!196 [sync] PR-192: backport patch from upstream

From: @openeuler-sync-bot Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen
2024-10-22 08:24:59 +00:00 · 2024-10-22 08:24:59 +00:00 · d7e3dccf03
commit d7e3dccf03
parent b3e2875cd9 509d534207
2 changed files with 60 additions and 2 deletions
--- a/backport-shim-don-t-set-second_stage-to-the-empty-string.patch
+++ b/backport-shim-don-t-set-second_stage-to-the-empty-string.patch
@ -0,0 +1,54 @@
 From 0287c6b14c77eeb3e3c61996330850d43d937a2b Mon Sep 17 00:00:00 2001
 From: Jonathan Davies <jonathan.davies@nutanix.com>
 Date: Thu, 22 Feb 2024 16:24:01 +0000
 Subject: [PATCH] shim: don't set second_stage to the empty string
 When LoadOptions is either L" " or L"shim.efi ", parse_load_options sets
 second_stage to the empty string. This is unlikely to be what is intended, and
 typically leads to a non-obvious failure mode.
 The failure happens because parse_load_options's call to split_load_options
 (after eating shim's own filename, if present) returns the empty string. Since
 init_grub typically passes second_stage to start_image, this causes read_image
 to concatenate the empty string onto the directory name. This means PathName
 refers to the directory, not the path to a pe image. Then load_image
 successfully opens a handle on the directory and reads "data" from it. It only
 eventually fails when handle_image calls read_header which finds that this data
 isn't in fact a pe header, reporting "Invalid image".
 This scenario has been seen when shim is loaded via rEFInd 0.11.5, which sets
 LoadOptions to the name of the shim program followed by a space character.
 Instead, modify parse_load_options to leave second_stage set to its default
 value rather than the empty string.
 Reference:https://github.com/rhboot/shim/commit/0287c6b14c77eeb3e3c61996330850d43d937a2b
 Conflict:NA
 Signed-off-by: Jonathan Davies <jonathan.davies@nutanix.com>
 ---
 load-options.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/load-options.c b/load-options.c
 index a8c6e1a..8b92e37 100644
 --- a/load-options.c
 +++ b/load-options.c
@@ -447,10 +447,12 @@ parse_load_options(EFI_LOADED_IMAGE *li)
 	/*
 	 * Set up the name of the alternative loader and the LoadOptions for
 -	 * the loader
 +	 * the loader if it's not the empty string.
 	 */
 	if (loader_str) {
 -		second_stage = loader_str;
 +		if (*loader_str) {
 +			second_stage = loader_str;
 +		}
 		load_options = remaining;
 		load_options_size = remaining_size;
 	}
 -- 
 2.33.0
--- a/shim.spec
+++ b/shim.spec
@ -25,7 +25,7 @@
 Name:	   	   shim
 Version:	   15.7
-Release:	   13
+Release:	   14
 Summary:	   First-stage UEFI bootloader
 ExclusiveArch:     x86_64 aarch64
 License:	   BSD
@ -54,6 +54,7 @@ Patch14:backport-CVE-2023-2650.patch
 Patch15:backport-CVE-2024-0727.patch
 Patch16:backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch
 Patch17:backport-Align-section-size-up-to-page-size-for-mem-attrs.patch
 Patch18:backport-shim-don-t-set-second_stage-to-the-empty-string.patch
 # Feature for shim SMx support
 Patch9000:Feature-shim-openssl-add-ec-support.patch
@ -211,7 +212,10 @@ make test
 /usr/src/debug/%{name}-%{version}-%{release}/*
 %changelog
-* Wed May 29 2024 jinlun <jinlun@huawei.com> -15.7-12
+* Tue Oct 22 2024 fuanan <fuanan3@h-partners.com> -15.7-14
 - backport patch from upstream
 * Wed May 29 2024 jinlun <jinlun@huawei.com> -15.7-13
 - add CFCA sign shim
 * Fri May 17 2024 wangcheng <wangcheng156@huawei.com> - 15.7-12