Re: [PATCH 04/13] efi_loader: signature: fix a size check against revocation list

2020-05-30 Thread Heinrich Schuchardt
On 5/29/20 8:41 AM, AKASHI Takahiro wrote:
> Since the size check against an entry in efi_search_siglist() is
> incorrect, this function will never find out a to-be-matched certificate
> and its associated revocation time in signature list.

%s/in signature/in the signature/

>
> Signed-off-by: AKASHI Takahiro 
> ---
>  lib/efi_loader/efi_signature.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
> index be6491c6e255..35f678de057e 100644
> --- a/lib/efi_loader/efi_signature.c
> +++ b/lib/efi_loader/efi_signature.c
> @@ -432,10 +432,11 @@ static bool efi_search_siglist(struct x509_certificate 
> *cert,
>*  time64_t revocation_time;
>* };
>*/
> - if ((sig_data->size == SHA256_SUM_LEN) &&
> - !memcmp(sig_data->data, hash, SHA256_SUM_LEN)) {
> + if ((sig_data->size >= SHA256_SUM_LEN + sizeof(time64_t)) &&
> + !memcmp(sig_data->data, msg, SHA256_SUM_LEN)) {
>   memcpy(revoc_time, sig_data->data + SHA256_SUM_LEN,
>  sizeof(*revoc_time));
> + debug("revocation time: 0x%llx\n", *revoc_time);

Since this is seconds since 1970 wouldn't it be reasonable to use
decimal output (%llu)?

Otherwise:
Reviewed-by: Heinrich Schuchardt 

>   found = true;
>   goto out;
>   }
>
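Review bot: the added `debug("revocation time: 0x%llx\n", *revoc_time);` passes a `time64_t` to a `%llx` conversion, which expects `unsigned long long`; if `time64_t` is the signed 64-bit type used in the Linux definition, cast the argument (`(unsigned long long)*revoc_time`) or use a matching signed specifier so the line is clean under `-Wformat`. The rest of the hunk is sound: the old `== SHA256_SUM_LEN` test could never hold for an entry that carries both the hash and the `time64_t` documented in the comment above, and the new `>= SHA256_SUM_LEN + sizeof(time64_t)` check now bounds the following `memcpy` of `sizeof(*revoc_time)` bytes within the entry.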


[PATCH 04/13] efi_loader: signature: fix a size check against revocation list

2020-05-29 Thread AKASHI Takahiro
Since the size check against an entry in efi_search_siglist() is
incorrect, this function will never find out a to-be-matched certificate
and its associated revocation time in signature list.

Signed-off-by: AKASHI Takahiro 
---
 lib/efi_loader/efi_signature.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
index be6491c6e255..35f678de057e 100644
--- a/lib/efi_loader/efi_signature.c
+++ b/lib/efi_loader/efi_signature.c
@@ -432,10 +432,11 @@ static bool efi_search_siglist(struct x509_certificate 
*cert,
 *  time64_t revocation_time;
 * };
 */
-   if ((sig_data->size == SHA256_SUM_LEN) &&
-   !memcmp(sig_data->data, hash, SHA256_SUM_LEN)) {
+   if ((sig_data->size >= SHA256_SUM_LEN + sizeof(time64_t)) &&
+   !memcmp(sig_data->data, msg, SHA256_SUM_LEN)) {
memcpy(revoc_time, sig_data->data + SHA256_SUM_LEN,
   sizeof(*revoc_time));
+   debug("revocation time: 0x%llx\n", *revoc_time);
found = true;
goto out;
}
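Review bot: the commit message describes only the size check, but the hunk also changes which buffer is compared, from `hash` to `msg` in `!memcmp(sig_data->data, msg, SHA256_SUM_LEN)`; state in the message why `msg` is the correct buffer here (or split that change into its own patch) so the behavioural change is reviewable on its own. Since the comment above documents the entry as exactly a SHA-256 hash followed by a `time64_t`, also consider whether `>=` is intended rather than `==`: `>=` tolerates trailing bytes in an entry, which is harmless only if they are never interpreted, whereas the exact-size check rejects malformed entries outright.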
-- 
2.25.2