Accepting request 901235 from home:gary_lin:branches:devel:openSUSE:Factory

- Add shim-bsc1185232-fix-config-table-copying.patch to avoid buffer overflow when copying data to the MOK config table (bsc#1185232) OBS-URL: https://build.opensuse.org/request/show/901235 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=185
2021-06-22 02:03:16 +00:00 · 2021-06-22 02:03:16 +00:00 · 4e7f70bc3a
commit 4e7f70bc3a
parent 32f6f1f55a
3 changed files with 62 additions and 0 deletions
--- a/shim-bsc1185232-fix-config-table-copying.patch
+++ b/shim-bsc1185232-fix-config-table-copying.patch
@ -0,0 +1,52 @@
+From 42c6148c7ebd026862ab96405e78191ff8ebf298 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 21 Jun 2021 16:38:02 +0800
+Subject: [PATCH] mok: skip the empty variables when copying the data to MOK
+ config table
+
+When calculating the size of the MOK config table, we skip the empty
+variables. However, when copying the data, we copied the zeroed config
+templates for those empty variables, and this could cause crash since we
+may write more data than the allocated pages. This commit skips the
+empty variables when copying the data so that the size of copied data
+matches config_sz.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ mok.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index beac0ff6..add21223 100644
+--- a/mok.c
+++ b/mok.c
+@@ -1028,16 +1028,18 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ 	for (i = 0; p && mok_state_variables[i].name != NULL; i++) {
+ 		struct mok_state_variable *v = &mok_state_variables[i];
+ 
+-		ZeroMem(&config_template, sizeof(config_template));
+-		strncpy(config_template.name, (CHAR8 *)v->rtname8, 255);
+-		config_template.name[255] = '\0';
+		if (v->data && v->data_size) {
+			ZeroMem(&config_template, sizeof(config_template));
+			strncpy(config_template.name, (CHAR8 *)v->rtname8, 255);
+			config_template.name[255] = '\0';
+ 
+-		config_template.data_size = v->data_size;
+			config_template.data_size = v->data_size;
+ 
+-		CopyMem(p, &config_template, sizeof(config_template));
+-		p += sizeof(config_template);
+-		CopyMem(p, v->data, v->data_size);
+-		p += v->data_size;
+			CopyMem(p, &config_template, sizeof(config_template));
+			p += sizeof(config_template);
+			CopyMem(p, v->data, v->data_size);
+			p += v->data_size;
+		}
+ 	}
+ 	if (p) {
+ 		ZeroMem(&config_template, sizeof(config_template));
+-- 
+2.31.1
+
--- a/shim.changes
+++ b/shim.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jun 21 08:51:37 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add shim-bsc1185232-fix-config-table-copying.patch to avoid
+  buffer overflow when copying data to the MOK config table
+  (bsc#1185232)
+
 -------------------------------------------------------------------
 Mon Jun 21 01:58:00 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>

--- a/shim.spec
+++ b/shim.spec
@ -91,6 +91,8 @@ Patch11:        shim-fix-aa64-relsz.patch
 Patch12:        shim-disable-export-vendor-dbx.patch
 # PATCH-FIX-UPSTREAM shim-bsc1187260-fix-efi-1.10-machines.patch bsc#1187260 glin@suse.com -- Don't call QueryVariableInfo() on EFI 1.10 machines
 Patch13:        shim-bsc1187260-fix-efi-1.10-machines.patch
+# PATCH-FIX-UPSTREAM shim-bsc1185232-fix-config-table-copying.patch bsc#1185232 glin@suse.com -- Avoid buffer overflow when copying the MOK config table
+Patch14:        shim-bsc1185232-fix-config-table-copying.patch
 BuildRequires:  dos2unix
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@ -142,6 +144,7 @@ The source code of UEFI shim loader
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1

 %build
 # generate the vendor SBAT metadata