Accepting request 901235 from home:gary_lin:branches:devel:openSUSE:Factory

- Add shim-bsc1185232-fix-config-table-copying.patch to avoid
  buffer overflow when copying data to the MOK config table
  (bsc#1185232)

OBS-URL: https://build.opensuse.org/request/show/901235
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=185

shim-bsc1185232-fix-config-table-copying.patch

@@ -0,0 +1,52 @@
+From 42c6148c7ebd026862ab96405e78191ff8ebf298 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 21 Jun 2021 16:38:02 +0800
+Subject: [PATCH] mok: skip the empty variables when copying the data to MOK
+ config table
+
+When calculating the size of the MOK config table, we skip the empty
+variables. However, when copying the data, we copied the zeroed config
+templates for those empty variables, and this could cause crash since we
+may write more data than the allocated pages. This commit skips the
+empty variables when copying the data so that the size of copied data
+matches config_sz.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ mok.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index beac0ff6..add21223 100644
+--- a/mok.c
++++ b/mok.c
+@@ -1028,16 +1028,18 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ 	for (i = 0; p && mok_state_variables[i].name != NULL; i++) {
+ 		struct mok_state_variable *v = &mok_state_variables[i];
+ 
+-		ZeroMem(&config_template, sizeof(config_template));
+-		strncpy(config_template.name, (CHAR8 *)v->rtname8, 255);
+-		config_template.name[255] = '\0';
++		if (v->data && v->data_size) {
++			ZeroMem(&config_template, sizeof(config_template));
++			strncpy(config_template.name, (CHAR8 *)v->rtname8, 255);
++			config_template.name[255] = '\0';
+ 
+-		config_template.data_size = v->data_size;
++			config_template.data_size = v->data_size;
+ 
+-		CopyMem(p, &config_template, sizeof(config_template));
+-		p += sizeof(config_template);
+-		CopyMem(p, v->data, v->data_size);
+-		p += v->data_size;
++			CopyMem(p, &config_template, sizeof(config_template));
++			p += sizeof(config_template);
++			CopyMem(p, v->data, v->data_size);
++			p += v->data_size;
++		}
+ 	}
+ 	if (p) {
+ 		ZeroMem(&config_template, sizeof(config_template));
+-- 
+2.31.1
+

shim.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jun 21 08:51:37 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add shim-bsc1185232-fix-config-table-copying.patch to avoid
+  buffer overflow when copying data to the MOK config table
+  (bsc#1185232)
+
 -------------------------------------------------------------------
 Mon Jun 21 01:58:00 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
 

shim.spec

@@ -91,6 +91,8 @@ Patch11:        shim-fix-aa64-relsz.patch
 Patch12:        shim-disable-export-vendor-dbx.patch
 # PATCH-FIX-UPSTREAM shim-bsc1187260-fix-efi-1.10-machines.patch bsc#1187260 glin@suse.com -- Don't call QueryVariableInfo() on EFI 1.10 machines
 Patch13:        shim-bsc1187260-fix-efi-1.10-machines.patch
+# PATCH-FIX-UPSTREAM shim-bsc1185232-fix-config-table-copying.patch bsc#1185232 glin@suse.com -- Avoid buffer overflow when copying the MOK config table
+Patch14:        shim-bsc1185232-fix-config-table-copying.patch
 BuildRequires:  dos2unix
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@@ -142,6 +144,7 @@ The source code of UEFI shim loader
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
 
 %build
 # generate the vendor SBAT metadata