Accepting request 834242 from home:gary_lin:branches:devel:openSUSE:Factory

- Add shim-VLogError-Avoid-Null-pointer-dereferences.patch to fix VLogError crash in AArch64 (jsc#SLE-15824) - Add shim-fix-verify-eku.patch to fix the potential crash at verify_eku() (jsc#SLE-15824) - Add shim-do-not-write-string-literals.patch to fix the potential crash when accessing the DEFAULT_LOADER string (jsc#SLE-15824) OBS-URL: https://build.opensuse.org/request/show/834242 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=166
2020-09-14 08:23:32 +00:00 · 2020-09-14 08:23:32 +00:00 · 6cefe7b10f
commit 6cefe7b10f
parent 0e2b985c49
5 changed files with 256 additions and 0 deletions
--- a/shim-VLogError-Avoid-Null-pointer-dereferences.patch
+++ b/shim-VLogError-Avoid-Null-pointer-dereferences.patch
@ -0,0 +1,65 @@
+From 20e731f423a438f53738de73af9ef3d67c4cba2f Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 12 Feb 2019 18:04:49 -0500
+Subject: [PATCH] VLogError(): Avoid NULL pointer dereferences in (V)Sprint
+ calls
+
+VLogError() calculates the size of format strings by using calls to
+SPrint and VSPrint with a StrSize of 0 and NULL for an output buffer.
+Unfortunately, this is an incorrect usage of (V)Sprint. A StrSize
+of "0" is special-cased to mean "there is no limit". So, we end up
+writing our string to address 0x0. This was discovered because it
+causes a crash on ARM where, unlike x86, it does not necessarily
+have memory mapped at 0x0.
+
+Avoid the (V)Sprint calls altogether by using (V)PoolPrint, which
+handles the size calculation and allocation for us.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Fixes: 25f6fd08cd26 ("try to show errors more usefully.")
+[dannf: commit message ]
+Signed-off-by: dann frazier <dann.frazier@canonical.com>
+---
+ errlog.c | 15 +++------------
+ 1 file changed, 3 insertions(+), 12 deletions(-)
+
+diff --git a/errlog.c b/errlog.c
+index 18be482..eebb266 100644
+--- a/errlog.c
+++ b/errlog.c
+@@ -14,29 +14,20 @@ EFI_STATUS
+ VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args)
+ {
+ 	va_list args2;
+-	UINTN size = 0, size2;
+ 	CHAR16 **newerrs;
+ 
+-	size = SPrint(NULL, 0, L"%a:%d %a() ", file, line, func);
+-	va_copy(args2, args);
+-	size2 = VSPrint(NULL, 0, fmt, args2);
+-	va_end(args2);
+-
+ 	newerrs = ReallocatePool(errs, (nerrs + 1) * sizeof(*errs),
+ 				       (nerrs + 3) * sizeof(*errs));
+ 	if (!newerrs)
+ 		return EFI_OUT_OF_RESOURCES;
+ 
+-	newerrs[nerrs] = AllocatePool(size*2+2);
+	newerrs[nerrs] = PoolPrint(L"%a:%d %a() ", file, line, func);
+ 	if (!newerrs[nerrs])
+ 		return EFI_OUT_OF_RESOURCES;
+-	newerrs[nerrs+1] = AllocatePool(size2*2+2);
+	va_copy(args2, args);
+	newerrs[nerrs+1] = VPoolPrint(fmt, args2);
+ 	if (!newerrs[nerrs+1])
+ 		return EFI_OUT_OF_RESOURCES;
+-
+-	SPrint(newerrs[nerrs], size*2+2, L"%a:%d %a() ", file, line, func);
+-	va_copy(args2, args);
+-	VSPrint(newerrs[nerrs+1], size2*2+2, fmt, args2);
+ 	va_end(args2);
+ 
+ 	nerrs += 2;
+-- 
+2.28.0
+
--- a/shim-do-not-write-string-literals.patch
+++ b/shim-do-not-write-string-literals.patch
@ -0,0 +1,140 @@
+From c6bedd5b83529925c3ec08f96a3bf61c81bff0ae Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 28 Jan 2020 23:33:46 +0100
+Subject: [PATCH] translate_slashes(): don't write to string literals
+
+Currently, all three invocations of the translate_slashes() function may
+lead to writes to the string literal that is #defined with the
+DEFAULT_LOADER_CHAR macro. According to ISO C99 6.4.5p6, this is undefined
+behavior ("If the program attempts to modify such an array, the behavior
+is undefined").
+
+This bug crashes shim on e.g. the 64-bit ArmVirtQemu platform ("Data
+abort: Permission fault"), where the platform firmware maps the .text
+section (which contains the string literal) read-only.
+
+Modify translate_slashes() so that it copies and translates characters
+from an input array of "char" to an output array of "CHAR8".
+
+While at it, fix another bug. Before this patch, if translate_slashes()
+ever encountered a double backslash (translating it to a single forward
+slash), then the output would end up shorter than the input. However, the
+output was not NUL-terminated in-place, therefore the original string
+length (and according trailing garbage) would be preserved. After this
+patch, the NUL-termination on contraction is automatic, as the output
+array's contents are indeterminate when entering the function, and so we
+must NUL-terminate it anyway.
+
+Fixes: 8e9124227d18475d3bc634c33518963fc8db7c98
+Fixes: e62b69a5b0b87c6df7a4fc23906134945309e927
+Fixes: 3d79bcb2651b9eae809b975b3e03e2f96c067072
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1795654
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Upstream-commit-id: 9813e8bc8b3
+---
+ httpboot.c    |  4 ++--
+ include/str.h | 14 ++++++++------
+ netboot.c     | 16 +++++++++++-----
+ 3 files changed, 21 insertions(+), 13 deletions(-)
+
+diff --git a/httpboot.c b/httpboot.c
+index 3622e85..2d27e8e 100644
+--- a/httpboot.c
+++ b/httpboot.c
+@@ -743,14 +743,14 @@ httpboot_fetch_buffer (EFI_HANDLE image, VOID **buffer, UINT64 *buf_size)
+ {
+ 	EFI_STATUS efi_status;
+ 	EFI_HANDLE nic;
+-	CHAR8 *next_loader = NULL;
+	CHAR8 next_loader[sizeof DEFAULT_LOADER_CHAR];
+ 	CHAR8 *next_uri = NULL;
+ 	CHAR8 *hostname = NULL;
+ 
+ 	if (!uri)
+ 		return EFI_NOT_READY;
+ 
+-	next_loader = translate_slashes(DEFAULT_LOADER_CHAR);
+	translate_slashes(next_loader, DEFAULT_LOADER_CHAR);
+ 
+ 	/* Create the URI for the next loader based on the original URI */
+ 	efi_status = generate_next_uri(uri, next_loader, &next_uri);
+diff --git a/include/str.h b/include/str.h
+index 9a74836..f73c621 100644
+--- a/include/str.h
+++ b/include/str.h
+@@ -45,21 +45,23 @@ strcata(CHAR8 *dest, const CHAR8 *src)
+ static inline
+ __attribute__((unused))
+ CHAR8 *
+-translate_slashes(char *str)
+translate_slashes(CHAR8 *out, const char *str)
+ {
+ 	int i;
+ 	int j;
+-	if (str == NULL)
+-		return (CHAR8 *)str;
+	if (str == NULL || out == NULL)
+		return NULL;
+ 
+ 	for (i = 0, j = 0; str[i] != '\0'; i++, j++) {
+ 		if (str[i] == '\\') {
+-			str[j] = '/';
+			out[j] = '/';
+ 			if (str[i+1] == '\\')
+ 				i++;
+-		}
+		} else
+			out[j] = str[i];
+ 	}
+-	return (CHAR8 *)str;
+	out[j] = '\0';
+	return out;
+ }
+ 
+ #endif /* SHIM_STR_H */
+diff --git a/netboot.c b/netboot.c
+index 58babfb..4922ef2 100644
+--- a/netboot.c
+++ b/netboot.c
+@@ -189,7 +189,9 @@ static BOOLEAN extract_tftp_info(CHAR8 *url)
+ 	CHAR8 *start, *end;
+ 	CHAR8 ip6str[40];
+ 	CHAR8 ip6inv[16];
+-	CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR);
+	CHAR8 template[sizeof DEFAULT_LOADER_CHAR];
+
+	translate_slashes(template, DEFAULT_LOADER_CHAR);
+ 
+ 	// to check against str2ip6() errors
+ 	memset(ip6inv, 0, sizeof(ip6inv));
+@@ -254,10 +256,14 @@ static EFI_STATUS parseDhcp6()
+ 
+ static EFI_STATUS parseDhcp4()
+ {
+-	CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR);
+-	INTN template_len = strlen(template) + 1;
+	CHAR8 template[sizeof DEFAULT_LOADER_CHAR];
+	INTN template_len;
+	UINTN template_ofs = 0;
+ 	EFI_PXE_BASE_CODE_DHCPV4_PACKET* pkt_v4 = (EFI_PXE_BASE_CODE_DHCPV4_PACKET *)&pxe->Mode->DhcpAck.Dhcpv4;
+ 
+	translate_slashes(template, DEFAULT_LOADER_CHAR);
+	template_len = strlen(template) + 1;
+
+ 	if(pxe->Mode->ProxyOfferReceived) {
+ 		/*
+ 		 * Proxy should not have precedence.  Check if DhcpAck
+@@ -288,8 +294,8 @@ static EFI_STATUS parseDhcp4()
+ 			full_path[dir_len-1] = '\0';
+ 	}
+ 	if (dir_len == 0 && dir[0] != '/' && template[0] == '/')
+-		template++;
+-	strcata(full_path, template);
+		template_ofs++;
+	strcata(full_path, template + template_ofs);
+ 	memcpy(&tftp_addr.v4, pkt_v4->BootpSiAddr, 4);
+ 
+ 	return EFI_SUCCESS;
+-- 
+2.28.0
+
--- a/shim-fix-verify-eku.patch
+++ b/shim-fix-verify-eku.patch
@ -0,0 +1,32 @@
+From 44b211bcf7ad58ff29e6495e1c3978e4660cb7d1 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 15 Jan 2019 18:04:34 -0500
+Subject: [PATCH] OpenSSL: always provide OBJ_create() with name strings.
+
+Some versions of OpenSSL seem to go back and forth as to whether NULL
+for these names are okay.  Don't risk it.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Upstream-commit-id: 46b76a01717
+---
+ shim.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/shim.c b/shim.c
+index a0eb19b..d7ee2b6 100644
+--- a/shim.c
+++ b/shim.c
+@@ -388,7 +388,9 @@ static BOOLEAN verify_eku(UINT8 *Cert, UINTN CertSize)
+ 	EXTENDED_KEY_USAGE *eku;
+ 	ASN1_OBJECT *module_signing;
+ 
+-	module_signing = OBJ_nid2obj(OBJ_create(OID_EKU_MODSIGN, NULL, NULL));
+        module_signing = OBJ_nid2obj(OBJ_create(OID_EKU_MODSIGN,
+                                                "modsign-eku",
+                                                "modsign-eku"));
+ 
+ 	x509 = d2i_X509 (NULL, &Temp, (long) CertSize);
+ 	if (x509 != NULL) {
+-- 
+2.28.0
+
--- a/shim.changes
+++ b/shim.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Sep 14 08:06:27 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add shim-VLogError-Avoid-Null-pointer-dereferences.patch to fix
+  VLogError crash in AArch64 (jsc#SLE-15824)
+- Add shim-fix-verify-eku.patch to fix the potential crash at
+  verify_eku() (jsc#SLE-15824)
+- Add shim-do-not-write-string-literals.patch to fix the potential
+  crash when accessing the DEFAULT_LOADER string (jsc#SLE-15824)
+
 -------------------------------------------------------------------
 Fri Sep  4 15:08:19 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org>

--- a/shim.spec
+++ b/shim.spec
@ -81,6 +81,12 @@ Patch7:         shim-fix-gnu-efi-3.0.11.patch
 Patch8:         shim-bsc1173411-only-check-efi-var-on-sb.patch
 # PATCH-FIX-UPSTREAM shim-bsc1175509-tpm2-fixes.patch bsc#1175509 glin@suse.com -- Upstream fixes for the TPM2 measurement
 Patch9:         shim-bsc1175509-tpm2-fixes.patch
+# PATCH-FIX-UPSTREAM shim-VLogError-Avoid-Null-pointer-dereferences.patch glin@suse.com -- Fix VlogError crash in AArch64
+Patch10:        shim-VLogError-Avoid-Null-pointer-dereferences.patch
+# PATCH-FIX-UPSTREAM shim-fix-verify-eku.patch glin@suse.com -- Fix the potential crash at verify_eku()
+Patch11:        shim-fix-verify-eku.patch
+# PATCH-FIX-UPSTREAM shim-do-not-write-string-literals.patch -- Fix the potential crash when accessing the DEFAULT_LOADER string
+Patch12:        shim-do-not-write-string-literals.patch
 # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
 Patch100:       shim-opensuse-cert-prompt.patch
 BuildRequires:  gnu-efi >= 3.0.3
@ -131,6 +137,9 @@ The source code of UEFI shim loader
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
 %if 0%{?is_opensuse} == 1
 %patch100 -p1
 %endif