From 2bc33c675da07c276e1c5ee35fd5446c3ed17a1c Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 3 Nov 2020 06:51:55 -0500 Subject: [PATCH] import shim-unsigned-aarch64-15-6.el8 --- ...ix-a-use-of-strlen-instead-of-Strlen.patch | 28 ++++ ...ashes-don-t-write-to-string-literals.patch | 139 ++++++++++++++++++ SPECS/shim-unsigned-aarch64.spec | 14 +- 3 files changed, 179 insertions(+), 2 deletions(-) create mode 100644 SOURCES/0009-Fix-a-use-of-strlen-instead-of-Strlen.patch create mode 100644 SOURCES/0010-translate_slashes-don-t-write-to-string-literals.patch diff --git a/SOURCES/0009-Fix-a-use-of-strlen-instead-of-Strlen.patch b/SOURCES/0009-Fix-a-use-of-strlen-instead-of-Strlen.patch new file mode 100644 index 0000000..dc9d880 --- /dev/null +++ b/SOURCES/0009-Fix-a-use-of-strlen-instead-of-Strlen.patch @@ -0,0 +1,28 @@ +From 1870bae796022f8bbf60465352eac329ff1d6ffd Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Thu, 5 Sep 2019 10:36:23 -0400 +Subject: [PATCH] Fix a use of strlen() instead of Strlen() + +Resolves: rhbz#1817882 + +Signed-off-by: Peter Jones +--- + src/shim.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shim.c b/shim.c +index 3f131f48572..38f1346da7f 100644 +--- a/shim.c ++++ b/shim.c +@@ -2053,7 +2053,7 @@ static int is_our_path(EFI_LOADED_IMAGE *li, CHAR16 *path) + + dprint(L"dppath: %s\n", dppath); + dprint(L"path: %s\n", path); +- if (StrnCaseCmp(dppath, PathName, strlen(dppath))) ++ if (StrnCaseCmp(dppath, PathName, StrLen(dppath))) + ret = 0; + + done: +-- +2.25.1 + diff --git a/SOURCES/0010-translate_slashes-don-t-write-to-string-literals.patch b/SOURCES/0010-translate_slashes-don-t-write-to-string-literals.patch new file mode 100644 index 0000000..edb03aa --- /dev/null +++ b/SOURCES/0010-translate_slashes-don-t-write-to-string-literals.patch 
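Review bot: In the 0009 hunk for is_our_path(), the corrected call `StrnCaseCmp(dppath, PathName, StrLen(dppath))` still limits the comparison to the length of dppath. Assuming StrnCaseCmp has strncasecmp-like semantics, a PathName that merely begins with dppath compares equal and `ret` is left unchanged. If an exact match is intended, include the terminator, e.g. `StrnCaseCmp(dppath, PathName, StrLen(dppath) + 1)`; otherwise add a comment saying the prefix match is deliberate. That the old `strlen()` call on what appears to be a CHAR16 string compiled at all suggests the build does not reject narrow string functions applied to wide pointers, so treating incompatible-pointer-type warnings as errors would catch this class of mistake. The body of is_our_path() starts and ends outside the hunk, so the initial value of `ret` and how PathName is built are not visible here.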
@@ -0,0 +1,139 @@
+From 9813e8bc8b3295f343809fac43298a73a93ffc97 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek
+Date: Tue, 28 Jan 2020 23:33:46 +0100
+Subject: [PATCH] translate_slashes(): don't write to string literals
+
+Currently, all three invocations of the translate_slashes() function may
+lead to writes to the string literal that is #defined with the
+DEFAULT_LOADER_CHAR macro. According to ISO C99 6.4.5p6, this is undefined
+behavior ("If the program attempts to modify such an array, the behavior
+is undefined").
+
+This bug crashes shim on e.g. the 64-bit ArmVirtQemu platform ("Data
+abort: Permission fault"), where the platform firmware maps the .text
+section (which contains the string literal) read-only.
+
+Modify translate_slashes() so that it copies and translates characters
+from an input array of "char" to an output array of "CHAR8".
+
+While at it, fix another bug. Before this patch, if translate_slashes()
+ever encountered a double backslash (translating it to a single forward
+slash), then the output would end up shorter than the input. However, the
+output was not NUL-terminated in-place, therefore the original string
+length (and according trailing garbage) would be preserved. After this
+patch, the NUL-termination on contraction is automatic, as the output
+array's contents are indeterminate when entering the function, and so we
+must NUL-terminate it anyway.
+ +Fixes: 8e9124227d18475d3bc634c33518963fc8db7c98 +Fixes: e62b69a5b0b87c6df7a4fc23906134945309e927 +Fixes: 3d79bcb2651b9eae809b975b3e03e2f96c067072 +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1795654 +Signed-off-by: Laszlo Ersek +--- + include/str.h | 14 ++++++++------ + httpboot.c | 4 ++-- + netboot.c | 16 +++++++++++----- + 3 files changed, 21 insertions(+), 13 deletions(-) + +diff --git a/include/str.h b/include/str.h +index 9a748366bd1..f73c6212cd9 100644 +--- a/include/str.h ++++ b/include/str.h +@@ -45,21 +45,23 @@ strcata(CHAR8 *dest, const CHAR8 *src) + static inline + __attribute__((unused)) + CHAR8 * +-translate_slashes(char *str) ++translate_slashes(CHAR8 *out, const char *str) + { + int i; + int j; +- if (str == NULL) +- return (CHAR8 *)str; ++ if (str == NULL || out == NULL) ++ return NULL; + + for (i = 0, j = 0; str[i] != '\0'; i++, j++) { + if (str[i] == '\\') { +- str[j] = '/'; ++ out[j] = '/'; + if (str[i+1] == '\\') + i++; +- } ++ } else ++ out[j] = str[i]; + } +- return (CHAR8 *)str; ++ out[j] = '\0'; ++ return out; + } + + #endif /* SHIM_STR_H */ +diff --git a/httpboot.c b/httpboot.c +index 3622e85867c..2d27e8ed993 100644 +--- a/httpboot.c ++++ b/httpboot.c +@@ -743,14 +743,14 @@ httpboot_fetch_buffer (EFI_HANDLE image, VOID **buffer, UINT64 *buf_size) + { + EFI_STATUS efi_status; + EFI_HANDLE nic; +- CHAR8 *next_loader = NULL; ++ CHAR8 next_loader[sizeof DEFAULT_LOADER_CHAR]; + CHAR8 *next_uri = NULL; + CHAR8 *hostname = NULL; + + if (!uri) + return EFI_NOT_READY; + +- next_loader = translate_slashes(DEFAULT_LOADER_CHAR); ++ translate_slashes(next_loader, DEFAULT_LOADER_CHAR); + + /* Create the URI for the next loader based on the original URI */ + efi_status = generate_next_uri(uri, next_loader, &next_uri); +diff --git a/netboot.c b/netboot.c +index 583fe4bee71..6d293bca9dd 100644 +--- a/netboot.c ++++ b/netboot.c +@@ -189,7 +189,9 @@ static BOOLEAN extract_tftp_info(CHAR8 *url) + CHAR8 *start, *end; + CHAR8 ip6str[40]; + CHAR8 
ip6inv[16]; +- CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR); ++ CHAR8 template[sizeof DEFAULT_LOADER_CHAR]; ++ ++ translate_slashes(template, DEFAULT_LOADER_CHAR); + + // to check against str2ip6() errors + memset(ip6inv, 0, sizeof(ip6inv)); +@@ -254,10 +256,14 @@ static EFI_STATUS parseDhcp6() + + static EFI_STATUS parseDhcp4() + { +- CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR); +- INTN template_len = strlen(template) + 1; ++ CHAR8 template[sizeof DEFAULT_LOADER_CHAR]; ++ INTN template_len; ++ UINTN template_ofs = 0; + EFI_PXE_BASE_CODE_DHCPV4_PACKET* pkt_v4 = (EFI_PXE_BASE_CODE_DHCPV4_PACKET *)&pxe->Mode->DhcpAck.Dhcpv4; + ++ translate_slashes(template, DEFAULT_LOADER_CHAR); ++ template_len = strlen(template) + 1; ++ + if(pxe->Mode->ProxyOfferReceived) { + /* + * Proxy should not have precedence. Check if DhcpAck +@@ -288,8 +294,8 @@ static EFI_STATUS parseDhcp4() + full_path[dir_len-1] = '\0'; + } + if (dir_len == 0 && dir[0] != '/' && template[0] == '/') +- template++; +- strcata(full_path, template); ++ template_ofs++; ++ strcata(full_path, template + template_ofs); + memcpy(&tftp_addr.v4, pkt_v4->BootpSiAddr, 4); + + return EFI_SUCCESS; +-- +2.26.2 + diff --git a/SPECS/shim-unsigned-aarch64.spec b/SPECS/shim-unsigned-aarch64.spec index 368600e..f0290b1 100644 --- a/SPECS/shim-unsigned-aarch64.spec +++ b/SPECS/shim-unsigned-aarch64.spec @@ -16,7 +16,7 @@ Name: shim-unsigned-aarch64 Version: 15 -Release: 4%{?dist} +Release: 6%{?dist} Summary: First-stage UEFI bootloader ExclusiveArch: aarch64 License: BSD 
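Review bot: The new `translate_slashes(CHAR8 *out, const char *str)` in include/str.h writes to `out` with no length argument, so its safety depends on every caller providing at least `strlen(str) + 1` bytes, and nothing in the header states that. The three callers in httpboot.c and netboot.c size the buffer with `sizeof DEFAULT_LOADER_CHAR`, which is correct only while that macro expands to a string literal; if it ever becomes a pointer, `sizeof` yields the pointer size and the copy overruns the stack array. I would document the contract above the function, `/* out must have room for strlen(str) + 1 bytes; the result is never longer than str */`, or pass the buffer size and stop copying at `out_size - 1`. The callers also ignore the return value, which is harmless for a literal input, but a NULL return would leave the array uninitialized before `generate_next_uri()` or `strcata()` reads it.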
@@ -37,6 +37,8 @@ Patch0005: 0005-Make-EFI-variable-copying-fatal-only-on-secureboot-e.patch Patch0006: 0006-Make-some-things-dprint-instead-of-console_print.patch Patch0007: 0007-shim-Properly-generate-absolute-paths-from-relative-.patch Patch0008: 0008-shim-Prevent-shim-to-set-itself-as-a-second-stage-lo.patch +Patch0009: 0009-Fix-a-use-of-strlen-instead-of-Strlen.patch +Patch0010: 0010-translate_slashes-don-t-write-to-string-literals.patch BuildRequires: elfutils-libelf-devel BuildRequires: git openssl-devel openssl @@ -135,7 +137,15 @@ cd .. %files debugsource -f build-%{efiarch}/debugsource.list %changelog -* Fri Jun 07 2019 Javier Martinez Canillas 15-4 +* Tue May 26 2020 Javier Martinez Canillas - 15-6 +- Fix a shim crash when attempting to netboot + Resolves: rhbz#1840036 + +* Mon May 04 2020 Javier Martinez Canillas - 15-5 +- Fix firmware update bug in aarch64 caused by shim ignoring arguments + Resolves: rhbz#1817882 + +* Fri Jun 07 2019 Javier Martinez Canillas - 15-4 - Add a gating.yaml file so the package can be properly gated Related: rhbz#1682749