From 3b8ff18ad4ac1af740a979ad27fb83dbbdca70ef Mon Sep 17 00:00:00 2001

From: Laszlo Ersek <lersek@redhat.com>

Date: Wed, 24 Oct 2018 21:03:42 +0200

Subject: [PATCH 1/4] MdeModulePkg Variable: Fix Timestamp zeroing issue on

 APPEND_WRITE

Message-id: <20181024190345.15288-2-lersek@redhat.com>

Patchwork-id: 82887

O-Subject:  [RHEL8 edk2 PATCH 1/4] MdeModulePkg Variable: Fix Timestamp zeroing

	issue on APPEND_WRITE

Bugzilla: 1641436

Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>

Acked-by: Thomas Huth <thuth@redhat.com>

From: Star Zeng <star.zeng@intel.com>

--v-- RHEL8 note start --v--

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1641436

This patch fixes CVE-2018-3613. Unfortunately, the upstream subject line

does not include the CVE number. I've decided to stick with the upstream

subject verbatim in the backport, so we can more easily drop this patch at

the next rebase. On the upstream list, I did complain loudly, so there's

hope the next CVE fix will advertise the CVE number in the subject.

In practice, the vulnerability is difficult to exploit. Please refer to

the following messages in the upstream discussion:

  https://lists.01.org/pipermail/edk2-devel/2018-October/031103.html

  https://lists.01.org/pipermail/edk2-devel/2018-October/031140.html

--^-- RHEL8 note end --^--

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=415

When SetVariable() to a time based auth variable with APPEND_WRITE

attribute, and if the EFI_VARIABLE_AUTHENTICATION_2.TimeStamp in

the input Data is earlier than current value, it will cause timestamp

zeroing.

This issue may bring time based auth variable downgrade problem.

For example:

A vendor released three certs at 2014, 2015, and 2016, and system

integrated the 2016 cert. User can SetVariable() with 2015 cert and

APPEND_WRITE attribute to cause timestamp zeroing first, then

SetVariable() with 2014 cert to downgrade the cert.

This patch fixes this issue.

Cc: Jiewen Yao <jiewen.yao@intel.com>

Cc: Chao Zhang <chao.b.zhang@intel.com>

Cc: Jian J Wang <jian.j.wang@intel.com>

Contributed-under: TianoCore Contribution Agreement 1.1

Signed-off-by: Star Zeng <star.zeng@intel.com>

Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

(cherry picked from commit b7dc8888f31402f410c53242839271ba3b94b619)

Signed-off-by: Laszlo Ersek <lersek@redhat.com>

---

 MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2 ++

 1 file changed, 2 insertions(+)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c

index 6caf603..60439b5 100644

--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c

+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c

@@ -2460,6 +2460,8 @@ UpdateVariable (

         if (Variable->CurrPtr != NULL) {

           if (VariableCompareTimeStampInternal (&(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), TimeStamp)) {

             CopyMem (&AuthVariable->TimeStamp, TimeStamp, sizeof (EFI_TIME));

+          } else {

+            CopyMem (&AuthVariable->TimeStamp, &(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), sizeof (EFI_TIME));

           }

         }

       }

-- 

1.8.3.1