The UEFI specification requires that when UEFI variables are set using time
based authentication we have to check that unused fields of the timestamp
are zero

Signed-off-by: Heinrich Schuchardt <xypron.g...@gmx.de>
---
 lib/efi_loader/efi_variable.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
index 6271dbcf41..364feeec40 100644
--- a/lib/efi_loader/efi_variable.c
+++ b/lib/efi_loader/efi_variable.c
@@ -480,11 +480,15 @@ static efi_status_t efi_variable_authenticate(u16 
*variable,
        if (guidcmp(&auth->auth_info.cert_type, &efi_guid_cert_type_pkcs7))
                goto err;

+       memcpy(&timestamp, &auth->time_stamp, sizeof(timestamp));
+       if (timestamp.pad1 || timestamp.nanosecond || timestamp.timezone ||
+          timestamp.daylight || timestamp.pad2)
+             goto err;
+
        *data += sizeof(auth->time_stamp) + auth->auth_info.hdr.dwLength;
        *data_size -= (sizeof(auth->time_stamp)
                                + auth->auth_info.hdr.dwLength);

-       memcpy(&timestamp, &auth->time_stamp, sizeof(timestamp));
        memset(&tm, 0, sizeof(tm));
        tm.tm_year = timestamp.year;
        tm.tm_mon = timestamp.month;
--
2.27.0

Reply via email to