L4TLauncher: buffer overrun / crash in ReadAndroidStyleKernelPartition with encrypted images and 2KB signatures #161

Description

@SureshotM6

Mostly caused by e6fd382 "fix: verify signature with alignment 4KB and 2KB" (first included in L4T R36.5.0) but originally sourced to 21ff46f "L4T Launcher: enable UEFI to load encrypted payloads from partition". These are the buggy lines:

SignatureOffset = ALIGN_VALUE (ImageBufferSize, SignatureSize);
SignatureSize = DecryptedImageBufferSize - SignatureOffset;
CopyMem (SignatureBuffer, ImageBuffer + SignatureOffset, SignatureSize);

  1. SignatureOffset is aligned up to 4KB, which may be beyond DecryptedImageBufferSize when 2KB alignment was used to produce the image
  2. SignatureSize underflows and becomes extremely large
  3. CopyMem crashes due to a very large length parameter

There are also other issues here:

  1. ImageBufferSize should ideally be checked to ensure it is not larger than DecryptedImageBufferSize before any of this code runs. That could cause a similar buffer overrun just with a corrupted image.
  2. If there is even more than 4KB of padding at the end of the image, SignatureSize can become larger than the actual size of SignatureBuffer and cause a heap overrun.

Basically, SignatureSize should be clamped between 0 and the previous value of SignatureSize (4KB) on this line to resolve all issues.

The same issue exists in ReadAndroidStyleDtbPartition too, where SignatureSize can underflow:

SignatureSize = DtbBufferSize - SignatureOffset;
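The arithmetic described in this report, reproduced beside a bounds-checked variant, as an added example that is neither the reporter's code nor the L4TLauncher fix; the ALIGN_VALUE stand-in, SIG_SLOT_SIZE, the Alignment parameter and the sample sizes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for EDK2's ALIGN_VALUE: round v up to a multiple of a (a is a power of two). */
#define ALIGN_VALUE(v, a) (((v) + ((a) - 1)) & ~((size_t)(a) - 1))

#define SIG_SLOT_SIZE 4096u /* assumed: SignatureBuffer holds one 4KB signature slot */

/* Reproduces the arithmetic quoted in the issue with no bounds checks and
 * returns the length it would hand to CopyMem; size_t makes the underflow visible. */
size_t buggy_signature_size(size_t ImageBufferSize, size_t DecryptedImageBufferSize) {
  size_t SignatureSize = SIG_SLOT_SIZE;
  size_t SignatureOffset = ALIGN_VALUE(ImageBufferSize, SignatureSize);
  SignatureSize = DecryptedImageBufferSize - SignatureOffset; /* wraps when offset > size */
  return SignatureSize;
}

/* Hypothetical hardened variant (not the project's fix). Alignment is the padding
 * the image was built with (4096 or 2048). Returns 1 with an in-bounds offset and a
 * length clamped to [0, SIG_SLOT_SIZE]; returns 0 with both outputs zeroed otherwise. */
int safe_signature_size(size_t ImageBufferSize, size_t DecryptedImageBufferSize,
                        size_t Alignment, size_t *SignatureOffset, size_t *SignatureSize) {
  *SignatureOffset = 0;
  *SignatureSize = 0;
  if (Alignment == 0 || (Alignment & (Alignment - 1)) != 0) return 0; /* power of two only */
  /* Issue item 1: the unpadded image must fit inside the decrypted buffer. */
  if (ImageBufferSize > DecryptedImageBufferSize) return 0;
  size_t Offset = ALIGN_VALUE(ImageBufferSize, Alignment);
  if (Offset < ImageBufferSize) return 0;          /* ALIGN_VALUE itself wrapped around */
  if (Offset > DecryptedImageBufferSize) return 0; /* the case that underflowed above */
  size_t Remaining = DecryptedImageBufferSize - Offset;
  /* Issue item 2: never copy more than SignatureBuffer can hold, even with extra padding. */
  *SignatureOffset = Offset;
  *SignatureSize = Remaining > SIG_SLOT_SIZE ? SIG_SLOT_SIZE : Remaining;
  return 1;
}

/* Bounded replacement for the CopyMem call: copies only after the layout is validated. */
int copy_signature(const uint8_t *ImageBuffer, size_t ImageBufferSize,
                   size_t DecryptedImageBufferSize, size_t Alignment,
                   uint8_t SignatureBuffer[SIG_SLOT_SIZE]) {
  size_t Offset, Length;
  memset(SignatureBuffer, 0, SIG_SLOT_SIZE);
  if (!safe_signature_size(ImageBufferSize, DecryptedImageBufferSize, Alignment, &Offset, &Length))
    return 0;
  memcpy(SignatureBuffer, ImageBuffer + Offset, Length);
  return 1;
}
```

With a 2KB-padded image the clamped version yields a zero-length or short copy at 4KB alignment rather than a wrapped length, so the worst outcome is a failed verification instead of a crash.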
