From 0dc3d4b5210dae158651d058f7ac68a9f178ae84 Mon Sep 17 00:00:00 2001 From: Steve McIntyre <93sam@debian.org> Date: Fri, 19 Apr 2019 23:14:46 +0100 Subject: [PATCH] Fix PE/COFF checksum calculation Only count the cert_table header once when performing the calculation and counting buffer sizes. The problem entered because of a mismerge of multiple signature support and "be1f3d8 Update the PE checksum field using the somewhat-underdocumented algorithm, so that we match the Microsoft implementation in our signature generation.". Originally image->cert_table held the full certificate table including the Microsoft _WINH_CERTIFICATE header and image->sigbuf pointed to the pkcs11 signature inside, so the two had to be checksummed separately. After multiple signature support, image->sigbuf points to the full certificate table because we now need the headers to decide where one signature ends and the next begins, so the correct checksum only needs to sum over the entire image->sigbuf. Signed-off-by: Steve McIntyre <93sam@debian.org> Signed-off-by: James Bottomley --- src/image.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/src/image.c b/src/image.c index 745191f..3ada37b 100644 --- a/src/image.c +++ b/src/image.c @@ -162,7 +162,6 @@ static void image_pecoff_update_checksum(struct image *image) { bool is_signed = image->sigsize && image->sigbuf; uint32_t checksum; - struct cert_table_header *cert_table = image->cert_table; /* We carefully only include the signature data in the checksum (and * in the file length) if we're outputting the signature. Otherwise, @@ -180,16 +179,13 @@ static void image_pecoff_update_checksum(struct image *image) (void *)(image->checksum + 1)); if (is_signed) { - checksum = csum_bytes(checksum, - cert_table, sizeof(*cert_table)); - checksum = csum_bytes(checksum, image->sigbuf, image->sigsize); } checksum += image->data_size; if (is_signed) - checksum += sizeof(*cert_table) + image->sigsize; + checksum += image->sigsize; *(image->checksum) = cpu_to_le32(checksum); }