!121 fix CVE-2023-0286

From: @huiyingc Reviewed-by: @yezengruan Signed-off-by: @yezengruan
2023-02-26 07:23:07 +00:00 · 2023-02-26 07:23:07 +00:00 · 4f1df06310
commit 4f1df06310
parent 36448b1372 4515de537b
3 changed files with 149 additions and 1 deletions
--- a/0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch
+++ b/0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch
@ -0,0 +1,102 @@
+From fe9395b9fe1507236eafd147dc0cd4a8c9bf1fe6 Mon Sep 17 00:00:00 2001
+From: chenhuiying <chenhuiying4@huawei.com>
+Date: Sat, 25 Feb 2023 17:54:23 +0800
+Subject: [PATCH] Correctly compare EdiPartyName in GENERAL_NAME_cmp()
+
+If a GENERAL_NAME field contained EdiPartyName data then it was
+incorrectly being handled as type "other". This could lead to a
+segmentation fault.
+
+Many thanks to David Benjamin from Google for reporting this issue.
+
+CVE-2020-1971
+
+reference: https://github.com/openssl/openssl/commit/f960d81215ebf3f65e03d4d5d857fb9b666d6920
+Signed-off-by: chenhuiying <chenhuiying4@huawei.com>
+---
+ .../openssl/crypto/x509v3/v3_genn.c           | 45 +++++++++++++++++--
+ 1 file changed, 42 insertions(+), 3 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c
+index 23e3bc4..23778e2 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c
+@@ -57,6 +57,37 @@ GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a)
+                                     (char *)a);
+ }
+ 
+static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b)
+{
+    int res;
+
+    if (a == NULL || b == NULL) {
+        /*
+         * Shouldn't be possible in a valid GENERAL_NAME, but we handle it
+         * anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here
+         */
+        return -1;
+    }
+    if (a->nameAssigner == NULL && b->nameAssigner != NULL)
+        return -1;
+    if (a->nameAssigner != NULL && b->nameAssigner == NULL)
+        return 1;
+    /* If we get here then both have nameAssigner set, or both unset */
+    if (a->nameAssigner != NULL) {
+        res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner);
+        if (res != 0)
+            return res;
+    }
+    /*
+     * partyName is required, so these should never be NULL. We treat it in
+     * the same way as the a == NULL || b == NULL case above
+     */
+    if (a->partyName == NULL || b->partyName == NULL)
+        return -1;
+
+    return ASN1_STRING_cmp(a->partyName, b->partyName);
+}
+
+ /* Returns 0 if they are equal, != 0 otherwise. */
+ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+ {
+@@ -66,8 +97,11 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+         return -1;
+     switch (a->type) {
+     case GEN_X400:
+        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+        break;
+
+     case GEN_EDIPARTY:
+-        result = ASN1_TYPE_cmp(a->d.other, b->d.other);
+        result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName);
+         break;
+ 
+     case GEN_OTHERNAME:
+@@ -114,8 +148,11 @@ void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
+ {
+     switch (type) {
+     case GEN_X400:
+        a->d.x400Address = value;
+        break;
+
+     case GEN_EDIPARTY:
+-        a->d.other = value;
+        a->d.ediPartyName = value;
+         break;
+ 
+     case GEN_OTHERNAME:
+@@ -149,8 +186,10 @@ void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype)
+         *ptype = a->type;
+     switch (a->type) {
+     case GEN_X400:
+        return a->d.x400Address;
+
+     case GEN_EDIPARTY:
+-        return a->d.other;
+        return a->d.ediPartyName;
+ 
+     case GEN_OTHERNAME:
+         return a->d.otherName;
+-- 
+2.27.0
+
--- a/0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch
+++ b/0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch
@ -0,0 +1,41 @@
+From 7553d2119f3c899f779eaacafff63feaa843814a Mon Sep 17 00:00:00 2001
+From: s00803682 <shaodenghui@huawei.com>
+Date: Sat, 25 Feb 2023 18:22:13 +0800
+Subject: [PATCH] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1)
+
+REF: https://github.com/openssl/openssl/commit/2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9
+Signed-off-by: chenhuiying <chenhuiying4@huawei.com>
+---
+ CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c  | 2 +-
+ CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c
+index 23778e2..12ce733 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c
+@@ -97,7 +97,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+         return -1;
+     switch (a->type) {
+     case GEN_X400:
+-        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+        result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
+         break;
+ 
+     case GEN_EDIPARTY:
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h
+index 6c6eca3..b80438d 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h
+++ b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h
+@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
+         OTHERNAME *otherName;   /* otherName */
+         ASN1_IA5STRING *rfc822Name;
+         ASN1_IA5STRING *dNSName;
+-        ASN1_TYPE *x400Address;
+        ASN1_STRING *x400Address;
+         X509_NAME *directoryName;
+         EDIPARTYNAME *ediPartyName;
+         ASN1_IA5STRING *uniformResourceIdentifier;
+-- 
+2.27.0
+
--- a/edk2.spec
+++ b/edk2.spec
@ -5,7 +5,7 @@

 Name: edk2
 Version: %{stable_date}
-Release: 10
+Release: 11
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent
 URL: https://github.com/tianocore/edk2
@ -47,6 +47,8 @@ Patch0023: 0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch
 Patch0024: 0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch
 Patch0025: 0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
 Patch0026: 0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch
+Patch0027: 0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch
+Patch0028: 0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch

 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command

@ -248,6 +250,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif

 %changelog
+* Sun Feb 26 2023 chenhuiying<chenhuiying4@huawei.com> - 202011-11
+- fix CVE-2023-0286
+
 * Sun Feb 26 2023 chenhuiying<chenhuiying4@huawei.com> - 202011-10
 - fix CVE-2023-0215