import shim-unsigned-aarch64-15-6.el8

SOURCES/0009-Fix-a-use-of-strlen-instead-of-Strlen.patch

@@ -0,0 +1,28 @@
+From 1870bae796022f8bbf60465352eac329ff1d6ffd Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Thu, 5 Sep 2019 10:36:23 -0400
+Subject: [PATCH] Fix a use of strlen() instead of Strlen()
+
+Resolves: rhbz#1817882
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/shim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shim.c b/shim.c
+index 3f131f48572..38f1346da7f 100644
+--- a/shim.c
++++ b/shim.c
+@@ -2053,7 +2053,7 @@ static int is_our_path(EFI_LOADED_IMAGE *li, CHAR16 *path)
+ 
+ 	dprint(L"dppath: %s\n", dppath);
+ 	dprint(L"path:   %s\n", path);
+-	if (StrnCaseCmp(dppath, PathName, strlen(dppath)))
++	if (StrnCaseCmp(dppath, PathName, StrLen(dppath)))
+ 		ret = 0;
+ 
+ done:
+-- 
+2.25.1
+

SOURCES/0010-translate_slashes-don-t-write-to-string-literals.patch

@@ -0,0 +1,139 @@
+From 9813e8bc8b3295f343809fac43298a73a93ffc97 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 28 Jan 2020 23:33:46 +0100
+Subject: [PATCH] translate_slashes(): don't write to string literals
+
+Currently, all three invocations of the translate_slashes() function may
+lead to writes to the string literal that is #defined with the
+DEFAULT_LOADER_CHAR macro. According to ISO C99 6.4.5p6, this is undefined
+behavior ("If the program attempts to modify such an array, the behavior
+is undefined").
+
+This bug crashes shim on e.g. the 64-bit ArmVirtQemu platform ("Data
+abort: Permission fault"), where the platform firmware maps the .text
+section (which contains the string literal) read-only.
+
+Modify translate_slashes() so that it copies and translates characters
+from an input array of "char" to an output array of "CHAR8".
+
+While at it, fix another bug. Before this patch, if translate_slashes()
+ever encountered a double backslash (translating it to a single forward
+slash), then the output would end up shorter than the input. However, the
+output was not NUL-terminated in-place, therefore the original string
+length (and according trailing garbage) would be preserved. After this
+patch, the NUL-termination on contraction is automatic, as the output
+array's contents are indeterminate when entering the function, and so we
+must NUL-terminate it anyway.
+
+Fixes: 8e9124227d18475d3bc634c33518963fc8db7c98
+Fixes: e62b69a5b0b87c6df7a4fc23906134945309e927
+Fixes: 3d79bcb2651b9eae809b975b3e03e2f96c067072
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1795654
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ include/str.h  | 14 ++++++++------
+ httpboot.c |  4 ++--
+ netboot.c  | 16 +++++++++++-----
+ 3 files changed, 21 insertions(+), 13 deletions(-)
+
+diff --git a/include/str.h b/include/str.h
+index 9a748366bd1..f73c6212cd9 100644
+--- a/include/str.h
++++ b/include/str.h
+@@ -45,21 +45,23 @@ strcata(CHAR8 *dest, const CHAR8 *src)
+ static inline
+ __attribute__((unused))
+ CHAR8 *
+-translate_slashes(char *str)
++translate_slashes(CHAR8 *out, const char *str)
+ {
+ 	int i;
+ 	int j;
+-	if (str == NULL)
+-		return (CHAR8 *)str;
++	if (str == NULL || out == NULL)
++		return NULL;
+ 
+ 	for (i = 0, j = 0; str[i] != '\0'; i++, j++) {
+ 		if (str[i] == '\\') {
+-			str[j] = '/';
++			out[j] = '/';
+ 			if (str[i+1] == '\\')
+ 				i++;
+-		}
++		} else
++			out[j] = str[i];
+ 	}
+-	return (CHAR8 *)str;
++	out[j] = '\0';
++	return out;
+ }
+ 
+ #endif /* SHIM_STR_H */
+diff --git a/httpboot.c b/httpboot.c
+index 3622e85867c..2d27e8ed993 100644
+--- a/httpboot.c
++++ b/httpboot.c
+@@ -743,14 +743,14 @@ httpboot_fetch_buffer (EFI_HANDLE image, VOID **buffer, UINT64 *buf_size)
+ {
+ 	EFI_STATUS efi_status;
+ 	EFI_HANDLE nic;
+-	CHAR8 *next_loader = NULL;
++	CHAR8 next_loader[sizeof DEFAULT_LOADER_CHAR];
+ 	CHAR8 *next_uri = NULL;
+ 	CHAR8 *hostname = NULL;
+ 
+ 	if (!uri)
+ 		return EFI_NOT_READY;
+ 
+-	next_loader = translate_slashes(DEFAULT_LOADER_CHAR);
++	translate_slashes(next_loader, DEFAULT_LOADER_CHAR);
+ 
+ 	/* Create the URI for the next loader based on the original URI */
+ 	efi_status = generate_next_uri(uri, next_loader, &next_uri);
+diff --git a/netboot.c b/netboot.c
+index 583fe4bee71..6d293bca9dd 100644
+--- a/netboot.c
++++ b/netboot.c
+@@ -189,7 +189,9 @@ static BOOLEAN extract_tftp_info(CHAR8 *url)
+ 	CHAR8 *start, *end;
+ 	CHAR8 ip6str[40];
+ 	CHAR8 ip6inv[16];
+-	CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR);
++	CHAR8 template[sizeof DEFAULT_LOADER_CHAR];
++
++	translate_slashes(template, DEFAULT_LOADER_CHAR);
+ 
+ 	// to check against str2ip6() errors
+ 	memset(ip6inv, 0, sizeof(ip6inv));
+@@ -254,10 +256,14 @@ static EFI_STATUS parseDhcp6()
+ 
+ static EFI_STATUS parseDhcp4()
+ {
+-	CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR);
+-	INTN template_len = strlen(template) + 1;
++	CHAR8 template[sizeof DEFAULT_LOADER_CHAR];
++	INTN template_len;
++	UINTN template_ofs = 0;
+ 	EFI_PXE_BASE_CODE_DHCPV4_PACKET* pkt_v4 = (EFI_PXE_BASE_CODE_DHCPV4_PACKET *)&pxe->Mode->DhcpAck.Dhcpv4;
+ 
++	translate_slashes(template, DEFAULT_LOADER_CHAR);
++	template_len = strlen(template) + 1;
++
+ 	if(pxe->Mode->ProxyOfferReceived) {
+ 		/*
+ 		 * Proxy should not have precedence.  Check if DhcpAck
+@@ -288,8 +294,8 @@ static EFI_STATUS parseDhcp4()
+ 			full_path[dir_len-1] = '\0';
+ 	}
+ 	if (dir_len == 0 && dir[0] != '/' && template[0] == '/')
+-		template++;
+-	strcata(full_path, template);
++		template_ofs++;
++	strcata(full_path, template + template_ofs);
+ 	memcpy(&tftp_addr.v4, pkt_v4->BootpSiAddr, 4);
+ 
+ 	return EFI_SUCCESS;
+-- 
+2.26.2
+

SPECS/shim-unsigned-aarch64.spec

@@ -16,7 +16,7 @@
 
 Name:		shim-unsigned-aarch64
 Version:	15
-Release:	4%{?dist}
+Release:	6%{?dist}
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	aarch64
 License:	BSD
@@ -37,6 +37,8 @@ Patch0005:	0005-Make-EFI-variable-copying-fatal-only-on-secureboot-e.patch
 Patch0006:	0006-Make-some-things-dprint-instead-of-console_print.patch
 Patch0007:	0007-shim-Properly-generate-absolute-paths-from-relative-.patch
 Patch0008:	0008-shim-Prevent-shim-to-set-itself-as-a-second-stage-lo.patch
+Patch0009:	0009-Fix-a-use-of-strlen-instead-of-Strlen.patch
+Patch0010:	0010-translate_slashes-don-t-write-to-string-literals.patch
 
 BuildRequires:	elfutils-libelf-devel
 BuildRequires:	git openssl-devel openssl
@@ -135,7 +137,15 @@ cd ..
 %files debugsource -f build-%{efiarch}/debugsource.list
 
 %changelog
-* Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> 15-4
+* Tue May 26 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-6
+- Fix a shim crash when attempting to netboot
+  Resolves: rhbz#1840036
+
+* Mon May 04 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-5
+- Fix firmware update bug in aarch64 caused by shim ignoring arguments
+  Resolves: rhbz#1817882
+
+* Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-4
 - Add a gating.yaml file so the package can be properly gated
   Related: rhbz#1682749