pe: Align section size up to page size for mem attrs #539
Merged: vathpela merged 1 commit into rhboot:main from nicholasbishop:bishop-mem-attrs-align-size, Jan 27, 2023
Setting memory attributes is generally done at page granularity, and this is enforced by checks in `get_mem_attrs` and `update_mem_attrs`. But unlike the section address, the section size isn't necessarily aligned to 4KiB. Round up the section size to fix this.

Signed-off-by: Nicholas Bishop <[email protected]>
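The alignment problem described above, as an added example that is not code from this pull request or from shim: a page-granular range check rejects sections whose size is not a 4 KiB multiple until the size is rounded up. The names `EX_PAGE_SIZE`, `range_is_page_granular`, `align_size_up` and `count_accepted` and the sample sections are hypothetical; the overflow guard is an addition of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EX_PAGE_SIZE 4096u /* 4 KiB granularity named in the PR description */

/* Hypothetical stand-in for the page-granularity check: a range is
 * accepted only if both its address and its size are page multiples. */
static bool range_is_page_granular(uint64_t addr, uint64_t size)
{
    return (addr % EX_PAGE_SIZE) == 0 && (size % EX_PAGE_SIZE) == 0;
}

/* Round size up to the next page multiple. Returns false when the result
 * would not fit in 64 bits, so a huge size cannot wrap to a small one. */
static bool align_size_up(uint64_t size, uint64_t *aligned)
{
    uint64_t rem = size % EX_PAGE_SIZE;
    if (rem == 0) { *aligned = size; return true; }
    if (size > UINT64_MAX - (EX_PAGE_SIZE - rem)) return false;
    *aligned = size + (EX_PAGE_SIZE - rem);
    return true;
}

/* Constructed sample sections: page-aligned address, arbitrary size. */
struct section { const char *name; uint64_t addr; uint64_t size; };
static const struct section samples[] = {
    { ".text",  0x1000, 0x2e14 },
    { ".data",  0x4000, 0x1000 },
    { ".reloc", 0x5000, 0x000c },
};

/* Count sections that pass the check; round_up selects whether the
 * size is aligned before the check. */
static int count_accepted(const struct section *s, int n, bool round_up)
{
    int ok = 0;
    for (int i = 0; i < n; i++) {
        uint64_t size = s[i].size;
        if (round_up && !align_size_up(size, &size))
            continue; /* overflow: refuse instead of using a wrapped range */
        if (range_is_page_granular(s[i].addr, size))
            ok++;
    }
    return ok;
}

int main(void)
{
    printf("accepted without rounding: %d\n", count_accepted(samples, 3, false));
    printf("accepted with rounding:    %d\n", count_accepted(samples, 3, true));
    return 0;
}
```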
vathpela approved these changes Jan 27, 2023

This doesn't seem included in the latest release (https://github.com/rhboot/shim/releases/tag/15.7). Any chance to get a new release with this?
AkihiroSuda added a commit to AkihiroSuda/lima-vm-lima that referenced this pull request Dec 11, 2023

…patibility)

Distro images such as `ubuntu-23.10-server-cloudimg-arm64.img` and `Fedora-Cloud-Base-39-1.5.aarch64.qcow2` no longer boot with the [upstream EDK2](https://github.com/tianocore/edk2), after the introduction of the support for `EFI_MEMORY_ATTRIBUTE_PROTOCOL` in <tianocore/edk2#4150>.

This issue happened because the UEFI shim used in those distro images does not support `EFI_MEMORY_ATTRIBUTE_PROTOCOL` properly. Debian images are known to be unaffected, as they do not use the UEFI shim.

The issue was fixed in <rhboot/shim#539>, however, as of the time of writing this (Dec 2023), the shim commit is only present in its `main` branch and not used by most distro images.

A workaround for this issue is being discussed in the edk2 mailing list <https://edk2.groups.io/g/devel/topic/102967690>, but it is still not accepted. We temporarily fork edk2 until the upstream accepts the workaround: <https://github.com/lima-vm/edk2-patched.tmp>.

Signed-off-by: Akihiro Suda <[email protected]>
vathpela added a commit that referenced this pull request Jan 23, 2024

What's changed

* Various CVE fixes:
  CVE-2023-40546 mok: fix LogError() invocation
  CVE-2023-40547 - avoid incorrectly trusting HTTP headers
  CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
  CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
  CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
  CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
* Add make infrastructure to set the NX_COMPAT flag by @vathpela in #530
* Make sbat_var.S parse right with buggy gcc/binutils by @vathpela in #535
* Drop invalid calls to CRYPTO_set_mem_functions by @nicholasbishop in #537
* pe: Align section size up to page size for mem attrs by @nicholasbishop in #539
* test-sbat: Fix exit code by @vathpela in #540
* pe: Add IS_PAGE_ALIGNED macro by @nicholasbishop in #541
* CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper by @nicholasbishop in #546
* Don't loop forever in load_certs() with buggy firmware by @rmetrich in #547
* Block Debian grub binaries with SBAT < 4 by @steve-mcintyre in #550
* Shim unable to locate grubx64 in PXE boot mode when grubx64 is stored in a different file path by @Alberto-Perez-Guevara in #551
* Further improve load_certs() for non-compliant drivers/firmwares by @pbatard in #560
* pe: only process RelocDir->Size of reloc section by @mikebeaton in #562
* Rename 'msecs' to 'usecs' to avoid potential confusion by @aronowski in #563
* Optionally allow to keep shim protocol installed by @bluca in #565
* SBAT-related documents formatting and spelling by @aronowski in #566
* Add SbatLevel_Variable.txt to document the various revocations by @jsetje in #569
* Add a security contact email address in README.md by @vathpela in #572
* Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL by @vathpela in #576
* mok: fix LogError() invocation by @vathpela in #577
* Minor housekeeping by @vathpela in #578
* Test ImageAddress() by @vathpela in #579
* FreePages() is used to return memory allocated by AllocatePages() by @dennis-tseng99 in #580
* Size should minus 1 when calculating 'RelocBaseEnd' by @jsetje in #581
* Verify signature before verifying sbat levels by @jsetje in #583
* Add libFuzzer support for csv.c and sbat.c by @vathpela in #584
* mok: Avoid underflow in maximum variable size calculation by @alpernebbi in #587
* Housekeeping by @vathpela in #605

Signed-off-by: Peter Jones <[email protected]>
brianredbeard pushed a commit to brianredbeard/redhat-efi-boot-shim that referenced this pull request Feb 22, 2024

What's changed

* Various CVE fixes:
  CVE-2023-40546 mok: fix LogError() invocation
  CVE-2023-40547 - avoid incorrectly trusting HTTP headers
  CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
  CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
  CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
  CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
* Add make infrastructure to set the NX_COMPAT flag by @vathpela in rhboot#530
* Make sbat_var.S parse right with buggy gcc/binutils by @vathpela in rhboot#535
* Drop invalid calls to CRYPTO_set_mem_functions by @nicholasbishop in rhboot#537
* pe: Align section size up to page size for mem attrs by @nicholasbishop in rhboot#539
* test-sbat: Fix exit code by @vathpela in rhboot#540
* pe: Add IS_PAGE_ALIGNED macro by @nicholasbishop in rhboot#541
* CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper by @nicholasbishop in rhboot#546
* Don't loop forever in load_certs() with buggy firmware by @rmetrich in rhboot#547
* Block Debian grub binaries with SBAT < 4 by @steve-mcintyre in rhboot#550
* Shim unable to locate grubx64 in PXE boot mode when grubx64 is stored in a different file path by @Alberto-Perez-Guevara in rhboot#551
* Further improve load_certs() for non-compliant drivers/firmwares by @pbatard in rhboot#560
* pe: only process RelocDir->Size of reloc section by @mikebeaton in rhboot#562
* Rename 'msecs' to 'usecs' to avoid potential confusion by @aronowski in rhboot#563
* Optionally allow to keep shim protocol installed by @bluca in rhboot#565
* SBAT-related documents formatting and spelling by @aronowski in rhboot#566
* Add SbatLevel_Variable.txt to document the various revocations by @jsetje in rhboot#569
* Add a security contact email address in README.md by @vathpela in rhboot#572
* Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL by @vathpela in rhboot#576
* mok: fix LogError() invocation by @vathpela in rhboot#577
* Minor housekeeping by @vathpela in rhboot#578
* Test ImageAddress() by @vathpela in rhboot#579
* FreePages() is used to return memory allocated by AllocatePages() by @dennis-tseng99 in rhboot#580
* Size should minus 1 when calculating 'RelocBaseEnd' by @jsetje in rhboot#581
* Verify signature before verifying sbat levels by @jsetje in rhboot#583
* Add libFuzzer support for csv.c and sbat.c by @vathpela in rhboot#584
* mok: Avoid underflow in maximum variable size calculation by @alpernebbi in rhboot#587
* Housekeeping by @vathpela in rhboot#605

Signed-off-by: Peter Jones <[email protected]>
pykello added a commit to ubicloud/build-edk2-firmware that referenced this pull request Mar 8, 2024

edk2-stable202402 is the latest Edk2 release and works with x64. Newer versions of Edk2 require a fix in bootloader shim v15.8 to be usable in arm64, and currently v15.7 is included in Ubuntu images. So using edk2-stable202211 for arm64, which is the latest release that works.

[1] rhboot/shim#539