From ec51ada56b5bedae0400a4de0c53613e9ceb50cb Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Sep 29 2020 07:09:29 +0000
Subject: import shim-15-9.el7


---

diff --git a/SOURCES/0064-Fix-some-mokmanager-stuff.patch b/SOURCES/0064-Fix-some-mokmanager-stuff.patch
new file mode 100644
index 0000000..901f439
--- /dev/null
+++ b/SOURCES/0064-Fix-some-mokmanager-stuff.patch
@@ -0,0 +1,118 @@
+From 18843127dc0eace16d43d479bd091e221e8785c4 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 17 Aug 2020 15:47:19 -0400
+Subject: [PATCH] Fix some mokmanager stuff
+
+---
+ MokManager.c | 24 +++++++++++++++++++++++-
+ Makefile     |  2 +-
+ 2 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/MokManager.c b/MokManager.c
+index c9949e33bcf..9bae3414fe7 100644
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -9,6 +9,8 @@
+ 
+ #include "shim.h"
+ 
++#include "hexdump.h"
++
+ #define PASSWORD_MAX 256
+ #define PASSWORD_MIN 1
+ #define SB_PASSWORD_LEN 16
+@@ -1050,9 +1052,11 @@ static EFI_STATUS mok_reset_prompt(BOOLEAN MokX)
+ 	if (MokX) {
+ 		LibDeleteVariable(L"MokXNew", &SHIM_LOCK_GUID);
+ 		LibDeleteVariable(L"MokXAuth", &SHIM_LOCK_GUID);
++		LibDeleteVariable(L"MokListX", &SHIM_LOCK_GUID);
+ 	} else {
+ 		LibDeleteVariable(L"MokNew", &SHIM_LOCK_GUID);
+ 		LibDeleteVariable(L"MokAuth", &SHIM_LOCK_GUID);
++		LibDeleteVariable(L"MokList", &SHIM_LOCK_GUID);
+ 	}
+ 
+ 	return EFI_SUCCESS;
+@@ -1075,6 +1079,7 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num,
+ 	else
+ 		db_name = L"MokList";
+ 
++	dprint(L"Writing back %s (%d entries)\n", db_name, key_num);
+ 	for (i = 0; i < key_num; i++) {
+ 		if (list[i].Mok == NULL)
+ 			continue;
+@@ -1085,8 +1090,15 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num,
+ 			DataSize += sizeof(EFI_GUID);
+ 		DataSize += list[i].MokSize;
+ 	}
+-	if (DataSize == 0)
++	if (DataSize == 0) {
++		dprint(L"DataSize = 0; deleting variable %s\n", db_name);
++		efi_status = gRT->SetVariable(db_name, &SHIM_LOCK_GUID,
++					      EFI_VARIABLE_NON_VOLATILE |
++					      EFI_VARIABLE_BOOTSERVICE_ACCESS,
++					      DataSize, Data);
++		dprint(L"efi_status:%llu\n", efi_status);
+ 		return EFI_SUCCESS;
++	}
+ 
+ 	Data = AllocatePool(DataSize);
+ 	if (Data == NULL)
+@@ -1291,11 +1303,15 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
+ 	}
+ 
+ 	if (auth_size == PASSWORD_CRYPT_SIZE) {
++		dprint(L"matching password with CRYPT");
+ 		efi_status = match_password((PASSWORD_CRYPT *) auth, NULL, 0,
+ 					    NULL, NULL);
++		dprint(L"match_password(0x%llx, NULL, 0, NULL, NULL) = %lu\n", auth, efi_status);
+ 	} else {
++		dprint(L"matching password as sha256sum");
+ 		efi_status =
+ 		    match_password(NULL, MokDel, MokDelSize, auth, NULL);
++		dprint(L"match_password(NULL, 0x%llx, %llu, 0x%llx, NULL) = %lu\n", MokDel, MokDelSize, auth, efi_status);
+ 	}
+ 	if (EFI_ERROR(efi_status))
+ 		return EFI_ACCESS_DENIED;
+@@ -1365,12 +1381,17 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
+ 	}
+ 
+ 	/* Search and destroy */
++	dprint(L"deleting certs from %a\n", MokX ? "MokListX" : "MokList");
+ 	for (i = 0; i < del_num; i++) {
+ 		type = del_key[i].Type; /* avoid -Werror=address-of-packed-member */
+ 		if (CompareGuid(&type, &X509_GUID) == 0) {
++			dprint(L"deleting key %d (total %d):\n", i, mok_num);
++			dhexdumpat(del_key[i].Mok, del_key[i].MokSize, 0);
+ 			delete_cert(del_key[i].Mok, del_key[i].MokSize,
+ 				    mok, mok_num);
+ 		} else if (is_sha2_hash(del_key[i].Type)) {
++			dprint(L"deleting hash %d (total %d):\n", i, mok_num);
++			dhexdumpat(del_key[i].Mok, del_key[i].MokSize, 0);
+ 			delete_hash_list(del_key[i].Type, del_key[i].Mok,
+ 					 del_key[i].MokSize, mok, mok_num);
+ 		}
+@@ -2564,6 +2585,7 @@ EFI_STATUS efi_main(EFI_HANDLE image_handle, EFI_SYSTEM_TABLE * systab)
+ 
+ 	InitializeLib(image_handle, systab);
+ 
++	setup_verbosity();
+ 	setup_rand();
+ 
+ 	console_mode_handle();
+diff --git a/Makefile b/Makefile
+index 49e14a26521..a17fa2bef14 100644
+--- a/Makefile
++++ b/Makefile
+@@ -36,7 +36,7 @@ endif
+ OBJS	= shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o
+ KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
+ ORIG_SOURCES	= shim.c mok.c netboot.c replacements.c tpm.c errlog.c shim.h version.h $(wildcard include/*.h)
+-MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
++MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o
+ ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
+ FALLBACK_OBJS = fallback.o tpm.o errlog.o
+ ORIG_FALLBACK_SRCS = fallback.c
+-- 
+2.26.2
+
diff --git a/SOURCES/0065-Fix-buffer-overrun-due-DEFAULT_LOADER-length-miscalc.patch b/SOURCES/0065-Fix-buffer-overrun-due-DEFAULT_LOADER-length-miscalc.patch
new file mode 100644
index 0000000..9b67776
--- /dev/null
+++ b/SOURCES/0065-Fix-buffer-overrun-due-DEFAULT_LOADER-length-miscalc.patch
@@ -0,0 +1,37 @@
+From ac610fe45491deccaab2c4ee689cbbdac117930a Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 8 Sep 2020 12:26:45 +0200
+Subject: [PATCH] Fix buffer overrun due DEFAULT_LOADER length miscalculation
+
+The DEFAULT_LOADER is a UCS-2 string and the StrLen() function returns the
+number of UCS-2 encoded characters in the string. But the allocated memory
+is in bytes, so only half of the needed memory to store it is allocated.
+
+This leads to a buffer overrun when the StrCpy() function attempts to copy
+the DEFAULT_LOADER to the allocated buffer.
+
+Fixes: 354bd9b1931 ("Actually check for errors from set_second_stage()")
+Reported-by: Stuart Hayes <stuart_hayes@dell.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ shim.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/shim.c b/shim.c
+index 34dce25c330..82913c934f6 100644
+--- a/shim.c
++++ b/shim.c
+@@ -2096,8 +2096,9 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle)
+ 	unsigned int i;
+ 	UINTN second_stage_len;
+ 
+-	second_stage_len = StrLen(DEFAULT_LOADER) + 1;
++	second_stage_len = (StrLen(DEFAULT_LOADER) + 1) * sizeof(CHAR16);
+ 	second_stage = AllocatePool(second_stage_len);
++
+ 	if (!second_stage) {
+ 		perror(L"Could not allocate %lu bytes\n", second_stage_len);
+ 		return EFI_OUT_OF_RESOURCES;
+-- 
+2.28.0
+
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
index 1983246..0d9b6cf 100644
--- a/SPECS/shim.spec
+++ b/SPECS/shim.spec
@@ -1,6 +1,6 @@
 Name:           shim
 Version:        15
-Release:        8.el7
+Release:        9.el7
 Summary:        First-stage UEFI bootloader
 
 License:        BSD
@@ -76,6 +76,8 @@ Patch0060: 0060-Improve-debug-output-some.patch
 Patch0061: 0061-Also-use-a-config-table-to-mirror-mok-variables.patch
 Patch0062: 0062-Implement-lennysz-s-suggestions-for-MokListRT.patch
 Patch0063: 0063-hexdump.h-fix-arithmetic-error.patch
+Patch0064: 0064-Fix-some-mokmanager-stuff.patch
+Patch0065: 0065-Fix-buffer-overrun-due-DEFAULT_LOADER-length-miscalc.patch
 
 BuildRequires: git openssl-devel openssl
 BuildRequires: pesign >= 0.106-1
@@ -282,6 +284,10 @@ cd ../%{name}-%{version}-%{efiarch}
 %endif
 
 %changelog
+* Wed Sep 09 2020 Peter Jones <pjones@redhat.com> - 15-9.el7
+- Fix an incorrect allocation size.
+  Related: rhbz#1875486
+
 * Thu Jul 30 2020 Peter Jones <pjones@redhat.com> - 15-8.el7
 - Fix a load-address-dependent forever loop.
   Resolves: rhbz#1862045