render / rpms / edk2

Forked from rpms/edk2 3 months ago
Clone

Blame SOURCES/edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-o.patch

63d87e
From 58902877128851f628fe644a5c71600866317fac Mon Sep 17 00:00:00 2001
63d87e
From: Laszlo Ersek <lersek@redhat.com>
63d87e
Date: Fri, 31 Jan 2020 12:42:42 +0100
63d87e
Subject: [PATCH 06/12] SecurityPkg/DxeImageVerificationHandler: fix retval on
63d87e
 memalloc failure
63d87e
MIME-Version: 1.0
63d87e
Content-Type: text/plain; charset=UTF-8
63d87e
Content-Transfer-Encoding: 8bit
63d87e
63d87e
RH-Author: Laszlo Ersek <lersek@redhat.com>
63d87e
Message-id: <20200131124248.22369-7-lersek@redhat.com>
63d87e
Patchwork-id: 93616
63d87e
O-Subject: [RHEL-8.2.0 edk2 PATCH 06/12] SecurityPkg/DxeImageVerificationHandler: fix retval on memalloc failure
63d87e
Bugzilla: 1751993
63d87e
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
63d87e
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
63d87e
63d87e
A SECURITY2_FILE_AUTHENTICATION_HANDLER function is not expected to return
63d87e
EFI_OUT_OF_RESOURCES. We should only return EFI_SUCCESS,
63d87e
EFI_SECURITY_VIOLATION, or EFI_ACCESS_DENIED.
63d87e
63d87e
In case we run out of memory while preparing "SignatureList" for
63d87e
AddImageExeInfo(), we should simply stick with the EFI_ACCESS_DENIED value
63d87e
that is already in "Status" -- from just before the "Action" condition --,
63d87e
and not suppress it with EFI_OUT_OF_RESOURCES.
63d87e
63d87e
This patch does not change the control flow in the function, it only
63d87e
changes the "Status" outcome from API-incompatible error codes to
63d87e
EFI_ACCESS_DENIED, under some circumstances.
63d87e
63d87e
Cc: Chao Zhang <chao.b.zhang@intel.com>
63d87e
Cc: Jian J Wang <jian.j.wang@intel.com>
63d87e
Cc: Jiewen Yao <jiewen.yao@intel.com>
63d87e
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
63d87e
Fixes: 570b3d1a7278df29878da87990e8366bd42d0ec5
63d87e
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
63d87e
Message-Id: <20200116190705.18816-6-lersek@redhat.com>
63d87e
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
63d87e
[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
63d87e
 Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid
63d87e
 <d3fbb76dabed4e1987c512c328c82810@intel.com>]
63d87e
(cherry picked from commit f891b052c5ec13c1032fb9d340d5262ac1a7e7e1)
63d87e
63d87e
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
63d87e
---
63d87e
 SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 --
63d87e
 1 file changed, 2 deletions(-)
63d87e
63d87e
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
63d87e
index 5cc82c1..5f09a66 100644
63d87e
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
63d87e
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
63d87e
@@ -1541,7 +1541,6 @@ Done:
63d87e
                                  and non-NULL FileBuffer did authenticate, and the platform
63d87e
                                  policy dictates that the DXE Foundation may execute the image in
63d87e
                                  FileBuffer.
63d87e
-  @retval EFI_OUT_RESOURCE       Fail to allocate memory.
63d87e
   @retval EFI_SECURITY_VIOLATION The file specified by File did not authenticate, and
63d87e
                                  the platform policy dictates that File should be placed
63d87e
                                  in the untrusted state. The image has been added to the file
63d87e
@@ -1862,7 +1861,6 @@ DxeImageVerificationHandler (
63d87e
     SignatureListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize;
63d87e
     SignatureList     = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SignatureListSize);
63d87e
     if (SignatureList == NULL) {
63d87e
-      Status = EFI_OUT_OF_RESOURCES;
63d87e
       goto Done;
63d87e
     }
63d87e
     SignatureList->SignatureHeaderSize  = 0;
63d87e
-- 
63d87e
1.8.3.1
63d87e