[PATCH] efi_loader: variable: keep temporary buffer during the authentication

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[PATCH] efi_loader: variable: keep temporary buffer during the authentication

AKASHI Takahiro
This is a bug fix; Setting an authenticated variable may fail due to
a memory corruption in the authentication.

A temporary buffer will, if needed, be allocated to parse a variable's
authentication data, and some portion of buffer, specifically signer's
certificates, will be referenced by efi_signature_verify().

So the buffer should be kept valid until the authentication process
is finished.

Signed-off-by: AKASHI Takahiro <[hidden email]>
Tested-by: Heinrich Schuchardt <[hidden email]>
---
 lib/efi_loader/efi_variable.c | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
index e509d6dbf0cf..0c06931135e3 100644
--- a/lib/efi_loader/efi_variable.c
+++ b/lib/efi_loader/efi_variable.c
@@ -37,16 +37,21 @@ static u8 pkcs7_hdr[] = {
  * efi_variable_parse_signature - parse a signature in variable
  * @buf: Pointer to variable's value
  * @buflen: Length of @buf
+ * @tmpbuf: Pointer to temporary buffer
  *
  * Parse a signature embedded in variable's value and instantiate
  * a pkcs7_message structure. Since pkcs7_parse_message() accepts only
  * pkcs7's signedData, some header needed be prepended for correctly
  * parsing authentication data, particularly for variable's.
+ * A temporary buffer will be allocated if needed, and it should be
+ * kept valid during the authentication because some data in the buffer
+ * will be referenced by efi_signature_verify().
  *
  * Return: Pointer to pkcs7_message structure on success, NULL on error
  */
 static struct pkcs7_message *efi_variable_parse_signature(const void *buf,
-  size_t buflen)
+  size_t buflen,
+  u8 **tmpbuf)
 {
  u8 *ebuf;
  size_t ebuflen, len;
@@ -59,7 +64,9 @@ static struct pkcs7_message *efi_variable_parse_signature(const void *buf,
  if (buflen > sizeof(pkcs7_hdr) &&
     !memcmp(&((u8 *)buf)[4], &pkcs7_hdr[4], 11)) {
  msg = pkcs7_parse_message(buf, buflen);
- goto out;
+ if (IS_ERR(msg))
+ return NULL;
+ return msg;
  }
 
  /*
@@ -94,12 +101,12 @@ static struct pkcs7_message *efi_variable_parse_signature(const void *buf,
 
  msg = pkcs7_parse_message(ebuf, ebuflen);
 
- free(ebuf);
-
-out:
- if (IS_ERR(msg))
+ if (IS_ERR(msg)) {
+ free(ebuf);
  return NULL;
+ }
 
+ *tmpbuf = ebuf;
  return msg;
 }
 
@@ -136,6 +143,7 @@ static efi_status_t efi_variable_authenticate(u16 *variable,
  struct efi_time timestamp;
  struct rtc_time tm;
  u64 new_time;
+ u8 *ebuf;
  enum efi_auth_var_type var_type;
  efi_status_t ret;
 
@@ -143,6 +151,7 @@ static efi_status_t efi_variable_authenticate(u16 *variable,
  truststore = NULL;
  truststore2 = NULL;
  regs = NULL;
+ ebuf = NULL;
  ret = EFI_SECURITY_VIOLATION;
 
  if (*data_size < sizeof(struct efi_variable_authentication_2))
@@ -204,9 +213,12 @@ static efi_status_t efi_variable_authenticate(u16 *variable,
  /* variable's signature list */
  if (auth->auth_info.hdr.dwLength < sizeof(auth->auth_info))
  goto err;
+
+ /* ebuf should be kept valid during the authentication */
  var_sig = efi_variable_parse_signature(auth->auth_info.cert_data,
        auth->auth_info.hdr.dwLength
-   - sizeof(auth->auth_info));
+   - sizeof(auth->auth_info),
+       &ebuf);
  if (!var_sig) {
  EFI_PRINT("Parsing variable's signature failed\n");
  goto err;
@@ -262,6 +274,7 @@ err:
  efi_sigstore_free(truststore);
  efi_sigstore_free(truststore2);
  pkcs7_free_message(var_sig);
+ free(ebuf);
  free(regs);
 
  return ret;
--
2.27.0