File ovmf-bsc1174246-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch of Package ovmf.37685

From 494127613b36e870250649b02cd4ce5f1969d9bd Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 3 Mar 2023 18:35:53 +0800
Subject: [PATCH] SecurityPkg/DxeImageVerificationLib: Check result of
 GetEfiGlobalVariable2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Call gRT->GetVariable() directly to read the SecureBoot variable.  It is
one byte in size so we can easily place it on the stack instead of
having GetEfiGlobalVariable2() allocate it for us, which avoids a few
possible error cases.

Skip secure boot checks if (and only if):

 (a) the SecureBoot variable is not present (EFI_NOT_FOUND) according to
     the return value, or
 (b) the SecureBoot variable was read successfully and is set to
     SECURE_BOOT_MODE_DISABLE.

Previously the code skipped the secure boot checks on *any*
gRT->GetVariable() error (GetEfiGlobalVariable2 sets the variable
value to NULL in that case) and also on memory allocation failures.

Fixes: CVE-2019-14560
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=2167
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Suggested-by: Marvin Häuser <mhaeuser@posteo.de>
Reviewed-by: Min Xu <min.m.xu@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
---
 .../DxeImageVerificationLib.c                 | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

Index: edk2-edk2-stable202008/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
===================================================================
--- edk2-edk2-stable202008.orig/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ edk2-edk2-stable202008/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1644,7 +1644,8 @@ DxeImageVerificationHandler (
   EFI_IMAGE_EXECUTION_ACTION           Action;
   WIN_CERTIFICATE                      *WinCertificate;
   UINT32                               Policy;
-  UINT8                                *SecureBoot;
+  UINT8				       SecureBoot;
+  UINTN				       SecureBootSize;
   PE_COFF_LOADER_IMAGE_CONTEXT         ImageContext;
   UINT32                               NumberOfRvaAndSizes;
   WIN_CERTIFICATE_EFI_PKCS             *PkcsCertData;
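Review bot: The two added declarations, `SecureBoot` and `SecureBootSize`, are aligned with tab characters, while every neighbouring declaration in this hunk uses spaces only. Re-indent them with spaces so the names sit in the same column as `Policy` and `ImageContext`, e.g. `UINT8                                SecureBoot;` and `UINTN                                SecureBootSize;`. The declaration list of DxeImageVerificationHandler starts and ends outside this hunk.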
@@ -1659,6 +1660,8 @@ DxeImageVerificationHandler (
   RETURN_STATUS                        PeCoffStatus;
   EFI_STATUS                           HashStatus;
   EFI_STATUS                           DbStatus;
+  EFI_STATUS                           VarStatus;
+  UINT32                               VarAttr;
   BOOLEAN                              IsFound;
 
   SignatureList     = NULL;
@@ -1714,22 +1717,25 @@ DxeImageVerificationHandler (
     CpuDeadLoop ();
   }
 
-  GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);
+  SecureBootSize = sizeof (SecureBoot);
+  VarStatus      = gRT->GetVariable (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, &VarAttr, &SecureBootSize, &SecureBoot);
   //
   // Skip verification if SecureBoot variable doesn't exist.
   //
-  if (SecureBoot == NULL) {
+  if (VarStatus == EFI_NOT_FOUND) {
     return EFI_SUCCESS;
   }
 
   //
   // Skip verification if SecureBoot is disabled but not AuditMode
   //
-  if (*SecureBoot == SECURE_BOOT_MODE_DISABLE) {
-    FreePool (SecureBoot);
+  if ((VarStatus == EFI_SUCCESS) &&
+      (VarAttr == (EFI_VARIABLE_BOOTSERVICE_ACCESS |
+                   EFI_VARIABLE_RUNTIME_ACCESS)) &&
+      (SecureBoot == SECURE_BOOT_MODE_DISABLE))
+  {
     return EFI_SUCCESS;
   }
-  FreePool (SecureBoot);
 
   //
   // Read the Dos header.
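Review bot: The comment above the second `if` still reads "Skip verification if SecureBoot is disabled but not AuditMode", so the new attribute comparison and the fail-closed handling of other statuses are undocumented at the place a later editor will look. As written, any `VarStatus` other than `EFI_NOT_FOUND` falls through to image verification, and so does a successful read whose attributes are not exactly `EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS`. That matches the commit message's "if (and only if)" intent, but nothing in the code says it is deliberate. I would extend the comment to something like `// Only a successfully read SecureBoot variable with exactly BS|RT attributes may disable the checks;` followed by `// any other status or attribute set falls through to verification.` The reason for requiring exactly those attributes is not stated in the visible text (presumably the firmware-published variable is volatile) and deserves a short mention. DxeImageVerificationHandler begins and ends outside this hunk.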