packages/shim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

backport patch from upstream

Browse Source
This commit is contained in:
fly_fzc 2024-10-22 11:46:39 +08:00
parent 40644fc055
commit b412814c97
2 changed files with 59 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
backport-shim-don-t-set-second_stage-to-the-empty-string.patch Normal file
View File

@ -0,0 +1,54 @@
From 0287c6b14c77eeb3e3c61996330850d43d937a2b Mon Sep 17 00:00:00 2001
From: Jonathan Davies <jonathan.davies@nutanix.com>
Date: Thu, 22 Feb 2024 16:24:01 +0000
Subject: [PATCH] shim: don't set second_stage to the empty string
When LoadOptions is either L" " or L"shim.efi ", parse_load_options sets
second_stage to the empty string. This is unlikely to be what is intended, and
typically leads to a non-obvious failure mode.
The failure happens because parse_load_options's call to split_load_options
(after eating shim's own filename, if present) returns the empty string. Since
init_grub typically passes second_stage to start_image, this causes read_image
to concatenate the empty string onto the directory name. This means PathName
refers to the directory, not the path to a pe image. Then load_image
successfully opens a handle on the directory and reads "data" from it. It only
eventually fails when handle_image calls read_header which finds that this data
isn't in fact a pe header, reporting "Invalid image".
This scenario has been seen when shim is loaded via rEFInd 0.11.5, which sets
LoadOptions to the name of the shim program followed by a space character.
Instead, modify parse_load_options to leave second_stage set to its default
value rather than the empty string.
Reference:https://github.com/rhboot/shim/commit/0287c6b14c77eeb3e3c61996330850d43d937a2b
Conflict:NA
Signed-off-by: Jonathan Davies <jonathan.davies@nutanix.com>
---
load-options.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/load-options.c b/load-options.c
index a8c6e1a..8b92e37 100644
--- a/load-options.c
+++ b/load-options.c
@@ -447,10 +447,12 @@ parse_load_options(EFI_LOADED_IMAGE *li)
/*
* Set up the name of the alternative loader and the LoadOptions for
- * the loader
+ * the loader if it's not the empty string.
*/
if (loader_str) {
- second_stage = loader_str;
+ if (*loader_str) {
+ second_stage = loader_str;
+ }
load_options = remaining;
load_options_size = remaining_size;
}
--
2.33.0

6
shim.spec
View File

@ -25,7 +25,7 @@
Name: shim Name: shim
Version: 15.6 Version: 15.6
Release: 23 Release: 24
Summary: First-stage UEFI bootloader Summary: First-stage UEFI bootloader
ExclusiveArch: x86_64 aarch64 ExclusiveArch: x86_64 aarch64
License: BSD License: BSD
@ -87,6 +87,7 @@ Patch49: backport-CVE-2023-2650.patch
Patch50: backport-CVE-2023-0465.patch Patch50: backport-CVE-2023-0465.patch
Patch51: backport-CVE-2024-0727.patch Patch51: backport-CVE-2024-0727.patch
Patch52: backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch Patch52: backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch
Patch53: backport-shim-don-t-set-second_stage-to-the-empty-string.patch
# Feature for shim SMx support # Feature for shim SMx support
Patch9000:Feature-shim-openssl-add-ec-support.patch Patch9000:Feature-shim-openssl-add-ec-support.patch
@ -229,6 +230,9 @@ make test
/usr/src/debug/%{name}-%{version}-%{release}/* /usr/src/debug/%{name}-%{version}-%{release}/*
%changelog %changelog
* Tue Oct 22 2024 fuanan <fuanan3@h-partners.com> -15.6-24
- backport patch from upstream
* Tue May 7 2024 jinlun <jinlun@huawei.com> - 15.6-23 * Tue May 7 2024 jinlun <jinlun@huawei.com> - 15.6-23
- Fix the TPCM feature issue - Fix the TPCM feature issue