebf3f65e03d4d5d857fb9b666d6920 +Signed-off-by: chenhuiying +--- + .../openssl/crypto/x509v3/v3_genn.c | 45 +++++++++++++++++-- + 1 file changed, 42 insertions(+), 3 deletions(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c +index 23e3bc4..23778e2 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c +@@ -57,6 +57,37 @@ GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a) + (char *)a); + } + ++static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b) ++{ ++ int res; ++ ++ if (a == NULL || b == NULL) { ++ /* ++ * Shouldn't be possible in a valid GENERAL_NAME, but we handle it ++ * anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here ++ */ ++ return -1; ++ } ++ if (a->nameAssigner == NULL && b->nameAssigner != NULL) ++ return -1; ++ if (a->nameAssigner != NULL && b->nameAssigner == NULL) ++ return 1; ++ /* If we get here then both have nameAssigner set, or both unset */ ++ if (a->nameAssigner != NULL) { ++ res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner); ++ if (res != 0) ++ return res; ++ } ++ /* ++ * partyName is required, so these should never be NULL. We treat it in ++ * the same way as the a == NULL || b == NULL case above ++ */ ++ if (a->partyName == NULL || b->partyName == NULL) ++ return -1; ++ ++ return ASN1_STRING_cmp(a->partyName, b->partyName); ++} ++ + /* Returns 0 if they are equal, != 0 otherwise. */ + int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) + { +@@ -66,8 +97,11 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) + return -1; + switch (a->type) { + case GEN_X400: ++ result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); ++ break; ++ + case GEN_EDIPARTY: +- result = ASN1_TYPE_cmp(a->d.other, b->d.other); ++ result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName); + break; + + case GEN_OTHERNAME: +@@ -114,8 +148,11 @@ void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value) + { + switch (type) { + case GEN_X400: ++ a->d.x400Address = value; ++ break; ++ + case GEN_EDIPARTY: +- a->d.other = value; ++ a->d.ediPartyName = value; + break; + + case GEN_OTHERNAME: +@@ -149,8 +186,10 @@ void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype) + *ptype = a->type; + switch (a->type) { + case GEN_X400: ++ return a->d.x400Address; ++ + case GEN_EDIPARTY: +- return a->d.other; ++ return a->d.ediPartyName; + + case GEN_OTHERNAME: + return a->d.otherName; +-- +2.27.0 + -- cgit v1.2.3