Accepting request 901237 from devel:openSUSE:Factory

OBS-URL: https://build.opensuse.org/request/show/901237
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=98

shim-bsc1185232-fix-config-table-copying.patch

@@ -0,0 +1,52 @@
+From 42c6148c7ebd026862ab96405e78191ff8ebf298 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 21 Jun 2021 16:38:02 +0800
+Subject: [PATCH] mok: skip the empty variables when copying the data to MOK
+ config table
+
+When calculating the size of the MOK config table, we skip the empty
+variables. However, when copying the data, we copied the zeroed config
+templates for those empty variables, and this could cause crash since we
+may write more data than the allocated pages. This commit skips the
+empty variables when copying the data so that the size of copied data
+matches config_sz.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ mok.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index beac0ff6..add21223 100644
+--- a/mok.c
++++ b/mok.c
+@@ -1028,16 +1028,18 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ 	for (i = 0; p && mok_state_variables[i].name != NULL; i++) {
+ 		struct mok_state_variable *v = &mok_state_variables[i];
+ 
+-		ZeroMem(&config_template, sizeof(config_template));
+-		strncpy(config_template.name, (CHAR8 *)v->rtname8, 255);
+-		config_template.name[255] = '\0';
++		if (v->data && v->data_size) {
++			ZeroMem(&config_template, sizeof(config_template));
++			strncpy(config_template.name, (CHAR8 *)v->rtname8, 255);
++			config_template.name[255] = '\0';
+ 
+-		config_template.data_size = v->data_size;
++			config_template.data_size = v->data_size;
+ 
+-		CopyMem(p, &config_template, sizeof(config_template));
+-		p += sizeof(config_template);
+-		CopyMem(p, v->data, v->data_size);
+-		p += v->data_size;
++			CopyMem(p, &config_template, sizeof(config_template));
++			p += sizeof(config_template);
++			CopyMem(p, v->data, v->data_size);
++			p += v->data_size;
++		}
+ 	}
+ 	if (p) {
+ 		ZeroMem(&config_template, sizeof(config_template));
+-- 
+2.31.1
+

shim-bsc1187260-fix-efi-1.10-machines.patch

@@ -0,0 +1,62 @@
+From 493bd940e5c6e28e673034687de7adef9529efff Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Sat, 10 Apr 2021 16:05:23 -0400
+Subject: [PATCH] Don't call QueryVariableInfo() on EFI 1.10 machines
+
+The EFI 1.10 spec (and presumably earlier revisions as well) didn't have
+RT->QueryVariableInfo(), and on Chris Murphy's MacBookPro8,2 , that
+memory appears to be initialized randomly.
+
+This patch changes it to not call RT->QueryVariableInfo() if the
+EFI_RUNTIME_SERVICES table's major revision is less than two, and
+assumes our maximum variable size is 1024 in that case.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ mok.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 9b8fc2bc..beac0ff6 100644
+--- a/mok.c
++++ b/mok.c
+@@ -261,6 +261,9 @@ static const uint8_t null_sha256[32] = { 0, };
+ 
+ typedef UINTN SIZE_T;
+ 
++#define EFI_MAJOR_VERSION(tablep) ((UINT16)((((tablep)->Hdr.Revision) >> 16) & 0xfffful))
++#define EFI_MINOR_VERSION(tablep) ((UINT16)(((tablep)->Hdr.Revision) & 0xfffful))
++
+ static EFI_STATUS
+ get_max_var_sz(UINT32 attrs, SIZE_T *max_var_szp)
+ {
+@@ -270,11 +273,21 @@ get_max_var_sz(UINT32 attrs, SIZE_T *max_var_szp)
+ 	uint64_t max_var_sz = 0;
+ 
+ 	*max_var_szp = 0;
+-	efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz,
+-					    &remaining_sz, &max_var_sz);
+-	if (EFI_ERROR(efi_status)) {
+-		perror(L"Could not get variable storage info: %r\n", efi_status);
+-		return efi_status;
++	if (EFI_MAJOR_VERSION(gRT) < 2) {
++		dprint(L"EFI %d.%d; no RT->QueryVariableInfo().  Using 1024!\n",
++		       EFI_MAJOR_VERSION(gRT), EFI_MINOR_VERSION(gRT));
++		max_var_sz = remaining_sz = max_storage_sz = 1024;
++		efi_status = EFI_SUCCESS;
++	} else {
++		dprint(L"calling RT->QueryVariableInfo() at 0x%lx\n",
++		       gRT->QueryVariableInfo);
++		efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz,
++						    &remaining_sz, &max_var_sz);
++		if (EFI_ERROR(efi_status)) {
++			perror(L"Could not get variable storage info: %r\n",
++			       efi_status);
++			return efi_status;
++		}
+ 	}
+ 
+ 	/*
+-- 
+2.31.1
+

shim-disable-export-vendor-dbx.patch

@@ -0,0 +1,36 @@
+From 41da21f1f9d4af213f9f235a864772b99ce85fc7 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Fri, 18 Jun 2021 17:54:46 +0800
+Subject: [PATCH] Disable exporting vendor-dbx to MokListXRT
+
+As the vendor-dbx grows, it caused some problems when writing such
+a large variable. Some firmwares lie the avaiable space(*1) , and
+some even crash(*2) for no good reason after the writing of
+MokListXRT. Both shim and kernel don't rely on MokListXRT to block
+anything, so we just stop exporting vendor-dbx to MokListXRT to
+avoid the potential hassles.
+
+(*1) https://bugzilla.suse.com/show_bug.cgi?id=1185261
+(*2) https://github.com/rhboot/shim/pull/369#issuecomment-855275115
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ mok.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index beac0ff6..a687a92b 100644
+--- a/mok.c
++++ b/mok.c
+@@ -194,8 +194,6 @@ struct mok_state_variable mok_state_variables[] = {
+ 		     EFI_VARIABLE_NON_VOLATILE,
+ 	 .no_attr = EFI_VARIABLE_RUNTIME_ACCESS,
+ 	 .categorize_addend = categorize_deauthorized,
+-	 .addend = &vendor_deauthorized,
+-	 .addend_size = &vendor_deauthorized_size,
+ 	 .flags = MOK_MIRROR_KEYDB |
+ 		  MOK_MIRROR_DELETE_FIRST |
+ 		  MOK_VARIABLE_LOG,
+-- 
+2.31.1
+

shim-fix-aa64-relsz.patch

@@ -0,0 +1,132 @@
+From 9828f65f3e9de29da7bc70cb71069cc1d7ca1b4a Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Wed, 16 Jun 2021 16:13:32 +0800
+Subject: [PATCH] arm/aa64: fix the size of .rela* sections
+
+The previous commit(*) merged .rel* and .dyn* into .rodata, and this
+made ld to generate the wrong size for .rela* sections that covered
+other unrelated sections. When the EFI image was loaded, _relocate()
+went through the unexpected data and may cause unexpected crash.
+This commit moves .rel* and .dyn* out of .rodata in the ld script but
+also moves the related variables, such as _evrodata, _rodata_size,
+and _rodata_vsize, to the end of the new .dyn section, so that the
+crafted pe-coff section header for .rodata still covers our new
+.rela and .dyn sections.
+
+(*) 212ba30544f ("arm/aa64 targets: put .rel* and .dyn* in .rodata")
+
+Fix issue: https://github.com/rhboot/shim/issues/371
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ Makefile            |  4 ++--
+ elf_aarch64_efi.lds | 24 ++++++++++++++++--------
+ elf_arm_efi.lds     | 24 ++++++++++++++++--------
+ 3 files changed, 34 insertions(+), 18 deletions(-)
+
+Index: shim-15.4/Makefile
+===================================================================
+--- shim-15.4.orig/Makefile
++++ shim-15.4/Makefile
+@@ -243,7 +243,7 @@ ifneq ($(OBJCOPY_GTE224),1)
+ endif
+ 	$(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
+ 		-j .dynamic -j .rodata -j .rel* \
+-		-j .rela* -j .reloc -j .eh_frame \
++		-j .rela* -j .dyn -j .reloc -j .eh_frame \
+ 		-j .vendor_cert -j .sbat \
+ 		$(FORMAT) $< $@
+ 	# I am tired of wasting my time fighting binutils timestamp code.
+@@ -260,7 +260,7 @@ ifneq ($(OBJCOPY_GTE224),1)
+ endif
+ 	$(OBJCOPY) -D -j .text -j .sdata -j .data \
+ 		-j .dynamic -j .rodata -j .rel* \
+-		-j .rela* -j .reloc -j .eh_frame -j .sbat \
++		-j .rela* -j .dyn -j .reloc -j .eh_frame -j .sbat \
+ 		-j .debug_info -j .debug_abbrev -j .debug_aranges \
+ 		-j .debug_line -j .debug_str -j .debug_ranges \
+ 		-j .note.gnu.build-id \
+Index: shim-15.4/elf_aarch64_efi.lds
+===================================================================
+--- shim-15.4.orig/elf_aarch64_efi.lds
++++ shim-15.4/elf_aarch64_efi.lds
+@@ -70,21 +70,29 @@ SECTIONS
+   .rodata :
+   {
+     _rodata = .;
+-    *(.rela.dyn)
+-    *(.rela.plt)
+-    *(.rela.got)
+-    *(.rela.data)
+-    *(.rela.data*)
+-
+     *(.rodata*)
+     *(.srodata)
+-    *(.dynsym)
+-    *(.dynstr)
+     . = ALIGN(16);
+     *(.note.gnu.build-id)
+     . = ALIGN(4096);
+     *(.vendor_cert)
+     *(.data.ident)
++    . = ALIGN(4096);
++  }
++  . = ALIGN(4096);
++  .rela :
++  {
++    *(.rela.dyn)
++    *(.rela.plt)
++    *(.rela.got)
++    *(.rela.data)
++    *(.rela.data*)
++  }
++  . = ALIGN(4096);
++  .dyn :
++  {
++    *(.dynsym)
++    *(.dynstr)
+     _evrodata = .;
+     . = ALIGN(4096);
+   }
+Index: shim-15.4/elf_arm_efi.lds
+===================================================================
+--- shim-15.4.orig/elf_arm_efi.lds
++++ shim-15.4/elf_arm_efi.lds
+@@ -70,21 +70,29 @@ SECTIONS
+   .rodata :
+   {
+     _rodata = .;
+-    *(.rel.dyn)
+-    *(.rel.plt)
+-    *(.rel.got)
+-    *(.rel.data)
+-    *(.rel.data*)
+-
+     *(.rodata*)
+     *(.srodata)
+-    *(.dynsym)
+-    *(.dynstr)
+     . = ALIGN(16);
+     *(.note.gnu.build-id)
+     . = ALIGN(4096);
+     *(.vendor_cert)
+     *(.data.ident)
++    . = ALIGN(4096);
++  }
++  . = ALIGN(4096);
++  .rela :
++  {
++    *(.rela.dyn)
++    *(.rela.plt)
++    *(.rela.got)
++    *(.rela.data)
++    *(.rela.data*)
++  }
++  . = ALIGN(4096);
++  .dyn :
++  {
++    *(.dynsym)
++    *(.dynstr)
+     _evrodata = .;
+     . = ALIGN(4096);
+   }

shim.changes

@@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Mon Jun 21 08:51:37 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add shim-bsc1185232-fix-config-table-copying.patch to avoid
+  buffer overflow when copying data to the MOK config table
+  (bsc#1185232)
+
+-------------------------------------------------------------------
+Mon Jun 21 01:58:00 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add shim-disable-export-vendor-dbx.patch to disable exporting
+  vendor-dbx to MokListXRT since writing a large RT variable
+  could crash some machines (bsc#1185261)
+- Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the
+  potential crash when calling QueryVariableInfo in EFI 1.10
+  machines (bsc#1187260)
+
+-------------------------------------------------------------------
+Thu Jun 17 03:03:37 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add shim-fix-aa64-relsz.patch to fix the size of rela sections
+  for AArch64
+  Fix: https://github.com/rhboot/shim/issues/371 
+
 -------------------------------------------------------------------
 Fri Jun  4 09:22:51 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
 

shim.spec

@@ -85,6 +85,14 @@ Patch8:         shim-bsc1185621-relax-max-var-sz-check.patch
 Patch9:         shim-bsc1185261-relax-import_mok_state-check.patch
 # PATCH-FIX-UPSTREAM shim-bsc1185232-relax-loadoptions-length-check.patch bsc#1185232 glin@suse.com -- Relax the check for the LoadOptions length
 Patch10:        shim-bsc1185232-relax-loadoptions-length-check.patch
+# PATCH-FIX-UPSTREAM shim-fix-aa64-relsz.patch glin@suse.com -- Fix the size of rela* sections for AArch64
+Patch11:        shim-fix-aa64-relsz.patch
+# PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 glin@suse.com -- Disable exporting vendor-dbx to MokListXRT
+Patch12:        shim-disable-export-vendor-dbx.patch
+# PATCH-FIX-UPSTREAM shim-bsc1187260-fix-efi-1.10-machines.patch bsc#1187260 glin@suse.com -- Don't call QueryVariableInfo() on EFI 1.10 machines
+Patch13:        shim-bsc1187260-fix-efi-1.10-machines.patch
+# PATCH-FIX-UPSTREAM shim-bsc1185232-fix-config-table-copying.patch bsc#1185232 glin@suse.com -- Avoid buffer overflow when copying the MOK config table
+Patch14:        shim-bsc1185232-fix-config-table-copying.patch
 BuildRequires:  dos2unix
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@@ -133,6 +141,10 @@ The source code of UEFI shim loader
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
 
 %build
 # generate the vendor SBAT metadata