From 3b8ff18ad4ac1af740a979ad27fb83dbbdca70ef Mon Sep 17 00:00:00 2001
From: Laszlo Ersek
Date: Wed, 24 Oct 2018 21:03:42 +0200
Subject: [PATCH 1/4] MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE
Message-id: <20181024190345.15288-2-lersek@redhat.com>
Patchwork-id: 82887
O-Subject: [RHEL8 edk2 PATCH 1/4] MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE
Bugzilla: 1641436
Acked-by: Vitaly Kuznetsov
Acked-by: Thomas Huth

From: Star Zeng

--v-- RHEL8 note start --v--

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1641436

This patch fixes CVE-2018-3613. Unfortunately, the upstream subject line does not include the CVE number. I've decided to stick with the upstream subject verbatim in the backport, so we can more easily drop this patch at the next rebase. On the upstream list, I did complain loudly, so there's hope the next CVE fix will advertise the CVE number in the subject.

In practice, the vulnerability is difficult to exploit. Please refer to the following messages in the upstream discussion:

https://lists.01.org/pipermail/edk2-devel/2018-October/031103.html
https://lists.01.org/pipermail/edk2-devel/2018-October/031140.html

--^-- RHEL8 note end --^--

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=415

When SetVariable() to a time based auth variable with APPEND_WRITE attribute, and if the EFI_VARIABLE_AUTHENTICATION_2.TimeStamp in the input Data is earlier than current value, it will cause timestamp zeroing.

This issue may bring time based auth variable downgrade problem. For example: A vendor released three certs at 2014, 2015, and 2016, and system integrated the 2016 cert. User can SetVariable() with 2015 cert and APPEND_WRITE attribute to cause timestamp zeroing first, then SetVariable() with 2014 cert to downgrade the cert.

This patch fixes this issue.

Cc: Jiewen Yao
Cc: Chao Zhang
Cc: Jian J Wang
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng Reviewed-by: Jiewen Yao (cherry picked from commit b7dc8888f31402f410c53242839271ba3b94b619) Signed-off-by: Laszlo Ersek --- MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c index 6caf603..60439b5 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c @@ -2460,6 +2460,8 @@ UpdateVariable ( if (Variable->CurrPtr != NULL) { if (VariableCompareTimeStampInternal (&(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), TimeStamp)) { CopyMem (&AuthVariable->TimeStamp, TimeStamp, sizeof (EFI_TIME)); + } else { + CopyMem (&AuthVariable->TimeStamp, &(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), sizeof (EFI_TIME)); } } } -- 1.8.3.1
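Review bot: the new `else` branch in `UpdateVariable` needs an inline comment explaining why the stored timestamp is copied back: a reader sees only that the incoming `TimeStamp` lost the `VariableCompareTimeStampInternal` comparison, not that an APPEND_WRITE carrying an older `EFI_VARIABLE_AUTHENTICATION_2.TimeStamp` must keep the existing value in `AuthVariable->TimeStamp` so that a later write cannot roll the variable back, which is the downgrade the commit message describes. Two smaller points on the same hunk: the expression `&(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp)` now appears twice on adjacent lines and would read better hoisted into a local (for example `CurrTimeStamp`) before the `if`; and the NULL guard is on `Variable->CurrPtr` while both the condition and the added branch dereference `CacheVariable->CurrPtr`, so the invariant tying the two pointers together should be stated, or asserted, next to the guard now that the new branch extends that reliance.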