From 58902877128851f628fe644a5c71600866317fac Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Fri, 31 Jan 2020 12:42:42 +0100 Subject: [PATCH 06/12] SecurityPkg/DxeImageVerificationHandler: fix retval on memalloc failure MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Laszlo Ersek Message-id: <20200131124248.22369-7-lersek@redhat.com> Patchwork-id: 93616 O-Subject: [RHEL-8.2.0 edk2 PATCH 06/12] SecurityPkg/DxeImageVerificationHandler: fix retval on memalloc failure Bugzilla: 1751993 RH-Acked-by: Philippe Mathieu-Daudé RH-Acked-by: Vitaly Kuznetsov A SECURITY2_FILE_AUTHENTICATION_HANDLER function is not expected to return EFI_OUT_OF_RESOURCES. We should only return EFI_SUCCESS, EFI_SECURITY_VIOLATION, or EFI_ACCESS_DENIED. In case we run out of memory while preparing "SignatureList" for AddImageExeInfo(), we should simply stick with the EFI_ACCESS_DENIED value that is already in "Status" -- from just before the "Action" condition --, and not suppress it with EFI_OUT_OF_RESOURCES. This patch does not change the control flow in the function, it only changes the "Status" outcome from API-incompatible error codes to EFI_ACCESS_DENIED, under some circumstances. Cc: Chao Zhang Cc: Jian J Wang Cc: Jiewen Yao Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129 Fixes: 570b3d1a7278df29878da87990e8366bd42d0ec5 Signed-off-by: Laszlo Ersek Message-Id: <20200116190705.18816-6-lersek@redhat.com> Reviewed-by: Michael D Kinney [lersek@redhat.com: push with Mike's R-b due to Chinese New Year Holiday: ; msgid ] (cherry picked from commit f891b052c5ec13c1032fb9d340d5262ac1a7e7e1) Signed-off-by: Miroslav Rezanina --- SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index 5cc82c1..5f09a66 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1541,7 +1541,6 @@ Done: and non-NULL FileBuffer did authenticate, and the platform policy dictates that the DXE Foundation may execute the image in FileBuffer. - @retval EFI_OUT_RESOURCE Fail to allocate memory. @retval EFI_SECURITY_VIOLATION The file specified by File did not authenticate, and the platform policy dictates that File should be placed in the untrusted state. The image has been added to the file @@ -1862,7 +1861,6 @@ DxeImageVerificationHandler ( SignatureListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize; SignatureList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SignatureListSize); if (SignatureList == NULL) { - Status = EFI_OUT_OF_RESOURCES; goto Done; } SignatureList->SignatureHeaderSize = 0; -- 1.8.3.1