attest/internal: skip SignatureHeaderSize vendor bytes in parseEfiSignatureList

Per UEFI specification section 31.4.1, an EFI_SIGNATURE_LIST contains
SignatureHeaderSize bytes of vendor-specific data between the fixed
28-byte header and the actual signature entries.

parseEfiSignatureList() did not advance the buffer past these vendor
bytes before reading entries. For hashSHA256SigGUID lists, this allowed
attacker-controlled vendor header bytes to be appended to the trusted
SHA256 hash list. A crafted TPM event log could inject arbitrary SHA256
hashes into the verifier's trusted measurement database, enabling a
remote attestation verifier to accept a compromised boot state.

Fix:
- Validate: SignatureHeaderSize must not exceed remaining list space
- Skip SignatureHeaderSize vendor bytes via binary.Read before entry loops
- Fix both certX509SigGUID and hashSHA256SigGUID loop start offsets
- Add regression test confirming vendor bytes are not trusted as hashes

Reported via Google OSS VRP issue #513787653.

Author: prasanna8585

attest/internal/events.go

@@ -381,11 +381,27 @@ func parseEfiSignatureList(b []byte) ([]x509.Certificate, [][]byte, error) {
 		if signatures.Header.SignatureSize > remainingListSize {
 			return nil, nil, fmt.Errorf("SignatureSize %d exceeds remaining signature list space %d", signatures.Header.SignatureSize, remainingListSize)
 		}
+		// Guard against hash injection via oversized SignatureHeaderSize.
+		// Per UEFI spec section 31.4.1, SignatureHeaderSize bytes of vendor data
+		// appear between the fixed header and the actual signature entries.
+		// SignatureHeaderSize must not consume the entire remaining list space.
+		if signatures.Header.SignatureHeaderSize >= remainingListSize {
+			return nil, nil, fmt.Errorf("SignatureHeaderSize %d exceeds remaining signature list space %d", signatures.Header.SignatureHeaderSize, remainingListSize)
+		}
+		// Skip the vendor-specific SignatureHeader bytes per UEFI spec section 31.4.1.
+		// Without this, vendor bytes are misread as signature entries, allowing a
+		// crafted event log to inject arbitrary hashes into the trusted hash list.
+		if signatures.Header.SignatureHeaderSize > 0 {
+			vendorHeader := make([]byte, signatures.Header.SignatureHeaderSize)
+			if err := binary.Read(buf, binary.LittleEndian, &vendorHeader); err != nil {
+				return nil, nil, fmt.Errorf("reading signature vendor header: %w", err)
+			}
+		}
 
 		signatureType := signatures.Header.SignatureType
 		switch signatureType {
 		case certX509SigGUID: // X509 certificate
-			for sigOffset := 0; uint32(sigOffset) < signatures.Header.SignatureListSize-efiSignatureListHeaderSize; {
+			for sigOffset := int(signatures.Header.SignatureHeaderSize); uint32(sigOffset) < signatures.Header.SignatureListSize-efiSignatureListHeaderSize; {
 				signature := efiSignatureData{}
 				signature.SignatureData = make([]byte, signatures.Header.SignatureSize-efiGUIDSize)
 				err := binary.Read(buf, binary.LittleEndian, &signature.SignatureOwner)
@@ -404,7 +420,7 @@ func parseEfiSignatureList(b []byte) ([]x509.Certificate, [][]byte, error) {
 				certificates = append(certificates, *cert)
 			}
 		case hashSHA256SigGUID: // SHA256
-			for sigOffset := 0; uint32(sigOffset) < signatures.Header.SignatureListSize-efiSignatureListHeaderSize; {
+			for sigOffset := int(signatures.Header.SignatureHeaderSize); uint32(sigOffset) < signatures.Header.SignatureListSize-efiSignatureListHeaderSize; {
 				signature := efiSignatureData{}
 				signature.SignatureData = make([]byte, signatures.Header.SignatureSize-efiGUIDSize)
 				err := binary.Read(buf, binary.LittleEndian, &signature.SignatureOwner)

attest/internal/events_test.go

@@ -65,3 +65,60 @@ func TestParseUEFIVariableData(t *testing.T) {
 		t.Errorf("ParseUEFIVariableData() mismatch (-want +got):\n%s", diff)
 	}
 }
+
+func TestParseEfiSignatureListNonZeroSignatureHeaderSize(t *testing.T) {
+	// Regression test: parseEfiSignatureList() must skip SignatureHeaderSize
+	// vendor bytes before reading signature entries (UEFI spec section 31.4.1).
+	//
+	// Without the fix, a crafted EFI_SIGNATURE_LIST with SignatureHeaderSize=48
+	// causes attacker-controlled vendor header bytes to be returned as trusted
+	// SHA256 hashes, allowing arbitrary hash injection into the trusted list.
+
+	// hashSHA256SigGUID bytes (little-endian)
+	sigType := [16]byte{
+		0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40,
+		0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28,
+	}
+
+	const (
+		sigSize       = 48 // 16-byte GUID + 32-byte SHA256
+		sigHeaderSize = 48 // vendor header exactly one entry worth
+	)
+
+	// Vendor header: zero GUID + attacker-chosen hash (0xAA * 32)
+	attackerHash := bytes.Repeat([]byte{0xAA}, 32)
+	vendorHeader := make([]byte, sigHeaderSize)
+	copy(vendorHeader[16:], attackerHash)
+
+	// One legitimate entry: zero GUID + 0xBB * 32
+	legitHash := bytes.Repeat([]byte{0xBB}, 32)
+	legitEntry := make([]byte, sigSize)
+	copy(legitEntry[16:], legitHash)
+
+	sigListSize := uint32(28 + sigHeaderSize + len(legitEntry)) // 124 bytes
+
+	writeU32 := func(buf *bytes.Buffer, v uint32) {
+		b := []byte{byte(v), byte(v >> 8), byte(v >> 16), byte(v >> 24)}
+		buf.Write(b)
+	}
+	var buf bytes.Buffer
+	buf.Write(sigType[:])
+	writeU32(&buf, sigListSize)
+	writeU32(&buf, uint32(sigHeaderSize))
+	writeU32(&buf, uint32(sigSize))
+	buf.Write(vendorHeader)
+	buf.Write(legitEntry)
+
+	_, hashes, err := parseEfiSignatureList(buf.Bytes())
+	if err != nil {
+		// Acceptable: the bound check rejects the oversized SignatureHeaderSize.
+		return
+	}
+
+	// Attacker hash must NOT appear in the trusted list.
+	for _, h := range hashes {
+		if bytes.Equal(h, attackerHash) {
+			t.Error("attacker-controlled vendor header bytes returned as trusted SHA256 hash")
+		}
+	}
+}