import shim-unsigned-x64-15-9.el8

2020-11-03 06:52:53 -05:00 · 2020-11-03 06:52:53 -05:00 · 38ad50963b
commit 38ad50963b
parent 90b875047d
3 changed files with 166 additions and 1 deletions
--- a/SOURCES/0064-Fix-some-mokmanager-deletion-paths.patch
+++ b/SOURCES/0064-Fix-some-mokmanager-deletion-paths.patch
@ -0,0 +1,122 @@
+From 18843127dc0eace16d43d479bd091e221e8785c4 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 17 Aug 2020 15:47:19 -0400
+Subject: [PATCH] Fix some mokmanager deletion paths
+
+This fixes several codepaths where MokList and MokListX are supposed to
+be deleted, but are not.  It also adds debug logging to much of the
+deletion codepath.
+
+---
+ MokManager.c | 24 +++++++++++++++++++++++-
+ Makefile     |  2 +-
+ 2 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/MokManager.c b/MokManager.c
+index c9949e33bcf..9bae3414fe7 100644
+--- a/MokManager.c
+++ b/MokManager.c
+@@ -9,6 +9,8 @@
+ 
+ #include "shim.h"
+ 
+#include "hexdump.h"
+
+ #define PASSWORD_MAX 256
+ #define PASSWORD_MIN 1
+ #define SB_PASSWORD_LEN 16
+@@ -1050,9 +1052,11 @@ static EFI_STATUS mok_reset_prompt(BOOLEAN MokX)
+ 	if (MokX) {
+ 		LibDeleteVariable(L"MokXNew", &SHIM_LOCK_GUID);
+ 		LibDeleteVariable(L"MokXAuth", &SHIM_LOCK_GUID);
+		LibDeleteVariable(L"MokListX", &SHIM_LOCK_GUID);
+ 	} else {
+ 		LibDeleteVariable(L"MokNew", &SHIM_LOCK_GUID);
+ 		LibDeleteVariable(L"MokAuth", &SHIM_LOCK_GUID);
+		LibDeleteVariable(L"MokList", &SHIM_LOCK_GUID);
+ 	}
+ 
+ 	return EFI_SUCCESS;
+@@ -1075,6 +1079,7 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num,
+ 	else
+ 		db_name = L"MokList";
+ 
+	dprint(L"Writing back %s (%d entries)\n", db_name, key_num);
+ 	for (i = 0; i < key_num; i++) {
+ 		if (list[i].Mok == NULL)
+ 			continue;
+@@ -1085,8 +1090,15 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num,
+ 			DataSize += sizeof(EFI_GUID);
+ 		DataSize += list[i].MokSize;
+ 	}
+-	if (DataSize == 0)
+	if (DataSize == 0) {
+		dprint(L"DataSize = 0; deleting variable %s\n", db_name);
+		efi_status = gRT->SetVariable(db_name, &SHIM_LOCK_GUID,
+					      EFI_VARIABLE_NON_VOLATILE |
+					      EFI_VARIABLE_BOOTSERVICE_ACCESS,
+					      DataSize, Data);
+		dprint(L"efi_status:%llu\n", efi_status);
+ 		return EFI_SUCCESS;
+	}
+ 
+ 	Data = AllocatePool(DataSize);
+ 	if (Data == NULL)
+@@ -1291,11 +1303,15 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
+ 	}
+ 
+ 	if (auth_size == PASSWORD_CRYPT_SIZE) {
+		dprint(L"matching password with CRYPT");
+ 		efi_status = match_password((PASSWORD_CRYPT *) auth, NULL, 0,
+ 					    NULL, NULL);
+		dprint(L"match_password(0x%llx, NULL, 0, NULL, NULL) = %lu\n", auth, efi_status);
+ 	} else {
+		dprint(L"matching password as sha256sum");
+ 		efi_status =
+ 		    match_password(NULL, MokDel, MokDelSize, auth, NULL);
+		dprint(L"match_password(NULL, 0x%llx, %llu, 0x%llx, NULL) = %lu\n", MokDel, MokDelSize, auth, efi_status);
+ 	}
+ 	if (EFI_ERROR(efi_status))
+ 		return EFI_ACCESS_DENIED;
+@@ -1365,12 +1381,17 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
+ 	}
+ 
+ 	/* Search and destroy */
+	dprint(L"deleting certs from %a\n", MokX ? "MokListX" : "MokList");
+ 	for (i = 0; i < del_num; i++) {
+ 		type = del_key[i].Type; /* avoid -Werror=address-of-packed-member */
+ 		if (CompareGuid(&type, &X509_GUID) == 0) {
+			dprint(L"deleting key %d (total %d):\n", i, mok_num);
+			dhexdumpat(del_key[i].Mok, del_key[i].MokSize, 0);
+ 			delete_cert(del_key[i].Mok, del_key[i].MokSize,
+ 				    mok, mok_num);
+ 		} else if (is_sha2_hash(del_key[i].Type)) {
+			dprint(L"deleting hash %d (total %d):\n", i, mok_num);
+			dhexdumpat(del_key[i].Mok, del_key[i].MokSize, 0);
+ 			delete_hash_list(del_key[i].Type, del_key[i].Mok,
+ 					 del_key[i].MokSize, mok, mok_num);
+ 		}
+@@ -2564,6 +2585,7 @@ EFI_STATUS efi_main(EFI_HANDLE image_handle, EFI_SYSTEM_TABLE * systab)
+ 
+ 	InitializeLib(image_handle, systab);
+ 
+	setup_verbosity();
+ 	setup_rand();
+ 
+ 	console_mode_handle();
+diff --git a/Makefile b/Makefile
+index 49e14a26521..a17fa2bef14 100644
+--- a/Makefile
+++ b/Makefile
+@@ -36,7 +36,7 @@ endif
+ OBJS	= shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o
+ KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
+ ORIG_SOURCES	= shim.c mok.c netboot.c replacements.c tpm.c errlog.c shim.h version.h $(wildcard include/*.h)
+-MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
+MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o
+ ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
+ FALLBACK_OBJS = fallback.o tpm.o errlog.o
+ ORIG_FALLBACK_SRCS = fallback.c
+-- 
+2.26.2
+
--- a/SOURCES/0065-Fix-buffer-overrun-due-DEFAULT_LOADER-length-miscalc.patch
+++ b/SOURCES/0065-Fix-buffer-overrun-due-DEFAULT_LOADER-length-miscalc.patch
@ -0,0 +1,37 @@
+From ac610fe45491deccaab2c4ee689cbbdac117930a Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 8 Sep 2020 12:26:45 +0200
+Subject: [PATCH] Fix buffer overrun due DEFAULT_LOADER length miscalculation
+
+The DEFAULT_LOADER is a UCS-2 string and the StrLen() function returns the
+number of UCS-2 encoded characters in the string. But the allocated memory
+is in bytes, so only half of the needed memory to store it is allocated.
+
+This leads to a buffer overrun when the StrCpy() function attempts to copy
+the DEFAULT_LOADER to the allocated buffer.
+
+Fixes: 354bd9b1931 ("Actually check for errors from set_second_stage()")
+Reported-by: Stuart Hayes <stuart_hayes@dell.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ shim.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/shim.c b/shim.c
+index 34dce25c330..82913c934f6 100644
+--- a/shim.c
+++ b/shim.c
+@@ -2096,8 +2096,9 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle)
+ 	unsigned int i;
+ 	UINTN second_stage_len;
+ 
+-	second_stage_len = StrLen(DEFAULT_LOADER) + 1;
+	second_stage_len = (StrLen(DEFAULT_LOADER) + 1) * sizeof(CHAR16);
+ 	second_stage = AllocatePool(second_stage_len);
+
+ 	if (!second_stage) {
+ 		perror(L"Could not allocate %lu bytes\n", second_stage_len);
+ 		return EFI_OUT_OF_RESOURCES;
+-- 
+2.28.0
+
--- a/SPECS/shim-unsigned-x64.spec
+++ b/SPECS/shim-unsigned-x64.spec
@ -18,7 +18,7 @@

 Name:		shim-unsigned-%{efiarch}
 Version:	15
-Release:	8.el8
+Release:	9.el8
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	x86_64
 License:	BSD
@ -94,6 +94,8 @@ Patch0060: 0060-Improve-debug-output-some.patch
 Patch0061: 0061-Also-use-a-config-table-to-mirror-mok-variables.patch
 Patch0062: 0062-Implement-lennysz-s-suggestions-for-MokListRT.patch
 Patch0063: 0063-hexdump.h-fix-arithmetic-error.patch
+Patch0064: 0064-Fix-some-mokmanager-deletion-paths.patch
+Patch0065: 0065-Fix-buffer-overrun-due-DEFAULT_LOADER-length-miscalc.patch

 BuildRequires:	elfutils-libelf-devel
 BuildRequires:	git openssl-devel openssl
@ -231,6 +233,10 @@ cd ..
 %files debugsource -f build-%{efiarch}/debugsource.list

 %changelog
+* Thu Sep 17 2020 Peter Jones <pjones@redhat.com> - 15-9.el8
+- Fix an incorrect allocation size.
+  Related: rhbz#1877253
+
 * Thu Jul 30 2020 Peter Jones <pjones@redhat.com> - 15-8
 - Fix a load-address-dependent forever loop.
  Resolves: rhbz#1861977