80 lines
3.1 KiB
Diff
80 lines
3.1 KiB
Diff
From 73de814a5f30c2c6d82736082c1114a028d12115 Mon Sep 17 00:00:00 2001
|
|
From: Laszlo Ersek <lersek@redhat.com>
|
|
Date: Fri, 31 Jan 2020 12:42:41 +0100
|
|
Subject: [PATCH 05/12] SecurityPkg/DxeImageVerificationHandler: narrow down
|
|
PE/COFF hash status
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
RH-Author: Laszlo Ersek <lersek@redhat.com>
|
|
Message-id: <20200131124248.22369-6-lersek@redhat.com>
|
|
Patchwork-id: 93615
|
|
O-Subject: [RHEL-8.2.0 edk2 PATCH 05/12] SecurityPkg/DxeImageVerificationHandler: narrow down PE/COFF hash status
|
|
Bugzilla: 1751993
|
|
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
|
|
|
Inside the "for" loop that scans the signatures of the image, we call
|
|
HashPeImageByType(), and assign its return value to "Status".
|
|
|
|
Beyond the immediate retval check, this assignment is useless (never
|
|
consumed). That's because a subsequent access to "Status" may only be one
|
|
of the following:
|
|
|
|
- the "Status" assignment when we call HashPeImageByType() in the next
|
|
iteration of the loop,
|
|
|
|
- the "Status = EFI_ACCESS_DENIED" assignment right after the final
|
|
"IsVerified" check.
|
|
|
|
To make it clear that the assignment is only useful for the immediate
|
|
HashPeImageByType() retval check, introduce a specific helper variable,
|
|
called "HashStatus".
|
|
|
|
This patch is a no-op, functionally.
|
|
|
|
Cc: Chao Zhang <chao.b.zhang@intel.com>
|
|
Cc: Jian J Wang <jian.j.wang@intel.com>
|
|
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
|
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
|
|
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
|
Message-Id: <20200116190705.18816-5-lersek@redhat.com>
|
|
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
|
|
[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
|
|
Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid
|
|
<d3fbb76dabed4e1987c512c328c82810@intel.com>]
|
|
(cherry picked from commit 47650a5cab608e07c31d66bdb9b4cc6e58bdf22f)
|
|
|
|
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
---
|
|
.../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
|
index e6c8a54..5cc82c1 100644
|
|
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
|
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
|
@@ -1581,6 +1581,7 @@ DxeImageVerificationHandler (
|
|
UINT32 OffSet;
|
|
CHAR16 *NameStr;
|
|
RETURN_STATUS PeCoffStatus;
|
|
+ EFI_STATUS HashStatus;
|
|
|
|
SignatureList = NULL;
|
|
SignatureListSize = 0;
|
|
@@ -1802,8 +1803,8 @@ DxeImageVerificationHandler (
|
|
continue;
|
|
}
|
|
|
|
- Status = HashPeImageByType (AuthData, AuthDataSize);
|
|
- if (EFI_ERROR (Status)) {
|
|
+ HashStatus = HashPeImageByType (AuthData, AuthDataSize);
|
|
+ if (EFI_ERROR (HashStatus)) {
|
|
continue;
|
|
}
|
|
|
|
--
|
|
1.8.3.1
|
|
|