From patchwork Wed Aug 12 00:37:50 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 247625 Delivered-To: patch@linaro.org
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH] efi_loader: variable: keep temporary buffer during the authentication
Date: Wed, 12 Aug 2020 09:37:50 +0900
Message-Id: <20200812003750.448750-1-takahiro.akashi@linaro.org>

This is a bug fix; Setting an authenticated variable may fail due to
a memory corruption in the authentication.
A temporary buffer will, if needed, be allocated to parse a variable's
authentication data, and some portion of buffer, specifically signer's
certificates, will be referenced by efi_signature_verify().
So the buffer should be kept valid until the authentication process
is finished.

Signed-off-by: AKASHI Takahiro
Tested-by: Heinrich Schuchardt
---
 lib/efi_loader/efi_variable.c | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

--
2.27.0

diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c index e509d6dbf0cf..0c06931135e3 100644 --- a/lib/efi_loader/efi_variable.c +++ b/lib/efi_loader/efi_variable.c 
@@ -37,16 +37,21 @@ static u8 pkcs7_hdr[] = { * efi_variable_parse_signature - parse a signature in variable * @buf: Pointer to variable's value * @buflen: Length of @buf + * @tmpbuf: Pointer to temporary buffer * * Parse a signature embedded in variable's value and instantiate * a pkcs7_message structure. Since pkcs7_parse_message() accepts only * pkcs7's signedData, some header needed be prepended for correctly * parsing authentication data, particularly for variable's. + * A temporary buffer will be allocated if needed, and it should be + * kept valid during the authentication because some data in the buffer + * will be referenced by efi_signature_verify(). * * Return: Pointer to pkcs7_message structure on success, NULL on error */ static struct pkcs7_message *efi_variable_parse_signature(const void *buf, - size_t buflen) + size_t buflen, + u8 **tmpbuf) { u8 *ebuf; size_t ebuflen, len; @@ -59,7 +64,9 @@ static struct pkcs7_message *efi_variable_parse_signature(const void *buf, if (buflen > sizeof(pkcs7_hdr) && !memcmp(&((u8 *)buf)[4], &pkcs7_hdr[4], 11)) { msg = pkcs7_parse_message(buf, buflen); - goto out; + if (IS_ERR(msg)) + return NULL; + return msg; } /* @@ -94,12 +101,12 @@ static struct pkcs7_message *efi_variable_parse_signature(const void *buf, msg = pkcs7_parse_message(ebuf, ebuflen); - free(ebuf); - -out: - if (IS_ERR(msg)) + if (IS_ERR(msg)) { + free(ebuf); return NULL; + } + *tmpbuf = ebuf; return msg; } @@ -136,6 +143,7 @@ static efi_status_t efi_variable_authenticate(u16 *variable, struct efi_time timestamp; struct rtc_time tm; u64 new_time; + u8 *ebuf; enum efi_auth_var_type var_type; efi_status_t ret; @@ -143,6 +151,7 @@ static efi_status_t efi_variable_authenticate(u16 *variable, truststore = NULL; truststore2 = NULL; regs = NULL; + ebuf = NULL; ret = EFI_SECURITY_VIOLATION; if (*data_size < sizeof(struct efi_variable_authentication_2)) 
@@ -204,9 +213,12 @@ static efi_status_t efi_variable_authenticate(u16 *variable, /* variable's signature list */ if (auth->auth_info.hdr.dwLength < sizeof(auth->auth_info)) goto err; + + /* ebuf should be kept valid during the authentication */ var_sig = efi_variable_parse_signature(auth->auth_info.cert_data, auth->auth_info.hdr.dwLength - - sizeof(auth->auth_info)); + - sizeof(auth->auth_info), + &ebuf); if (!var_sig) { EFI_PRINT("Parsing variable's signature failed\n"); goto err; @@ -262,6 +274,7 @@ err: efi_sigstore_free(truststore); efi_sigstore_free(truststore2); pkcs7_free_message(var_sig); + free(ebuf); free(regs); return ret;
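
Review bot: The new @tmpbuf line in the function comment of efi_variable_parse_signature() (hunk -37,16 +37,21) does not say that it is an output parameter or who releases it. The added paragraph explains why the buffer must stay valid, but a reader still has to find the free(ebuf) in efi_variable_authenticate() to learn that ownership passes to the caller on success. Suggest wording along the lines of "@tmpbuf: on success, set to the temporary buffer (if one was allocated); the caller must free() it once authentication has finished".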
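
Review bot: In hunk -59,7 +64,9, the early return for data that already carries the pkcs7 header never writes *tmpbuf, so the caller's later free(ebuf) is only safe because of the separate "ebuf = NULL;" initialisation added in efi_variable_authenticate(). Setting *tmpbuf = NULL at the top of efi_variable_parse_signature() would make the function's contract self-contained and stop a future caller from freeing an uninitialised pointer; the same applies to the error return in hunk -94,12 +101,12, where ebuf is freed but *tmpbuf is left untouched.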
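
Review bot: In the cleanup block at err: (hunk -262,6 +274,7), nothing records that free(ebuf) is deliberately placed after pkcs7_free_message(var_sig). Per the commit message, parts of the buffer (the signer's certificates) are referenced while var_sig is in use, so the buffer should outlive the message; a one-line comment next to free(ebuf), like the one added before the efi_variable_parse_signature() call, would keep a later cleanup from reordering the two calls.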