edk2/SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-f.patch

From e2efec69c63703c324099b987204a38fdb0d9d6f Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Fri, 31 Jan 2020 12:42:46 +0100
Subject: [PATCH 10/12] SecurityPkg/DxeImageVerificationHandler: fix retval for
 (FileBuffer==NULL)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <20200131124248.22369-11-lersek@redhat.com>
Patchwork-id: 93613
O-Subject: [RHEL-8.2.0 edk2 PATCH 10/12] SecurityPkg/DxeImageVerificationHandler: fix retval for (FileBuffer==NULL)
Bugzilla: 1751993
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>

"FileBuffer" is a non-optional input (pointer) parameter to
DxeImageVerificationHandler(). Normally, when an edk2 function receives a
NULL argument for such a parameter, we return EFI_INVALID_PARAMETER or
RETURN_INVALID_PARAMETER. However, those don't conform to the
SECURITY2_FILE_AUTHENTICATION_HANDLER prototype.

Return EFI_ACCESS_DENIED when "FileBuffer" is NULL; it means that no image
has been loaded.

This patch does not change the control flow in the function, it only
changes the "Status" outcome from API-incompatible error codes to
EFI_ACCESS_DENIED, under some circumstances.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
Fixes: 570b3d1a7278df29878da87990e8366bd42d0ec5
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20200116190705.18816-10-lersek@redhat.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
 Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid
 <d3fbb76dabed4e1987c512c328c82810@intel.com>]
(cherry picked from commit 6d57592740cdd0b6868baeef7929d6e6fef7a8e3)

Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index b49fe87..c98b9e4 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1655,7 +1655,7 @@ DxeImageVerificationHandler (
   // Read the Dos header.
   //
   if (FileBuffer == NULL) {
-    return EFI_INVALID_PARAMETER;
+    return EFI_ACCESS_DENIED;
   }
 
   mImageBase  = (UINT8 *) FileBuffer;
-- 
1.8.3.1
import edk2-20190829git37eef91017ad-9.el8 2020-04-28 08:50:06 +00:00			`From e2efec69c63703c324099b987204a38fdb0d9d6f Mon Sep 17 00:00:00 2001`
			`From: Laszlo Ersek <lersek@redhat.com>`
			`Date: Fri, 31 Jan 2020 12:42:46 +0100`
			`Subject: [PATCH 10/12] SecurityPkg/DxeImageVerificationHandler: fix retval for`
			`(FileBuffer==NULL)`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`RH-Author: Laszlo Ersek <lersek@redhat.com>`
			`Message-id: <20200131124248.22369-11-lersek@redhat.com>`
			`Patchwork-id: 93613`
			`O-Subject: [RHEL-8.2.0 edk2 PATCH 10/12] SecurityPkg/DxeImageVerificationHandler: fix retval for (FileBuffer==NULL)`
			`Bugzilla: 1751993`
			`RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>`
			`RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>`

			`"FileBuffer" is a non-optional input (pointer) parameter to`
			`DxeImageVerificationHandler(). Normally, when an edk2 function receives a`
			`NULL argument for such a parameter, we return EFI_INVALID_PARAMETER or`
			`RETURN_INVALID_PARAMETER. However, those don't conform to the`
			`SECURITY2_FILE_AUTHENTICATION_HANDLER prototype.`

			`Return EFI_ACCESS_DENIED when "FileBuffer" is NULL; it means that no image`
			`has been loaded.`

			`This patch does not change the control flow in the function, it only`
			`changes the "Status" outcome from API-incompatible error codes to`
			`EFI_ACCESS_DENIED, under some circumstances.`

			`Cc: Chao Zhang <chao.b.zhang@intel.com>`
			`Cc: Jian J Wang <jian.j.wang@intel.com>`
			`Cc: Jiewen Yao <jiewen.yao@intel.com>`
			`Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129`
			`Fixes: 570b3d1a7278df29878da87990e8366bd42d0ec5`
			`Signed-off-by: Laszlo Ersek <lersek@redhat.com>`
			`Message-Id: <20200116190705.18816-10-lersek@redhat.com>`
			`Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>`
			`[lersek@redhat.com: push with Mike's R-b due to Chinese New Year`
			`Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid`
			`<d3fbb76dabed4e1987c512c328c82810@intel.com>]`
			`(cherry picked from commit 6d57592740cdd0b6868baeef7929d6e6fef7a8e3)`

			`Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>`
			`---`
			`SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c`
			`index b49fe87..c98b9e4 100644`
			`--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c`
			`+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c`
			`@@ -1655,7 +1655,7 @@ DxeImageVerificationHandler (`
			`// Read the Dos header.`
			`//`
			`if (FileBuffer == NULL) {`
			`- return EFI_INVALID_PARAMETER;`
			`+ return EFI_ACCESS_DENIED;`
			`}`

			`mImageBase = (UINT8 *) FileBuffer;`
			`--`
			`1.8.3.1`