* Thu Apr 06 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-5
- edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch [bz#1861743] - Resolves: bz#1861743 (CVE-2019-14560 edk2: Function GetEfiGlobalVariable2() return value not checked in DxeImageVerificationHandler() [rhel-8])
This commit is contained in:
parent
dd3370bc1b
commit
99c925bbe3
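--- a/edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch
+++ b/edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch
@@ -0,0 +1,109 @@
+From bb0f29580825e60a5dc5c67e260dd20258eb71b0 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 29 Mar 2023 11:52:52 -0400
+Subject: [PATCH] SecurityPkg/DxeImageVerificationLib: Check result of
+GetEfiGlobalVariable2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 22: SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2
+RH-Bugzilla: 1861743
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Commit: [1/1] 70e1ae5e2c7c148fc23160acdd360c044df5f4ff
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1861743
+Upstream: Merged
+CVE: CVE-2019-14560
+
+commit 494127613b36e870250649b02cd4ce5f1969d9bd
+Author: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri Mar 3 18:35:53 2023 +0800
+
+SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2
+
+Call gRT->GetVariable() directly to read the SecureBoot variable. It is
+one byte in size so we can easily place it on the stack instead of
+having GetEfiGlobalVariable2() allocate it for us, which avoids a few
+possible error cases.
+
+Skip secure boot checks if (and only if):
+
+(a) the SecureBoot variable is not present (EFI_NOT_FOUND) according to
+the return value, or
+(b) the SecureBoot variable was read successfully and is set to
+SECURE_BOOT_MODE_DISABLE.
+
+Previously the code skipped the secure boot checks on *any*
+gRT->GetVariable() error (GetEfiGlobalVariable2 sets the variable
+value to NULL in that case) and also on memory allocation failures.
+
+Fixes: CVE-2019-14560
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Suggested-by: Marvin Häuser <mhaeuser@posteo.de>
+Reviewed-by: Min Xu <min.m.xu@intel.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+.../DxeImageVerificationLib.c | 18 ++++++++++++------
+1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index c48861cd64..1252927664 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -1650,7 +1650,8 @@ DxeImageVerificationHandler (
+EFI_IMAGE_EXECUTION_ACTION Action;
+WIN_CERTIFICATE *WinCertificate;
+UINT32 Policy;
+- UINT8 *SecureBoot;
++ UINT8 SecureBoot;
++ UINTN SecureBootSize;
+PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;
+UINT32 NumberOfRvaAndSizes;
+WIN_CERTIFICATE_EFI_PKCS *PkcsCertData;
+@@ -1665,6 +1666,8 @@ DxeImageVerificationHandler (
+RETURN_STATUS PeCoffStatus;
+EFI_STATUS HashStatus;
+EFI_STATUS DbStatus;
++ EFI_STATUS VarStatus;
++ UINT32 VarAttr;
+BOOLEAN IsFound;
+
+SignatureList = NULL;
+@@ -1720,22 +1723,25 @@ DxeImageVerificationHandler (
+CpuDeadLoop ();
+}
+
+- GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);
++ SecureBootSize = sizeof (SecureBoot);
++ VarStatus = gRT->GetVariable (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, &VarAttr, &SecureBootSize, &SecureBoot);
+//
+// Skip verification if SecureBoot variable doesn't exist.
+//
+- if (SecureBoot == NULL) {
++ if (VarStatus == EFI_NOT_FOUND) {
+return EFI_SUCCESS;
+}
+
+//
+// Skip verification if SecureBoot is disabled but not AuditMode
+//
+- if (*SecureBoot == SECURE_BOOT_MODE_DISABLE) {
+- FreePool (SecureBoot);
++ if ((VarStatus == EFI_SUCCESS) &&
++ (VarAttr == (EFI_VARIABLE_BOOTSERVICE_ACCESS |
++ EFI_VARIABLE_RUNTIME_ACCESS)) &&
++ (SecureBoot == SECURE_BOOT_MODE_DISABLE))
++ {
+return EFI_SUCCESS;
+}
+- FreePool (SecureBoot);
+
+//
+// Read the Dos header.
+--
+2.39.1
+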
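Review bot: The comment `// Skip verification if SecureBoot is disabled but not AuditMode` kept above the rewritten condition in the third hunk of the backported patch no longer describes the whole test beneath it: the new `if` also requires `VarStatus == EFI_SUCCESS` and `VarAttr` to equal exactly `EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS`, and every other outcome (a GetVariable() error other than EFI_NOT_FOUND, an unexpected attribute set, or an enabled value) now falls through to signature verification. Since that fail-closed fallthrough is the substance of the CVE-2019-14560 fix, it deserves its own comment, e.g. `// Any other GetVariable () result, including unexpected attributes, falls through to verification (fail closed).`. Presumably the attribute equality check is there to reject a SecureBoot variable that the platform did not create (one carrying other attributes); confirm against upstream commit 494127613b36e870250649b02cd4ce5f1969d9bd and state the reason in the comment. `VarAttr` and `SecureBoot` are only read after the `VarStatus == EFI_SUCCESS` test, so their uninitialized state on error paths is not reached. DxeImageVerificationHandler() starts and ends outside the quoted hunks.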
@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64
|
||||
|
||||
Name: edk2
|
||||
Version: %{GITDATE}git%{GITCOMMIT}
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
Summary: UEFI firmware for 64-bit virtual machines
|
||||
Group: Applications/Emulators
|
||||
License: BSD-2-Clause-Patent and OpenSSL and MIT
|
||||
@ -56,6 +56,8 @@ Patch27: edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch
|
||||
# For bz#2164558 - CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-8]
|
||||
# For bz#2164581 - CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-8]
|
||||
Patch28: edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch
|
||||
# For bz#1861743 - CVE-2019-14560 edk2: Function GetEfiGlobalVariable2() return value not checked in DxeImageVerificationHandler() [rhel-8]
|
||||
Patch29: edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch
|
||||
|
||||
|
||||
# python3-devel and libuuid-devel are required for building tools.
|
||||
@ -500,6 +502,11 @@ true
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Apr 06 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-5
|
||||
- edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch [bz#1861743]
|
||||
- Resolves: bz#1861743
|
||||
(CVE-2019-14560 edk2: Function GetEfiGlobalVariable2() return value not checked in DxeImageVerificationHandler() [rhel-8])
|
||||
|
||||
* Wed Feb 15 2023 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-4
|
||||
- edk2-openssl-update.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581]
|
||||
- edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581]
|
||||
|
1
sources
1
sources
@ -1,3 +1,2 @@
|
||||
SHA512 (RedHatSecureBootPkKek1.pem) = 132ff758261b6626df74c2a21abee7d8586ca5a6e52be3926ee7a0db1d5c606257ec213c4623739d724f2bf6894babd75401504aa694e785818b5437ab36a32a
|
||||
SHA512 (edk2-bb1bba3d77.tar.xz) = 3e0deb750d3443f4a2c15a066842e35a05a6dc65ce1869c229a8328d3dba8375949ee3825e16c7fe01bd77516a6717ccbdda1d674a2a862453e5480094c49c4c
|
||||
SHA512 (openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz) = 4962a8d907f2913b80f72508cc688487cf0b38b1d3cd0c934f5307b236cb96d598af8e936d234de02c227795386045b5d19084a22ac447649a0f2b6c9fe753da
|
||||
|