tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
audk/SecurityPkg
History
Laszlo Ersek d547f31c32 SecurityPkg: VariableServiceSetVariable(): fix dbt <-> GUID association 
SVN r16380 ("UEFI 2.4 X509 Certificate Hash and RFC3161 Timestamp
Verification support for Secure Boot") broke the "dbt" variable's
association with its expected namespace GUID.

According to "MdePkg/Include/Guid/ImageAuthentication.h", *all* of the
"db", "dbx", and "dbt" (== EFI_IMAGE_SECURITY_DATABASE2) variables have
their special meanings in the EFI_IMAGE_SECURITY_DATABASE_GUID namespace.

However, the above commit introduced the following expression in
VariableServiceSetVariable():

> -  } else if (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
> -          ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) || (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0))) {
> +  } else if (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
> +          ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) || (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0))
> +           || (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2)) == 0) {

Simply replacing the individual expressions with the predicates
"GuidMatch", "DbMatch", "DbxMatch", and "DbtMatch", the above
transformation becomes:

> -  } else if (GuidMatch &&
> -          ((DbMatch) || (DbxMatch))) {
> +  } else if (GuidMatch &&
> +          ((DbMatch) || (DbxMatch))
> +           || DbtMatch) {

In shorter form, we change

  GuidMatch && (DbMatch || DbxMatch)

into

  GuidMatch && (DbMatch || DbxMatch) || DbtMatch

which is incorrect, because this way "dbt" will match outside of the
intended namespace / GUID.

The error was caught by gcc:

> SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c: In function
> 'VariableServiceSetVariable':
>
> SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c:3188:71: error:
> suggest parentheses around '&&' within '||' [-Werror=parentheses]
>
>    } else if (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
>                                                                        ^
> cc1: all warnings being treated as errors

Fix the parentheses.

This change may have security implications.

Contributed-under: TianoCore Contribution Agreement 1.0

Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Reviewed-by: Qin Long <qin.long@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16389 6f19259b-4bc3-4df7-8a09-765794883524
 		2014-11-14 13:47:14 +00:00
..
Application SecurityPkg: Convert non DOS format files to DOS format 2014-09-03 08:51:17 +00:00
Include Fix PCD help information format and a typo. 2014-01-23 03:19:38 +00:00
Library UEFI 2.4 X509 Certificate Hash and RFC3161 Timestamp Verification support for Secure Boot 2014-11-14 08:41:12 +00:00
RandomNumberGenerator/RngDxe SecurityPkg: Convert non DOS format files to DOS format 2014-09-03 08:51:17 +00:00
Tcg Fix execution status & DEBUG message level mismatch. EFI_D_ERROR is used only when failure/case can’t be resolved by code. 2014-11-10 05:01:15 +00:00
UserIdentification Clean up the code. Action statement should not have text two opcode. 2014-10-21 05:48:00 +00:00
VariableAuthenticated SecurityPkg: VariableServiceSetVariable(): fix dbt <-> GUID association 2014-11-14 13:47:14 +00:00
Contributions.txt EDK II Contributions.txt: Update patch format information 2014-10-31 22:05:50 +00:00
License.txt Update copyright format 2012-04-24 06:49:39 +00:00
SecurityPkg.dec Update SecurityPkg package version to 0.94. 2014-09-02 07:05:34 +00:00
SecurityPkg.dsc Update SecurityPkg package version to 0.94. 2014-09-02 07:05:34 +00:00
SecurityPkg.uni SecurityPkg: Convert non DOS format files to DOS format 2014-09-03 08:51:17 +00:00
SecurityPkgExtra.uni SecurityPkg: INF/DEC file updates to EDK II packages 2014-08-28 05:49:39 +00:00