
SecurityPkg: Out of bound read in HashPeImageByType() #10928

Merged: mergify[bot] merged 4 commits into master from security-advisory/cve-2024-38797/advisory on Apr 9, 2025

@Flickdm Flickdm commented Apr 7, 2025

Description

CVE: CVE-2024-38797

In HashPeImageByType(), the hash of a PE/COFF image is calculated. This function may get untrusted input.

Inside this function, the following code verifies the loaded image has the correct format, by reading the second byte of the buffer.

```c
  if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
    ...
  }
```

Since the input image is not trusted, it may not have a second byte present to read. So this poses a potential out of bounds read error.

With the below fix, we are ensuring that we don't perform an out of bound read, i.e., we make sure that AuthDataSize is greater than 1.

```c
  if (AuthDataSize > 1 && (*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE){
    ...
  }
```

AuthDataSize is verified before reading the second byte. So, if AuthDataSize is less than 2, the second byte will not be read, and the out of bound read will be prevented.


The logic of the function was cleaned up to provide an early exit if the untrusted data does not have enough bytes to check for a TWO_BYTE_ENCODE or if the TWO_BYTE_ENCODE is not present.

This is slightly more efficient than checking this condition in the for loop.

Additionally, when the hash algorithm selected by Index has such a large OID that the OID Comparison couldn't be performed - this would lead to an early break rather than an OID Mismatch. This has been changed to a continue instead.


  • Breaking change?
  • Impacts security?
    • Corrects out of bound read in HashPeImageByType ()
  • Includes tests?

How This Was Tested

Tested the patch on real platform with and without TPM connected and verified image is booting fine.

Integration Instructions

N/A

@github-actions github-actions Bot added the impact:security This change has a direct security impact such as changing a crypto algorithm. label Apr 7, 2025
@Flickdm Flickdm force-pushed the security-advisory/cve-2024-38797/advisory branch 3 times, most recently from bb1717f to 7ef3efe Compare April 7, 2025 20:36
Flickdm added 4 commits April 8, 2025 08:03
In HashPeImageByType(), the hash of PE/COFF image is calculated.
This function may get untrusted input.

Inside this function, the following code verifies the loaded image has
the correct format, by reading the second byte of the buffer.

```c
  if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
  	...
  }
```

The input image is not trusted and may not have a second byte to
read. So this poses an out of bound read error.

With the below fix we are assuring that we don't do an out of bound read,
i.e., we make sure that AuthDataSize is greater than 1.

```c
  if (AuthDataSize > 1
      && (*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE){
    ...
  }
```

AuthDataSize size is verified before reading the second byte.
So if AuthDataSize is less than 2, the second byte will not be read, and
the out of bound read situation won't occur.

Tested the patch on real platform with and without TPM connected and
verified image is booting fine.

Authored-by: Raj AlwinX Selvaraj <Alw...@intel.com>
Signed-off-by: Doug Flick <DougFlick@microsoft.com>
Namely:

(1) The TWO_BYTE_ENCODE check is independent of Index. If it evaluates
    to TRUE for Index==0, then it will evaluate to TRUE for all other
    Index values as well. As a result, the (Index == HASHALG_MAX)
    condition will fire after the loop, and we'll return
    EFI_UNSUPPORTED.

    While this is correct, functionally speaking, it is wasteful to
    keep re-checking TWO_BYTE_ENCODE in the loop body. The check
    should be made at the top of the function, and EFI_UNSUPPORTED
    should be returned at once, if appropriate.

(2) If the hash algorithm selected by Index has such a large OID that
    the OID comparison cannot even be performed (because AuthDataSize
    is not large enough for containing the OID in question, starting
    at offset 32), then the function returns EFI_UNSUPPORTED at once.

    This is bogus; this case should simply be treated as an OID
    mismatch, and the loop should advance to the next Index value /
    hash algorithm candidate. A remaining hash algo may have a shorter
    OID and yield an OID match.

Signed-off-by: Doug Flick <DougFlick@microsoft.com>
This commit updates the SecurityFixes.yaml file to include
information about the CVE-2024-38797 vulnerability.

Signed-off-by: Doug Flick <DougFlick@microsoft.com>
@Flickdm Flickdm force-pushed the security-advisory/cve-2024-38797/advisory branch from 7ef3efe to 519366f Compare April 8, 2025 15:03
@makubacki makubacki added the push Auto push patch series in PR if all checks pass label Apr 9, 2025
@mergify mergify Bot merged commit d79d8d6 into master Apr 9, 2025
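
A stand-alone model of the lookup as the PR description and the second commit message describe it, added here as an illustration and not taken from the edk2 source: the length is checked before byte 1 is read, and an OID too long for the buffer is skipped instead of ending the search. The 0x82 value for TWO_BYTE_ENCODE, the two-entry table and its order, the helper names, and both sample buffers are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TWO_BYTE_ENCODE 0x82   /* assumed value of the edk2 macro */
#define OID_OFFSET      32     /* fixed OID offset named in the commit message */
#define HASHALG_MAX     2      /* constructed two-entry table */
#define ALG_UNSUPPORTED (-1)   /* stands in for EFI_UNSUPPORTED */

typedef struct {
    const char    *name;
    const uint8_t *oid;
    size_t         oid_len;
} hash_info;

/* Constructed table: the longer OID is listed first on purpose. */
static const uint8_t OID_LONG[]  = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01};
static const uint8_t OID_SHORT[] = {0x2B, 0x0E, 0x03, 0x02, 0x1A};
static const hash_info HASHES[HASHALG_MAX] = {
    {"long-oid",  OID_LONG,  sizeof OID_LONG},
    {"short-oid", OID_SHORT, sizeof OID_SHORT},
};

/* Constructed inputs: a 1-byte buffer, and a 37-byte buffer that holds the
 * short OID at offset 32 but is too small to hold the long one. */
static const uint8_t ONE_BYTE[1] = {0x30};
static const uint8_t SAMPLE[37]  = {
    [0] = 0x30, [1] = 0x82,
    [32] = 0x2B, 0x0E, 0x03, 0x02, 0x1A,
};

/* Returns the index of the matching table entry or ALG_UNSUPPORTED.
 * stop_on_short_buffer = 1 models the behaviour before the cleanup, where an
 * OID that does not fit in the buffer ended the search. */
int select_hash_alg(const uint8_t *auth, size_t auth_size, int stop_on_short_buffer)
{
    size_t i;

    /* Size is tested first, so auth[1] is never read from a short buffer. */
    if (auth == NULL || auth_size < 2 ||
        (auth[1] & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
        return ALG_UNSUPPORTED;
    }

    for (i = 0; i < HASHALG_MAX; i++) {
        if (auth_size < OID_OFFSET + HASHES[i].oid_len) {
            if (stop_on_short_buffer) {
                return ALG_UNSUPPORTED;
            }
            continue;               /* treat as an OID mismatch */
        }
        if (memcmp(auth + OID_OFFSET, HASHES[i].oid, HASHES[i].oid_len) == 0) {
            return (int)i;
        }
    }
    return ALG_UNSUPPORTED;
}

int demo_one_byte(void)            { return select_hash_alg(ONE_BYTE, sizeof ONE_BYTE, 0); }
int demo_sample(int stop_on_short) { return select_hash_alg(SAMPLE, sizeof SAMPLE, stop_on_short); }

int main(void)
{
    printf("1-byte buffer:        %d\n", demo_one_byte());
    printf("sample, early stop:   %d\n", demo_sample(1));
    printf("sample, continue:     %d\n", demo_sample(0));
    return 0;
}
```

Building it with `-fsanitize=address` confirms that neither sample buffer is read past its end.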
hongxu-jia added a commit to hongxu-jia/openembedded-core that referenced this pull request Jun 13, 2025
According to [1]:

EDK2 contains a vulnerability in the HashPeImageByType(). A user may cause a read out of
bounds when a corrupted data pointer and length are sent via an adjacent network.
A successful exploit of this vulnerability may lead to a loss of Integrity and/or
Availability.

Backport fixes from upstream edk2 [2][3]

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-38797
[2] GHSA-4wjw-6xmf-44xf
[3] tianocore/edk2#10928

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>