diff --git a/shim-bsc950569-fix-cryptlib-va-functions.patch b/shim-bsc950569-fix-cryptlib-va-functions.patch
new file mode 100644
index 0000000..c37a401
--- /dev/null
+++ b/shim-bsc950569-fix-cryptlib-va-functions.patch
@@ -0,0 +1,283 @@ +From b74c635bfd5d131f2848ce2cd2ffc838dc616ee8 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Tue, 27 Oct 2015 12:00:13 +0800 +Subject: [PATCH] Cryptlib: Define the va functions for EFIAPI + +It turned out that my previous crash fix(*) was wrong. +We actually always used the gcc built-in va functions instead of +the "real" va functions for EFIAPI, and we are just lucky that +ERR_add_error_data didn't crash before. + +This commit copies the va functions from MdePkg/Include/Base.h +in edk2 and introdues NO_BUILTIN_VA_FUNCS for x86_64, so that all +the x86_64 build will adopt the new va functions. For safety, +I also added EFIAPI to all the functions which use va_* to avoid +the potential trouble. + +(*) a7f4b26cc35204165bd04e75c34e8e7aa2a87ecc + +Signed-off-by: Gary Ching-Pang Lin +--- + Cryptlib/Include/OpenSslSupport.h | 75 +++++++++++++++++++++++++++++++++++ + Cryptlib/Include/openssl/bio.h | 8 ++++ + Cryptlib/Include/openssl/err.h | 4 -- + Cryptlib/Makefile | 2 +- + Cryptlib/OpenSSL/Makefile | 3 +- + Cryptlib/OpenSSL/crypto/bio/b_print.c | 8 ++++ + Cryptlib/OpenSSL/crypto/cryptlib.c | 4 ++ + Cryptlib/OpenSSL/crypto/cryptlib.h | 4 ++ + Cryptlib/OpenSSL/crypto/err/err.c | 4 -- + Makefile | 1 + + 10 files changed, 103 insertions(+), 10 deletions(-) + +diff --git a/Cryptlib/Include/OpenSslSupport.h b/Cryptlib/Include/OpenSslSupport.h +index e5e1adc..004c3e8 100644 +--- a/Cryptlib/Include/OpenSslSupport.h ++++ b/Cryptlib/Include/OpenSslSupport.h +@@ -47,6 +47,9 @@ typedef VOID *FILE; + #define va_arg VA_ARG + #define va_start VA_START + #define va_end VA_END ++ ++# if !defined(NO_BUILTIN_VA_FUNCS) ++ + typedef __builtin_va_list VA_LIST; + + #define VA_START(Marker, Parameter) __builtin_va_start (Marker, Parameter) +@@ -57,6 +60,78 @@ typedef __builtin_va_list VA_LIST; + + #define VA_COPY(Dest, Start) __builtin_va_copy (Dest, Start) + ++# else ++ ++#define _INT_SIZE_OF(n) ((sizeof (n) + sizeof (UINTN) - 1) &~(sizeof (UINTN) - 1)) ++/// 
++/// Variable used to traverse the list of arguments. This type can vary by ++/// implementation and could be an array or structure. ++/// ++typedef CHAR8 *VA_LIST; ++ ++/** ++ Retrieves a pointer to the beginning of a variable argument list, based on ++ the name of the parameter that immediately precedes the variable argument list. ++ ++ This function initializes Marker to point to the beginning of the variable ++ argument list that immediately follows Parameter. The method for computing the ++ pointer to the next argument in the argument list is CPU-specific following the ++ EFIAPI ABI. ++ ++ @param Marker The VA_LIST used to traverse the list of arguments. ++ @param Parameter The name of the parameter that immediately precedes ++ the variable argument list. ++ ++ @return A pointer to the beginning of a variable argument list. ++ ++**/ ++#define VA_START(Marker, Parameter) (Marker = (VA_LIST) ((UINTN) & (Parameter) + _INT_SIZE_OF (Parameter))) ++ ++/** ++ Returns an argument of a specified type from a variable argument list and updates ++ the pointer to the variable argument list to point to the next argument. ++ ++ This function returns an argument of the type specified by TYPE from the beginning ++ of the variable argument list specified by Marker. Marker is then updated to point ++ to the next argument in the variable argument list. The method for computing the ++ pointer to the next argument in the argument list is CPU-specific following the EFIAPI ABI. ++ ++ @param Marker VA_LIST used to traverse the list of arguments. ++ @param TYPE The type of argument to retrieve from the beginning ++ of the variable argument list. ++ ++ @return An argument of the type specified by TYPE. ++ ++**/ ++#define VA_ARG(Marker, TYPE) (*(TYPE *) ((Marker += _INT_SIZE_OF (TYPE)) - _INT_SIZE_OF (TYPE))) ++ ++/** ++ Terminates the use of a variable argument list. ++ ++ This function initializes Marker so it can no longer be used with VA_ARG(). 
++ After this macro is used, the only way to access the variable argument list is ++ by using VA_START() again. ++ ++ @param Marker VA_LIST used to traverse the list of arguments. ++ ++**/ ++#define VA_END(Marker) (Marker = (VA_LIST) 0) ++ ++/** ++ Initializes a VA_LIST as a copy of an existing VA_LIST. ++ ++ This macro initializes Dest as a copy of Start, as if the VA_START macro had been applied to Dest ++ followed by the same sequence of uses of the VA_ARG macro as had previously been used to reach ++ the present state of Start. ++ ++ @param Dest VA_LIST used to traverse the list of arguments. ++ @param Start VA_LIST used to traverse the list of arguments. ++ ++**/ ++#define VA_COPY(Dest, Start) ((void)((Dest) = (Start))) ++ ++# endif ++ + #else // __CC_ARM + #define va_start(Marker, Parameter) __va_start(Marker, Parameter) + #define va_arg(Marker, TYPE) __va_arg(Marker, TYPE) +diff --git a/Cryptlib/Include/openssl/bio.h b/Cryptlib/Include/openssl/bio.h +index 561ae2f..69bd48c 100644 +--- a/Cryptlib/Include/openssl/bio.h ++++ b/Cryptlib/Include/openssl/bio.h +@@ -787,11 +787,19 @@ void BIO_copy_next_retry(BIO *b); + # else + # define __bio_h__attr__(x) + # endif ++# if defined(OPENSSL_SYS_UEFI) ++int EFIAPI BIO_printf(BIO *bio, const char *format, ...) ++# else + int BIO_printf(BIO *bio, const char *format, ...) ++# endif + __bio_h__attr__((__format__(__printf__, 2, 3))); + int BIO_vprintf(BIO *bio, const char *format, va_list args) + __bio_h__attr__((__format__(__printf__, 2, 0))); ++# if defined(OPENSSL_SYS_UEFI) ++int EFIAPI BIO_snprintf(char *buf, size_t n, const char *format, ...) ++# else + int BIO_snprintf(char *buf, size_t n, const char *format, ...) 
++# endif + __bio_h__attr__((__format__(__printf__, 3, 4))); + int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args) + __bio_h__attr__((__format__(__printf__, 3, 0))); +diff --git a/Cryptlib/Include/openssl/err.h b/Cryptlib/Include/openssl/err.h +index da589f8..bbfdb95 100644 +--- a/Cryptlib/Include/openssl/err.h ++++ b/Cryptlib/Include/openssl/err.h +@@ -352,11 +352,7 @@ void EFIAPI ERR_add_error_data(int num, ...); + void ERR_add_error_data(int num, ...); + #endif + +-#if defined(OPENSSL_SYS_UEFI) +-void EFIAPI ERR_add_error_vdata(int num, va_list args); +-#else + void ERR_add_error_vdata(int num, va_list args); +-#endif + void ERR_load_strings(int lib, ERR_STRING_DATA str[]); + void ERR_unload_strings(int lib, ERR_STRING_DATA str[]); + void ERR_load_ERR_strings(void); +diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile +index 9a92304..c9cf379 100644 +--- a/Cryptlib/Makefile ++++ b/Cryptlib/Makefile +@@ -7,7 +7,7 @@ CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort- + + ifeq ($(ARCH),x86_64) + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \ +- -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI ++ -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DNO_BUILTIN_VA_FUNCS + endif + ifeq ($(ARCH),ia32) + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32 +diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile +index ab6e7dd..f8055fd 100644 +--- a/Cryptlib/OpenSSL/Makefile ++++ b/Cryptlib/OpenSSL/Makefile +@@ -7,7 +7,8 @@ CFLAGS = -ggdb -O0 -I. -I.. 
-I../Include/ -Icrypto -fno-stack-protector -fno-st + + ifeq ($(ARCH),x86_64) + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \ +- -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DSIXTY_FOUR_BIT_LONG ++ -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DSIXTY_FOUR_BIT_LONG \ ++ -DNO_BUILTIN_VA_FUNCS + endif + ifeq ($(ARCH),ia32) + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \ +diff --git a/Cryptlib/OpenSSL/crypto/bio/b_print.c b/Cryptlib/OpenSSL/crypto/bio/b_print.c +index 9091d56..4695827 100644 +--- a/Cryptlib/OpenSSL/crypto/bio/b_print.c ++++ b/Cryptlib/OpenSSL/crypto/bio/b_print.c +@@ -751,7 +751,11 @@ doapr_outch(char **sbuffer, + + /***************************************************************************/ + ++#if defined(OPENSSL_SYS_UEFI) ++int EFIAPI BIO_printf(BIO *bio, const char *format, ...) ++#else + int BIO_printf(BIO *bio, const char *format, ...) ++#endif + { + va_list args; + int ret; +@@ -795,7 +799,11 @@ int BIO_vprintf(BIO *bio, const char *format, va_list args) + * closely related to BIO_printf, and we need *some* name prefix ... (XXX the + * function should be renamed, but to what?) + */ ++#if defined(OPENSSL_SYS_UEFI) ++int EFIAPI BIO_snprintf(char *buf, size_t n, const char *format, ...) ++#else + int BIO_snprintf(char *buf, size_t n, const char *format, ...) ++#endif + { + va_list args; + int ret; +diff --git a/Cryptlib/OpenSSL/crypto/cryptlib.c b/Cryptlib/OpenSSL/crypto/cryptlib.c +index ca0e3cc..0a59342 100644 +--- a/Cryptlib/OpenSSL/crypto/cryptlib.c ++++ b/Cryptlib/OpenSSL/crypto/cryptlib.c +@@ -962,7 +962,11 @@ void OPENSSL_showfatal(const char *fmta, ...) + MessageBox(NULL, buf, _T("OpenSSL: FATAL"), MB_OK | MB_ICONSTOP); + } + #else ++# if defined(OPENSSL_SYS_UEFI) ++void EFIAPI OPENSSL_showfatal(const char *fmta, ...) ++# else + void OPENSSL_showfatal(const char *fmta, ...) 
++# endif + { + va_list ap; + +diff --git a/Cryptlib/OpenSSL/crypto/cryptlib.h b/Cryptlib/OpenSSL/crypto/cryptlib.h +index fba180a..7ca4c99 100644 +--- a/Cryptlib/OpenSSL/crypto/cryptlib.h ++++ b/Cryptlib/OpenSSL/crypto/cryptlib.h +@@ -100,7 +100,11 @@ extern "C" { + + void OPENSSL_cpuid_setup(void); + extern unsigned int OPENSSL_ia32cap_P[]; ++# if defined(OPENSSL_SYS_UEFI) ++void EFIAPI OPENSSL_showfatal(const char *fmta, ...); ++# else + void OPENSSL_showfatal(const char *fmta, ...); ++# endif + void *OPENSSL_stderr(void); + extern int OPENSSL_NONPIC_relocated; + +diff --git a/Cryptlib/OpenSSL/crypto/err/err.c b/Cryptlib/OpenSSL/crypto/err/err.c +index 108b83a..f98cce6 100644 +--- a/Cryptlib/OpenSSL/crypto/err/err.c ++++ b/Cryptlib/OpenSSL/crypto/err/err.c +@@ -1085,11 +1085,7 @@ void ERR_add_error_data(int num, ...) + va_end(args); + } + +-#if defined(OPENSSL_SYS_UEFI) +-void EFIAPI ERR_add_error_vdata(int num, va_list args) +-#else + void ERR_add_error_vdata(int num, va_list args) +-#endif + { + int i, n, s; + char *str, *p, *a; +diff --git a/Makefile b/Makefile +index 2449fe4..b36e2a3 100644 +--- a/Makefile ++++ b/Makefile +@@ -42,6 +42,7 @@ ifeq ($(ARCH),x86_64) + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ + -maccumulate-outgoing-args \ + -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \ ++ -DNO_BUILTIN_VA_FUNCS \ + "-DEFI_ARCH=L\"x64\"" \ + "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\"" + endif +-- +2.6.2 + diff --git a/shim-change-debug-file-path.patch b/shim-change-debug-file-path.patch index 8b210db..5d9d1ce 100644 --- a/shim-change-debug-file-path.patch +++ b/shim-change-debug-file-path.patch @@ -8,19 +8,16 @@ 
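Review bot: The hand-rolled `VA_START`/`VA_ARG` macros in the `# else` branch of OpenSslSupport.h are only correct inside a function that is compiled as `EFIAPI`, and nothing in the header states or enforces that. With `-DNO_BUILTIN_VA_FUNCS` now set in all three x86_64 Makefile blocks, a variadic function left without `EFIAPI` would have `VA_START` walk from the address of a register-passed parameter and read unrelated stack contents, which in a boot-time signature-verification library is a memory-safety defect rather than a cosmetic one. The patch annotates `BIO_printf`, `BIO_snprintf` and `OPENSSL_showfatal` (the err.h context shows `ERR_add_error_data` already has it); whether any other `va_start` user remains in Cryptlib is not visible here and should be checked across the tree. I would add a comment above `typedef CHAR8 *VA_LIST;` along the lines of `/* Walks the caller's argument slots: valid only in EFIAPI (MS ABI) functions; every va_start user built with NO_BUILTIN_VA_FUNCS must be declared EFIAPI. */`. The macros also assume each argument occupies a `UINTN`-aligned slot, so `VA_ARG` on a type wider than `UINTN` should be documented as unsupported.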
Signed-off-by: Gary Ching-Pang Lin Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/Makefile b/Makefile -index 48e2a7d..081c9a8 100644 ---- a/Makefile -+++ b/Makefile -@@ -43,7 +43,7 @@ ifeq ($(ARCH),x86_64) - -maccumulate-outgoing-args \ +Index: shim-0.9/Makefile +=================================================================== +--- shim-0.9.orig/Makefile ++++ shim-0.9/Makefile +@@ -44,7 +44,7 @@ ifeq ($(ARCH),x86_64) -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \ + -DNO_BUILTIN_VA_FUNCS \ "-DEFI_ARCH=L\"x64\"" \ - "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\"" + "-DDEBUGDIR=L\"/usr/lib/debug/usr/lib64/efi/shim.debug\"" endif ifeq ($(ARCH),ia32) CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ --- -2.1.4 - diff --git a/shim-fix-mokmanager-sections.patch b/shim-fix-mokmanager-sections.patch deleted file mode 100644 index d35cf68..0000000 --- a/shim-fix-mokmanager-sections.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From fa7e46558ebdafeb7b5f4a3b843f309a678d4365 Mon Sep 17 00:00:00 2001 -From: Gary Ching-Pang Lin -Date: Mon, 10 Nov 2014 17:19:58 +0800 -Subject: [PATCH] Fix objcopy parameters to include .rel and .rela - -This is a quick hack for the old objcopy. - -The asterisks support in objcopy was added in 2.24. For the distro -with the older objcopy, some sections would be ignored and this could -crash the program. - -Signed-off-by: Gary Ching-Pang Lin ---- - Makefile | 12 ++++-------- - 1 file changed, 4 insertions(+), 8 deletions(-) - -diff --git a/Makefile b/Makefile -index 412496b..a791bcc 100644 ---- a/Makefile -+++ b/Makefile -@@ -9,7 +9,6 @@ LD = $(CROSS_COMPILE)ld - OBJCOPY = $(CROSS_COMPILE)objcopy - - ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,) --OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.* //g' | cut -f1-2 -d.` \>= 2.24) - - SUBDIRS = Cryptlib lib - -@@ -142,17 +141,14 @@ endif - FORMAT ?= --target efi-app-$(ARCH) - - %.efi: %.so --ifneq ($(OBJCOPY_GTE224),1) -- $(error objcopy >= 2.24 is required) --endif - $(OBJCOPY) -j .text -j .sdata -j .data \ -- -j .dynamic -j .dynsym -j .rel* \ -- -j .rela* -j .reloc -j .eh_frame \ -+ -j .dynamic -j .dynsym -j .rel \ -+ -j .rela -j .reloc -j .eh_frame \ - -j .vendor_cert \ - $(FORMAT) $^ $@ - $(OBJCOPY) -j .text -j .sdata -j .data \ -- -j .dynamic -j .dynsym -j .rel* \ -- -j .rela* -j .reloc -j .eh_frame \ -+ -j .dynamic -j .dynsym -j .rel \ -+ -j .rela -j .reloc -j .eh_frame \ - -j .debug_info -j .debug_abbrev -j .debug_aranges \ - -j .debug_line -j .debug_str -j .debug_ranges \ - -j .note.gnu.build-id \ --- -2.1.4 - diff --git a/shim-opensuse-cert-prompt.patch b/shim-opensuse-cert-prompt.patch index 327dd86..b1fc267 100644 --- a/shim-opensuse-cert-prompt.patch +++ b/shim-opensuse-cert-prompt.patch 
@@ -1,7 +1,7 @@ -From 83b991190b82da422cff4e357e045ff993ecaa9d Mon Sep 17 00:00:00 2001 +From 6718680400c48e463aac6ceef2a3238f2a0e1d57 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Tue, 18 Feb 2014 17:29:19 +0800 -Subject: [PATCH 1/3] Show the build-in certificate prompt +Subject: [PATCH 1/4] Show the build-in certificate prompt This is an openSUSE-only patch. @@ -140,10 +140,10 @@ index 4c6bdc5..4e8ed3a 100644 2.1.4 -From bde21fc34f6c1293a4233e704d9890a14f4bff19 Mon Sep 17 00:00:00 2001 +From 60e38ea2418c8e77a5e85cb833de7a3967be1343 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 20 Feb 2014 16:57:08 +0800 -Subject: [PATCH 2/3] Support revoking the openSUSE cert +Subject: [PATCH 2/4] Support revoking the openSUSE cert This is an openSUSE-only patch. @@ -309,10 +309,10 @@ index 4e8ed3a..8848e6a 100644 2.1.4 -From 3d22ec8e64253ec7edc4133d6122539f006c792e Mon Sep 17 00:00:00 2001 +From fd62fb657674e9cb63f2bd814c6c8c50acf2c6aa Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Fri, 7 Mar 2014 16:17:20 +0800 -Subject: [PATCH 3/3] Delete openSUSE_Verify the right way +Subject: [PATCH 3/4] Delete openSUSE_Verify the right way This is an openSUSE-only patch. 
@@ -340,3 +340,35 @@ index 68d4099..c7f2b65 100644 -- 2.1.4 + +From 2014c6b629a4c5543d0531f59303dbd7bcdd4051 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Mon, 19 Oct 2015 16:36:14 +0800 +Subject: [PATCH 4/4] Don't pass NULL to set MokListRT + +This is an openSUSE-only patch. + +Signed-off-by: Gary Ching-Pang Lin +--- + shim.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/shim.c b/shim.c +index 8848e6a..7a21bb2 100644 +--- a/shim.c ++++ b/shim.c +@@ -1768,6 +1768,11 @@ EFI_STATUS mirror_mok_list() + FullData = Data; + } + ++ if (FullDataSize == 0) { ++ /* openSUSE_Verify isn't set and no other MOK exists. */ ++ return EFI_SUCCESS; ++ } ++ + efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT", + &shim_lock_guid, + EFI_VARIABLE_BOOTSERVICE_ACCESS +-- +2.1.4 + diff --git a/shim.changes b/shim.changes index 2b82402..f2a68f2 100644 --- a/shim.changes +++ b/shim.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Mon Nov 9 08:22:43 UTC 2015 - glin@suse.com + +- Add shim-bsc950569-fix-cryptlib-va-functions.patch to fix the + definition of va functions to avoid the potential crash + (bsc#950569) +- Update shim-opensuse-cert-prompt.patch to avoid setting NULL to + MokListRT (bsc#950801) +- Drop shim-fix-mokmanager-sections.patch as we are using the + newer binutils now +- Refresh shim-change-debug-file-path.patch + ------------------------------------------------------------------- Thu Oct 8 06:49:43 UTC 2015 - jsegitz@novell.com diff --git a/shim.spec b/shim.spec index 2fb2d05..a00b7a1 100644 --- a/shim.spec +++ b/shim.spec @@ -1,7 +1,7 @@ # # spec file for package shim # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
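Review bot: The new `FullDataSize == 0` early return in `mirror_mok_list()` is commented only with the state that leads to it, not with why the `SetVariable` call has to be skipped. In UEFI a `SetVariable` call with a zero data size is a delete request, so the comment could read `/* Nothing to mirror: a zero-size SetVariable is a delete request, so leave MokListRT unset. */`. The return also bypasses everything after the `SetVariable` call, which lies outside this hunk; if that tail releases `Data` or `FullData`, the new path should do the same. Code that later reads `MokListRT` must then treat a missing variable as an empty key list, which is presumably already the case but is not shown here.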
@@ -44,12 +44,12 @@ Source11: strip_signature.sh Source12: signature-sles.asc # PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c Patch1: shim-only-os-name.patch -# PATCH-FIX-UPSTREAM shim-fix-mokmanager-sections.patch glin@suse.com -- Fix the objcopy parameters for the EFI files -Patch3: shim-fix-mokmanager-sections.patch # PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2d.patch glin@suse.com -- Update openssl to 1.0.2d Patch4: shim-update-openssl-1.0.2d.patch # PATCH-FIX-UPSTREAM shim-gcc5.patch glin@suse.com -- Specify the gnu89 standard Patch5: shim-gcc5.patch +# PATCH-FIX-UPSTREAM shim-bsc950569-fix-cryptlib-va-functions.patch bsc#950569 glin@suse.com -- Fix the definition of the va functions to avoid the potential crash +Patch6: shim-bsc950569-fix-cryptlib-va-functions.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path Patch50: shim-change-debug-file-path.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not @@ -90,9 +90,9 @@ Authors: %prep %setup -q %patch1 -p1 -%patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %patch50 -p1 %patch100 -p1 %build