[PATCH v3 04/13] efi_loader: signature: fix a size check against revocation list
AKASHI Takahiro
takahiro.akashi at linaro.org
Wed Jul 8 07:01:54 CEST 2020
Since the size check against an entry in efi_search_siglist() is
incorrect, this function will never find out a to-be-matched certificate
and its associated revocation time in the signature list.
Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
---
lib/efi_loader/efi_signature.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
index da3818ac62e2..f0282c8c3c05 100644
--- a/lib/efi_loader/efi_signature.c
+++ b/lib/efi_loader/efi_signature.c
@@ -434,10 +434,11 @@ static bool efi_search_siglist(struct x509_certificate *cert,
* time64_t revocation_time;
* };
*/
- if ((sig_data->size == SHA256_SUM_LEN) &&
- !memcmp(sig_data->data, hash, SHA256_SUM_LEN)) {
+ if ((sig_data->size >= SHA256_SUM_LEN + sizeof(time64_t)) &&
+ !memcmp(sig_data->data, msg, SHA256_SUM_LEN)) {
memcpy(revoc_time, sig_data->data + SHA256_SUM_LEN,
sizeof(*revoc_time));
+ EFI_PRINT("revocation time: 0x%llx\n", *revoc_time);
found = true;
goto out;
}
--
2.27.0
More information about the U-Boot
mailing list