From 0afba771bf42a9793e86bc565f23a8ca99d53dbb Mon Sep 17 00:00:00 2001
From: Philippe Mathieu-Daude <philmd@redhat.com>
Date: Wed, 13 Feb 2019 09:50:44 +0100
Subject: [PATCH 01/13] MdeModulePkg Variable: Fix Timestamp zeroing issue on
 APPEND_WRITE

Message-id: <20190213085050.20766-2-philmd@redhat.com>
Patchwork-id: 84478
O-Subject:  [RHEL-7.7 ovmf PATCH v3 1/7] MdeModulePkg Variable: Fix Timestamp
	zeroing issue on APPEND_WRITE
Bugzilla: 1666586
Acked-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>

From: Laszlo Ersek <lersek@redhat.com>

From: Star Zeng <star.zeng@intel.com>

--v-- RHEL7 note start --v--

This patch fixes CVE-2018-3613. Unfortunately, the upstream subject line
does not include the CVE number. I've decided to stick with the upstream
subject verbatim in the backport, so we can more easily drop this patch at
the next rebase. On the upstream list, I did complain loudly, so there's
hope the next CVE fix will advertise the CVE number in the subject.

In practice, the vulnerability is difficult to exploit. Please refer to
the following messages in the upstream discussion:

  https://lists.01.org/pipermail/edk2-devel/2018-October/031103.html
  https://lists.01.org/pipermail/edk2-devel/2018-October/031140.html

--^-- RHEL7 note end --^--

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=415

When SetVariable() is called on a time based auth variable with the APPEND_WRITE
attribute, and the EFI_VARIABLE_AUTHENTICATION_2.TimeStamp in
the input Data is earlier than the current value, it will cause timestamp
zeroing.

This issue may bring a time based auth variable downgrade problem.
For example:
A vendor released three certs in 2014, 2015, and 2016, and the system
integrated the 2016 cert. A user can SetVariable() with the 2015 cert and
the APPEND_WRITE attribute to cause timestamp zeroing first, then
SetVariable() with the 2014 cert to downgrade the cert.

This patch fixes this issue.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
(cherry picked from commit b7dc8888f31402f410c53242839271ba3b94b619)
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 3b8ff18ad4ac1af740a979ad27fb83dbbdca70ef)
Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
---
 MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
index 6caf603..60439b5 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
@@ -2460,6 +2460,8 @@ UpdateVariable (
         if (Variable->CurrPtr != NULL) {
           if (VariableCompareTimeStampInternal (&(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), TimeStamp)) {
             CopyMem (&AuthVariable->TimeStamp, TimeStamp, sizeof (EFI_TIME));
+          } else {
+            CopyMem (&AuthVariable->TimeStamp, &(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), sizeof (EFI_TIME));
           }
         }
       }
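Review bot: The added else branch dereferences `CacheVariable->CurrPtr`, but the enclosing guard only tests `Variable->CurrPtr != NULL`; the existing compare already relies on the same assumption, so either state in a comment that the two pointers are non-NULL together or test the pointer that is actually read. The new branch also has no comment saying why the stored timestamp is carried over when the incoming `TimeStamp` is not later, which is the whole point of the fix described in the commit message; a one-line comment above the `CopyMem` would keep that from being "simplified" away later. The cast `((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp` now appears twice in adjacent lines, and a local pointer to the cached header would make both branches easier to read.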
-- 
1.8.3.1