From 023e3200cc66a299e4b5ad9e52983909fbfab26a Mon Sep 17 00:00:00 2001 From: Yang_X_Y Date: Mon, 5 Aug 2024 11:56:52 +0800 Subject: [PATCH 1/2] fix cve-2024-40547-40548 --- fix-cve-2023-40547-40548.patch | 72 ++++++++++++++++++++++++++++++++++ shim.spec | 9 ++++- 2 files changed, 80 insertions(+), 1 deletion(-) create mode 100644 fix-cve-2023-40547-40548.patch diff --git a/fix-cve-2023-40547-40548.patch b/fix-cve-2023-40547-40548.patch new file mode 100644 index 0000000..5741d94 --- /dev/null +++ b/fix-cve-2023-40547-40548.patch 
@@ -0,0 +1,72 @@ +From 428c26a1fd3bf447db8db32abda1175465754e9c Mon Sep 17 00:00:00 2001 +From: Yang_X_Y +Date: Mon, 5 Aug 2024 11:26:14 +0800 +Subject: [PATCH] fix-cve-2023-40547/40548 + +--- + httpboot.c | 8 +++++++- + pe.c | 6 +++++- + shim.c | 6 ++++++ + 3 files changed, 18 insertions(+), 2 deletions(-) + +diff --git a/httpboot.c b/httpboot.c +index dfa493b..b34dd49 100644 +--- a/httpboot.c ++++ b/httpboot.c +@@ -578,7 +578,13 @@ receive_http_response(EFI_HTTP_PROTOCOL *http, VOID **buffer, UINT64 *buf_size) + } + + if (*buf_size == 0) { +- perror(L"Failed to get Content-Lenght\n"); ++ perror(L"Failed to get Content-Length\n"); ++ goto error; ++ } ++ ++ if (*buf_size < rx_message.BodyLength) { ++ efi_status = EFI_BAD_BUFFER_SIZE; ++ perror(L"Invalid Content-Length\n"); + goto error; + } + +diff --git a/pe.c b/pe.c +index 9a3679e..5f1ab32 100644 +--- a/pe.c ++++ b/pe.c +@@ -851,7 +851,11 @@ verify_sbat_section(char *SBATBase, size_t SBATSize) + return in_protocol ? EFI_SUCCESS : EFI_SECURITY_VIOLATION; + } + +- sbat_size = SBATSize + 1; ++ if (checked_add(SBATSize, 1, &sbat_size)) { ++ dprint(L"SBATSize + 1 would overflow\n"); ++ return EFI_SECURITY_VIOLATION; ++ } ++ + sbat_data = AllocatePool(sbat_size); + if (!sbat_data) { + console_print(L"Failed to allocate .sbat section buffer\n"); +diff --git a/shim.c b/shim.c +index 4437898..6cbcc54 100644 +--- a/shim.c ++++ b/shim.c +@@ -731,11 +731,17 @@ verify_buffer_sbat (char *data, int datasize, + * and ignore the section if it isn't. 
*/ + if (Section->SizeOfRawData && + Section->SizeOfRawData >= Section->Misc.VirtualSize) { ++ uint64_t boundary; + SBATBase = ImageAddress(data, datasize, + Section->PointerToRawData); + SBATSize = Section->SizeOfRawData; + dprint(L"sbat section base:0x%lx size:0x%lx\n", + SBATBase, SBATSize); ++ if (checked_add((uint64_t)SBATBase, SBATSize, &boundary) || ++ (boundary > (uint64_t)data + datasize)) { ++ perror(L"Section exceeds bounds of image\n"); ++ return EFI_UNSUPPORTED; ++ } + } + } + +-- +2.33.0 + diff --git a/shim.spec b/shim.spec index 50ac224..fd21221 100644 --- a/shim.spec +++ b/shim.spec @@ -1,4 +1,4 @@ -%define anolis_release 2 +%define anolis_release 3 %global grub_version 2.06 %global fwupd_version 1.5.8 @@ -35,6 +35,10 @@ Source100: shim-find-debuginfo.sh Patch0001: 0001-aarch64-Keep-_relocate-from-being-dirtied-by-_reloca.patch +#https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d +#https://github.com/rhboot/shim/commit/96dccc255b16e9465dbee50b3cef6b3db74d11c8 +Patch0002: fix-cve-2023-40547-40548.patch + BuildRequires: efi-filesystem BuildRequires: efi-srpm-macros >= 5 BuildRequires: gcc make dos2unix findutils git pesign @@ -161,6 +165,9 @@ install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/dnf/protected.d/ %files debugsource -f build-%{efiarch}/debugsource.list %changelog +* Mon Aug 05 2024 yangxinyu - 15.7-3 +- fix-cve-2024-40547 40548 + * Thu Apr 13 2023 Chunmei Xu - 15.7-2 - optimise spec file - replace shim-unsigned-x64/aa64 -- Gitee From ae8a7cc1a31d35bfb537ef2cd3c24e37aa0c46f0 Mon Sep 17 00:00:00 2001 From: Yang_X_Y Date: Mon, 5 Aug 2024 12:32:19 +0800 Subject: [PATCH 2/2] update --- fix-cve-2023-40547-40548.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fix-cve-2023-40547-40548.patch b/fix-cve-2023-40547-40548.patch index 5741d94..faed230 100644 --- a/fix-cve-2023-40547-40548.patch +++ b/fix-cve-2023-40547-40548.patch 
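Review bot: Both added overflow guards call `checked_add`, but the embedded patch touches only httpboot.c, pe.c and shim.c and does not define it. If the 15.7 tree this spec builds does not already provide that helper, the backport also needs the upstream change that introduces it. In the shim.c hunk the left side of the bounds test is overflow-checked while the right side, `(uint64_t)data + datasize`, is not, and `datasize` is a signed `int` per the hunk header, so a negative value would convert to a very large limit; consider putting `datasize < 0 ||` in front of the test, or computing the limit with `checked_add` too. The pe.c rejection is reported only through `dprint`, whereas the httpboot.c and shim.c rejections use `perror`, so an `.sbat` size that is refused there may leave no message unless debug output is enabled. All three functions start and end outside the hunks shown.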
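Review bot: The `%changelog` entry added in the last shim.spec hunk reads `- fix-cve-2024-40547 40548`, while the patch file name, the embedded patch subject and the `Patch0002:` line all use the year 2023. Anything that matches CVE identifiers against the RPM changelog would presumably not associate this build with the fix. I would write the entry as `- Fix CVE-2023-40547 and CVE-2023-40548`, spelling out both identifiers in full. The two upstream commit URLs above `Patch0002:` could also each carry the CVE they correspond to, for example `# CVE-<id>: <url>`, so a later rebase can tell which hunk came from which commit.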
@@ -37,7 +37,7 @@ index 9a3679e..5f1ab32 100644 } - sbat_size = SBATSize + 1; -+ if (checked_add(SBATSize, 1, &sbat_size)) { ++ if (checked_add((uint64_t)SBATSize, 1, &sbat_size)) { + dprint(L"SBATSize + 1 would overflow\n"); + return EFI_SECURITY_VIOLATION; + } -- Gitee
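Review bot: The `(uint64_t)` cast added to `checked_add((uint64_t)SBATSize, 1, &sbat_size)` is unexplained: the commit message is only "update" and the embedded patch header says nothing about it. It also makes the carried patch differ from the first revision in this series, which was presumably taken from the upstream commits cited in shim.spec. Since this line is the overflow guard itself, the reason for the deviation should be recorded, for instance as a line in the patch header such as `Backport note: cast SBATSize to uint64_t because <reason>`. The declaration of `sbat_size` is outside the hunk, so whether the cast and the result type agree on every architecture the spec builds for cannot be confirmed from here and is worth checking.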