From 99c925bbe38528234062fdd1d66fc9c34ae03a42 Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina <mrezanin@redhat.com>
Date: Thu, 6 Apr 2023 03:16:43 -0400
Subject: [PATCH] * Thu Apr 06 2023 Miroslav Rezanina <mrezanin@redhat.com> -
 20220126gitbb1bba3d77-5

- edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch [bz#1861743]
- Resolves: bz#1861743
  (CVE-2019-14560 edk2: Function GetEfiGlobalVariable2() return value not checked in DxeImageVerificationHandler() [rhel-8])
---
 ...mageVerificationLib-Check-result-of-.patch | 109 ++++++++++++++++++
 edk2.spec                                     |   9 +-
 sources                                       |   1 -
 3 files changed, 117 insertions(+), 2 deletions(-)
 create mode 100644 edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch

diff --git a/edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch b/edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch
new file mode 100644
index 0000000..e2d7ed3
--- /dev/null
+++ b/edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch
@@ -0,0 +1,109 @@
+From bb0f29580825e60a5dc5c67e260dd20258eb71b0 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 29 Mar 2023 11:52:52 -0400
+Subject: [PATCH] SecurityPkg/DxeImageVerificationLib: Check result of
+ GetEfiGlobalVariable2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 22: SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2
+RH-Bugzilla: 1861743
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Commit: [1/1] 70e1ae5e2c7c148fc23160acdd360c044df5f4ff
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1861743
+Upstream: Merged
+CVE: CVE-2019-14560
+
+commit 494127613b36e870250649b02cd4ce5f1969d9bd
+Author: Gerd Hoffmann <kraxel@redhat.com>
+Date:   Fri Mar 3 18:35:53 2023 +0800
+
+    SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2
+
+    Call gRT->GetVariable() directly to read the SecureBoot variable.  It is
+    one byte in size so we can easily place it on the stack instead of
+    having GetEfiGlobalVariable2() allocate it for us, which avoids a few
+    possible error cases.
+
+    Skip secure boot checks if (and only if):
+
+     (a) the SecureBoot variable is not present (EFI_NOT_FOUND) according to
+         the return value, or
+     (b) the SecureBoot variable was read successfully and is set to
+         SECURE_BOOT_MODE_DISABLE.
+
+    Previously the code skipped the secure boot checks on *any*
+    gRT->GetVariable() error (GetEfiGlobalVariable2 sets the variable
+    value to NULL in that case) and also on memory allocation failures.
+
+    Fixes: CVE-2019-14560
+    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+    Suggested-by: Marvin Häuser <mhaeuser@posteo.de>
+    Reviewed-by: Min Xu <min.m.xu@intel.com>
+    Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../DxeImageVerificationLib.c                  | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index c48861cd64..1252927664 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1650,7 +1650,8 @@ DxeImageVerificationHandler (
+   EFI_IMAGE_EXECUTION_ACTION           Action;
+   WIN_CERTIFICATE                      *WinCertificate;
+   UINT32                               Policy;
+-  UINT8                                *SecureBoot;
++  UINT8                                SecureBoot;
++  UINTN                                SecureBootSize;
+   PE_COFF_LOADER_IMAGE_CONTEXT         ImageContext;
+   UINT32                               NumberOfRvaAndSizes;
+   WIN_CERTIFICATE_EFI_PKCS             *PkcsCertData;
+@@ -1665,6 +1666,8 @@ DxeImageVerificationHandler (
+   RETURN_STATUS                        PeCoffStatus;
+   EFI_STATUS                           HashStatus;
+   EFI_STATUS                           DbStatus;
++  EFI_STATUS                           VarStatus;
++  UINT32                               VarAttr;
+   BOOLEAN                              IsFound;
+ 
+   SignatureList     = NULL;
+@@ -1720,22 +1723,25 @@ DxeImageVerificationHandler (
+     CpuDeadLoop ();
+   }
+ 
+-  GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);
++  SecureBootSize = sizeof (SecureBoot);
++  VarStatus      = gRT->GetVariable (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, &VarAttr, &SecureBootSize, &SecureBoot);
+   //
+   // Skip verification if SecureBoot variable doesn't exist.
+   //
+-  if (SecureBoot == NULL) {
++  if (VarStatus == EFI_NOT_FOUND) {
+     return EFI_SUCCESS;
+   }
+ 
+   //
+   // Skip verification if SecureBoot is disabled but not AuditMode
+   //
+-  if (*SecureBoot == SECURE_BOOT_MODE_DISABLE) {
+-    FreePool (SecureBoot);
++  if ((VarStatus == EFI_SUCCESS) &&
++      (VarAttr == (EFI_VARIABLE_BOOTSERVICE_ACCESS |
++                   EFI_VARIABLE_RUNTIME_ACCESS)) &&
++      (SecureBoot == SECURE_BOOT_MODE_DISABLE))
++  {
+     return EFI_SUCCESS;
+   }
+-  FreePool (SecureBoot);
+ 
+   //
+   // Read the Dos header.
+-- 
+2.39.1
+
diff --git a/edk2.spec b/edk2.spec
index c430c1c..f352853 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64
 
 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    4%{?dist}
+Release:    5%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 Group:      Applications/Emulators
 License:    BSD-2-Clause-Patent and OpenSSL and MIT
@@ -56,6 +56,8 @@ Patch27: edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch
 # For bz#2164558 - CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-8]
 # For bz#2164581 - CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-8]
 Patch28: edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch
+# For bz#1861743 - CVE-2019-14560 edk2: Function GetEfiGlobalVariable2() return value not checked in DxeImageVerificationHandler() [rhel-8]
+Patch29: edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch
 
 
 # python3-devel and libuuid-devel are required for building tools.
@@ -500,6 +502,11 @@ true
 %endif
 
 %changelog
+* Thu Apr 06 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-5
+- edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch [bz#1861743]
+- Resolves: bz#1861743
+  (CVE-2019-14560 edk2: Function GetEfiGlobalVariable2() return value not checked in DxeImageVerificationHandler() [rhel-8])
+
 * Wed Feb 15 2023 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-4
 - edk2-openssl-update.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581]
 - edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581]
diff --git a/sources b/sources
index 98fe446..1f4d8b0 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,2 @@
-SHA512 (RedHatSecureBootPkKek1.pem) = 132ff758261b6626df74c2a21abee7d8586ca5a6e52be3926ee7a0db1d5c606257ec213c4623739d724f2bf6894babd75401504aa694e785818b5437ab36a32a
 SHA512 (edk2-bb1bba3d77.tar.xz) = 3e0deb750d3443f4a2c15a066842e35a05a6dc65ce1869c229a8328d3dba8375949ee3825e16c7fe01bd77516a6717ccbdda1d674a2a862453e5480094c49c4c
 SHA512 (openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz) = 4962a8d907f2913b80f72508cc688487cf0b38b1d3cd0c934f5307b236cb96d598af8e936d234de02c227795386045b5d19084a22ac447649a0f2b6c9fe753da