From 73de814a5f30c2c6d82736082c1114a028d12115 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Fri, 31 Jan 2020 12:42:41 +0100
Subject: [PATCH 05/12] SecurityPkg/DxeImageVerificationHandler: narrow down
PE/COFF hash status
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <20200131124248.22369-6-lersek@redhat.com>
Patchwork-id: 93615
O-Subject: [RHEL-8.2.0 edk2 PATCH 05/12] SecurityPkg/DxeImageVerificationHandler: narrow down PE/COFF hash status
Bugzilla: 1751993
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Inside the "for" loop that scans the signatures of the image, we call
HashPeImageByType(), and assign its return value to "Status".
Beyond the immediate retval check, this assignment is useless (never
consumed). That's because a subsequent access to "Status" may only be one
of the following:
- the "Status" assignment when we call HashPeImageByType() in the next
iteration of the loop,
- the "Status = EFI_ACCESS_DENIED" assignment right after the final
"IsVerified" check.
To make it clear that the assignment is only useful for the immediate
HashPeImageByType() retval check, introduce a specific helper variable,
called "HashStatus".
This patch is a no-op, functionally.
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20200116190705.18816-5-lersek@redhat.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid
<d3fbb76dabed4e1987c512c328c82810@intel.com>]
(cherry picked from commit 47650a5cab608e07c31d66bdb9b4cc6e58bdf22f)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
.../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
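diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index e6c8a54..5cc82c1 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1581,6 +1581,7 @@ DxeImageVerificationHandler (
 UINT32 OffSet;
 CHAR16 *NameStr;
 RETURN_STATUS PeCoffStatus;
+ EFI_STATUS HashStatus;
 
 SignatureList = NULL;
 SignatureListSize = 0;
@@ -1802,8 +1803,8 @@ DxeImageVerificationHandler (
 continue;
 }
 
- Status = HashPeImageByType (AuthData, AuthDataSize);
- if (EFI_ERROR (Status)) {
+ HashStatus = HashPeImageByType (AuthData, AuthDataSize);
+ if (EFI_ERROR (HashStatus)) {
 continue;
 }
 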
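Review bot: In the second hunk a failed `HashPeImageByType()` still skips the signature silently, and `HashStatus` is then discarded, so nothing records which signature was passed over or why. Because this loop decides whether an image is authorized, a one-line trace before the `continue` would help when a verification is later denied, for example `DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: HashPeImageByType() failed: %r\n", HashStatus));`, assuming the file already pulls in DebugLib (not visible here). A short comment at the declaration, `// Consumed only by the check right after HashPeImageByType(); never the function's return value`, would keep the intent stated in the commit message next to the code. The signature loop and the rest of DxeImageVerificationHandler lie outside both hunks.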
--
1.8.3.1