parent
2bf9c79899
commit
5b016140b7
@ -1,2 +1,2 @@
|
||||
ae830c7278f985cb25e90f4687b46c8b22316bef SOURCES/edk2-bb1bba3d77.tar.xz
|
||||
df2e14a45d968b590194d82736fcbfe2be10d1b0 SOURCES/openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz
|
||||
85388ae6525650667302c6b553894430197d9e0d SOURCES/openssl-rhel-cf317b2bb227899cb2e761b9163210f62cab1b1e.tar.xz
|
||||
|
@ -1,2 +1,2 @@
|
||||
SOURCES/edk2-bb1bba3d77.tar.xz
|
||||
SOURCES/openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz
|
||||
SOURCES/openssl-rhel-cf317b2bb227899cb2e761b9163210f62cab1b1e.tar.xz
|
||||
|
@ -0,0 +1,47 @@
|
||||
From 2dbfc91269fd944aeb82e0f9178e0ab278ccf0da Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Tue, 9 Jan 2024 12:29:01 +0100
|
||||
Subject: [PATCH 1/2] OvmfPkg/VirtNorFlashDxe: stop accepting gEfiVariableGuid
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Gerd Hoffmann <None>
|
||||
RH-MergeRequest: 41: OvmfPkg/VirtNorFlashDxe: sanity-check variables
|
||||
RH-Jira: RHEL-20351
|
||||
RH-Acked-by: Jon Maloy <jmaloy@redhat.com>
|
||||
RH-Commit: [1/2] c39aca9d2933518dff4216f585fdfcc492f08673
|
||||
|
||||
Only accept gEfiAuthenticatedVariableGuid when checking the variable
|
||||
store header in ValidateFvHeader().
|
||||
|
||||
The edk2 code base has been switched to use the authenticated varstore
|
||||
format unconditionally (even in case secure boot is not used or
|
||||
supported) a few years ago.
|
||||
|
||||
Suggested-by: László Érsek <lersek@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Message-Id: <20240109112902.30002-3-kraxel@redhat.com>
|
||||
(cherry picked from commit ae22b2f136bcbd27135a5f4dd76d3a68a172d00e)
|
||||
---
|
||||
ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashFvb.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashFvb.c b/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashFvb.c
|
||||
index db8eb595f4..904605cbbc 100644
|
||||
--- a/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashFvb.c
|
||||
+++ b/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashFvb.c
|
||||
@@ -210,8 +210,7 @@ ValidateFvHeader (
|
||||
VariableStoreHeader = (VARIABLE_STORE_HEADER*)((UINTN)FwVolHeader + FwVolHeader->HeaderLength);
|
||||
|
||||
// Check the Variable Store Guid
|
||||
- if (!CompareGuid (&VariableStoreHeader->Signature, &gEfiVariableGuid) &&
|
||||
- !CompareGuid (&VariableStoreHeader->Signature, &gEfiAuthenticatedVariableGuid)) {
|
||||
+ if (!CompareGuid (&VariableStoreHeader->Signature, &gEfiAuthenticatedVariableGuid)) {
|
||||
DEBUG ((EFI_D_INFO, "%a: Variable Store Guid non-compatible\n",
|
||||
__FUNCTION__));
|
||||
return EFI_NOT_FOUND;
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,216 @@
|
||||
From bfdee279c563129ad1847a081e9b675e322e0788 Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Tue, 9 Jan 2024 12:29:02 +0100
|
||||
Subject: [PATCH 2/2] OvmfPkg/VirtNorFlashDxe: sanity-check variables
|
||||
|
||||
RH-Author: Gerd Hoffmann <None>
|
||||
RH-MergeRequest: 41: OvmfPkg/VirtNorFlashDxe: sanity-check variables
|
||||
RH-Jira: RHEL-20351
|
||||
RH-Acked-by: Jon Maloy <jmaloy@redhat.com>
|
||||
RH-Commit: [2/2] da1ecd33775421c2cd77e3b0c1bea94de3aca22d
|
||||
|
||||
Extend the ValidateFvHeader function, additionally to the header checks
|
||||
walk over the list of variables and sanity check them.
|
||||
|
||||
In case we find inconsistencies indicating variable store corruption
|
||||
return EFI_NOT_FOUND so the variable store will be re-initialized.
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-Id: <20240109112902.30002-4-kraxel@redhat.com>
|
||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||
[lersek@redhat.com: fix StartId initialization/assignment coding style]
|
||||
(cherry picked from commit 4a443f73fd67ca8caaf0a3e1a01f8231b330d2e0)
|
||||
---
|
||||
.../Drivers/NorFlashDxe/NorFlashDxe.inf | 1 +
|
||||
.../Drivers/NorFlashDxe/NorFlashFvb.c | 149 +++++++++++++++++-
|
||||
2 files changed, 145 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf b/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf
|
||||
index f8d4c27031..10388880a1 100644
|
||||
--- a/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf
|
||||
+++ b/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashDxe.inf
|
||||
@@ -35,6 +35,7 @@
|
||||
DebugLib
|
||||
HobLib
|
||||
NorFlashPlatformLib
|
||||
+ SafeIntLib
|
||||
UefiLib
|
||||
UefiDriverEntryPoint
|
||||
UefiBootServicesTableLib
|
||||
diff --git a/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashFvb.c b/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashFvb.c
|
||||
index 904605cbbc..2a166c94a6 100644
|
||||
--- a/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashFvb.c
|
||||
+++ b/ArmPlatformPkg/Drivers/NorFlashDxe/NorFlashFvb.c
|
||||
@@ -13,6 +13,7 @@
|
||||
#include <Library/UefiLib.h>
|
||||
#include <Library/BaseMemoryLib.h>
|
||||
#include <Library/MemoryAllocationLib.h>
|
||||
+#include <Library/SafeIntLib.h>
|
||||
|
||||
#include <Guid/VariableFormat.h>
|
||||
#include <Guid/SystemNvDataGuid.h>
|
||||
@@ -166,11 +167,12 @@ ValidateFvHeader (
|
||||
IN NOR_FLASH_INSTANCE *Instance
|
||||
)
|
||||
{
|
||||
- UINT16 Checksum;
|
||||
- EFI_FIRMWARE_VOLUME_HEADER *FwVolHeader;
|
||||
- VARIABLE_STORE_HEADER *VariableStoreHeader;
|
||||
- UINTN VariableStoreLength;
|
||||
- UINTN FvLength;
|
||||
+ UINT16 Checksum;
|
||||
+ CONST EFI_FIRMWARE_VOLUME_HEADER *FwVolHeader;
|
||||
+ CONST VARIABLE_STORE_HEADER *VariableStoreHeader;
|
||||
+ UINTN VarOffset;
|
||||
+ UINTN VariableStoreLength;
|
||||
+ UINTN FvLength;
|
||||
|
||||
FwVolHeader = (EFI_FIRMWARE_VOLUME_HEADER*)Instance->RegionBaseAddress;
|
||||
|
||||
@@ -223,6 +225,143 @@ ValidateFvHeader (
|
||||
return EFI_NOT_FOUND;
|
||||
}
|
||||
|
||||
+ //
|
||||
+ // check variables
|
||||
+ //
|
||||
+ DEBUG ((DEBUG_INFO, "%a: checking variables\n", __func__));
|
||||
+ VarOffset = sizeof (*VariableStoreHeader);
|
||||
+ for ( ; ;) {
|
||||
+ UINTN VarHeaderEnd;
|
||||
+ UINTN VarNameEnd;
|
||||
+ UINTN VarEnd;
|
||||
+ UINTN VarPadding;
|
||||
+ CONST AUTHENTICATED_VARIABLE_HEADER *VarHeader;
|
||||
+ CONST CHAR16 *VarName;
|
||||
+ CONST CHAR8 *VarState;
|
||||
+ RETURN_STATUS Status;
|
||||
+
|
||||
+ Status = SafeUintnAdd (VarOffset, sizeof (*VarHeader), &VarHeaderEnd);
|
||||
+ if (RETURN_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__));
|
||||
+ return EFI_NOT_FOUND;
|
||||
+ }
|
||||
+
|
||||
+ if (VarHeaderEnd >= VariableStoreHeader->Size) {
|
||||
+ if (VarOffset <= VariableStoreHeader->Size - sizeof (UINT16)) {
|
||||
+ CONST UINT16 *StartId;
|
||||
+
|
||||
+ StartId = (VOID *)((UINTN)VariableStoreHeader + VarOffset);
|
||||
+ if (*StartId == 0x55aa) {
|
||||
+ DEBUG ((DEBUG_ERROR, "%a: startid at invalid location\n", __func__));
|
||||
+ return EFI_NOT_FOUND;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ DEBUG ((DEBUG_INFO, "%a: end of var list (no space left)\n", __func__));
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ VarHeader = (VOID *)((UINTN)VariableStoreHeader + VarOffset);
|
||||
+ if (VarHeader->StartId != 0x55aa) {
|
||||
+ DEBUG ((DEBUG_INFO, "%a: end of var list (no startid)\n", __func__));
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ VarName = NULL;
|
||||
+ switch (VarHeader->State) {
|
||||
+ // usage: State = VAR_HEADER_VALID_ONLY
|
||||
+ case VAR_HEADER_VALID_ONLY:
|
||||
+ VarState = "header-ok";
|
||||
+ VarName = L"<unknown>";
|
||||
+ break;
|
||||
+
|
||||
+ // usage: State = VAR_ADDED
|
||||
+ case VAR_ADDED:
|
||||
+ VarState = "ok";
|
||||
+ break;
|
||||
+
|
||||
+ // usage: State &= VAR_IN_DELETED_TRANSITION
|
||||
+ case VAR_ADDED &VAR_IN_DELETED_TRANSITION:
|
||||
+ VarState = "del-in-transition";
|
||||
+ break;
|
||||
+
|
||||
+ // usage: State &= VAR_DELETED
|
||||
+ case VAR_ADDED &VAR_DELETED:
|
||||
+ case VAR_ADDED &VAR_DELETED &VAR_IN_DELETED_TRANSITION:
|
||||
+ VarState = "deleted";
|
||||
+ break;
|
||||
+
|
||||
+ default:
|
||||
+ DEBUG ((
|
||||
+ DEBUG_ERROR,
|
||||
+ "%a: invalid variable state: 0x%x\n",
|
||||
+ __func__,
|
||||
+ VarHeader->State
|
||||
+ ));
|
||||
+ return EFI_NOT_FOUND;
|
||||
+ }
|
||||
+
|
||||
+ Status = SafeUintnAdd (VarHeaderEnd, VarHeader->NameSize, &VarNameEnd);
|
||||
+ if (RETURN_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__));
|
||||
+ return EFI_NOT_FOUND;
|
||||
+ }
|
||||
+
|
||||
+ Status = SafeUintnAdd (VarNameEnd, VarHeader->DataSize, &VarEnd);
|
||||
+ if (RETURN_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__));
|
||||
+ return EFI_NOT_FOUND;
|
||||
+ }
|
||||
+
|
||||
+ if (VarEnd > VariableStoreHeader->Size) {
|
||||
+ DEBUG ((
|
||||
+ DEBUG_ERROR,
|
||||
+ "%a: invalid variable size: 0x%Lx + 0x%Lx + 0x%x + 0x%x > 0x%x\n",
|
||||
+ __func__,
|
||||
+ (UINT64)VarOffset,
|
||||
+ (UINT64)(sizeof (*VarHeader)),
|
||||
+ VarHeader->NameSize,
|
||||
+ VarHeader->DataSize,
|
||||
+ VariableStoreHeader->Size
|
||||
+ ));
|
||||
+ return EFI_NOT_FOUND;
|
||||
+ }
|
||||
+
|
||||
+ if (((VarHeader->NameSize & 1) != 0) ||
|
||||
+ (VarHeader->NameSize < 4))
|
||||
+ {
|
||||
+ DEBUG ((DEBUG_ERROR, "%a: invalid name size\n", __func__));
|
||||
+ return EFI_NOT_FOUND;
|
||||
+ }
|
||||
+
|
||||
+ if (VarName == NULL) {
|
||||
+ VarName = (VOID *)((UINTN)VariableStoreHeader + VarHeaderEnd);
|
||||
+ if (VarName[VarHeader->NameSize / 2 - 1] != L'\0') {
|
||||
+ DEBUG ((DEBUG_ERROR, "%a: name is not null terminated\n", __func__));
|
||||
+ return EFI_NOT_FOUND;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ DEBUG ((
|
||||
+ DEBUG_VERBOSE,
|
||||
+ "%a: +0x%04Lx: name=0x%x data=0x%x guid=%g '%s' (%a)\n",
|
||||
+ __func__,
|
||||
+ (UINT64)VarOffset,
|
||||
+ VarHeader->NameSize,
|
||||
+ VarHeader->DataSize,
|
||||
+ &VarHeader->VendorGuid,
|
||||
+ VarName,
|
||||
+ VarState
|
||||
+ ));
|
||||
+
|
||||
+ VarPadding = (4 - (VarEnd & 3)) & 3;
|
||||
+ Status = SafeUintnAdd (VarEnd, VarPadding, &VarOffset);
|
||||
+ if (RETURN_ERROR (Status)) {
|
||||
+ DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__));
|
||||
+ return EFI_NOT_FOUND;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
Loading…
Reference in new issue