File ovmf-bsc1177789-cryptopkg-fix-null-dereference.patch of Package ovmf.19611

From c7311c794c593745b852ee6c0bcdb8a5e71d6ace Mon Sep 17 00:00:00 2001
From: Jian J Wang <>
Date: Thu, 25 Apr 2019 23:42:16 +0800
Subject: [PATCH 1/1] CryptoPkg/BaseCryptLib: fix NULL dereference


AuthenticodeVerify() calls OpenSSL's d2i_PKCS7() API to parse asn encoded
signed authenticode pkcs#7 data. When this successfully returns, a type
check is done by calling PKCS7_type_is_signed() and then
Pkcs7->d.sign->contents->type is used. It is possible to construct an asn1
blob that successfully decodes and have d2i_PKCS7() return a valid pointer
and have PKCS7_type_is_signed() also return success but have Pkcs7->d.sign
be a NULL pointer.

Looking at how PKCS7_verify() [inside of OpenSSL] implements checking for
pkcs7 structs it does the following:
- call PKCS7_type_is_signed()
- call PKCS7_get_detached()
Looking into how PKCS7_get_detached() is implemented, it checks to see if
p7->d.sign is NULL or if p7->d.sign->contents->d.ptr is NULL.

As such, the fix is to do the same as OpenSSL after calling d2i_PKCS7().
- Add call to PKCS7_get_detached() to existing error handling

Cc: Xiaoyu Lu <>
Cc: Guomin Jiang <>
Cc: Jiewen Yao <>
Cc: Laszlo Ersek <>
Signed-off-by: Jian J Wang <>
Reviewed-by: Laszlo Ersek <>
Reviewed-by: Jiewen Yao <>
(cherry picked from commit 26442d11e620a9e81c019a24a4ff38441c64ba10)
 CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
index 2772b1e2be3c..3c2d14a88bce 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
@@ -9,7 +9,7 @@
   AuthenticodeVerify() will get PE/COFF Authenticode and will do basic check for
   data structure.
-Copyright (c) 2011 - 2015, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2011 - 2020, Intel Corporation. All rights reserved.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
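Review bot: The copyright range on the added line is bumped to 2020, but the Date header of this patch reads 25 Apr 2019. Please confirm which year is intended and make the two agree, so the file header does not claim a year that precedes or follows the actual change.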
@@ -100,7 +100,7 @@ AuthenticodeVerify (
   // Check if it's PKCS#7 Signed Data (for Authenticode Scenario)
-  if (!PKCS7_type_is_signed (Pkcs7)) {
+  if (!PKCS7_type_is_signed (Pkcs7) || PKCS7_get_detached (Pkcs7)) {
     goto _Exit;
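Review bot: The NULL guard in the new condition is implicit: nothing at the call site says that PKCS7_get_detached (Pkcs7) is there to catch a NULL Pkcs7->d.sign, and the comment above still reads only "Check if it's PKCS#7 Signed Data". Please extend that comment to state that the call rejects both a NULL d.sign and content with a NULL contents->d.ptr, as the commit message describes, so a later cleanup does not drop it as a redundant detached-signature test. Since this also makes AuthenticodeVerify() bail out for any detached signed data, it would help to state in the comment that detached content is never expected in the Authenticode case. The diffstat shows only CryptAuthenticode.c changed; a test feeding the malformed blob described in the commit message would keep the check from regressing.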