Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix the issue that the gBS->LoadImage pointer was empty. #691

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

jinlun123123123
Copy link

The interface shouldn't be replaced at the shim_fini
stage When the vendor certificate doesn't exist.

The interface shouldn't be replaced at the shim_fini
 stage When the vendor certificate doesn't exist.

Signed-off-by: Lun Jin <869793317@qq.com>
@kukrimate
Copy link

kukrimate commented Sep 22, 2024

		if (vendor_authorized_size || vendor_deauthorized_size) {
			/*
			 * If shim includes its own certificates then ensure
			 * that anything it boots has performed some
			 * validation of the next image.
			 */
			hook_system_services(systab);
			loader_is_participating = 0;
		}

The above is the hook installation code from shim_init. Hook is indeed only installed when moklist or moklistx is non-empty.

I hope there are no signed shims on the UEFI 3rd party CA with this condition.

EDIT: I initially thought this might be an exploitable UAF, but looks like the pointers written to the system table are always NULL, and I don't think there is any signed UEFI application that would allow an attacker to put shellcode there so maybe it's just an annoying crash.

@xcfxr
Copy link

xcfxr commented Oct 12, 2024

		if (vendor_authorized_size || vendor_deauthorized_size) {
			/*
			 * If shim includes its own certificates then ensure
			 * that anything it boots has performed some
			 * validation of the next image.
			 */
			hook_system_services(systab);
			loader_is_participating = 0;
		}

The above is the hook installation code from shim_init. Hook is indeed only installed when moklist or moklistx is non-empty.

I hope there are no signed shims on the UEFI 3rd party CA with this condition.

EDIT: I initially thought this might be an exploitable UAF, but looks like the pointers written to the system table are always NULL, and I don't think there is any signed UEFI application that would allow an attacker to put shellcode there so maybe it's just an annoying crash.

From the perspective of the logical integrity of the code, shim_fini needs to make the same judgment when uninstalling the hook, so this pr is meaningful.

@kukrimate
Copy link

From the perspective of the logical integrity of the code, shim_fini needs to make the same judgment when uninstalling the hook, so this pr is meaningful.

Absolutely, it should be merged, that was more of comment on severity.

@jsetje
Copy link
Collaborator

jsetje commented Oct 29, 2024

@jinlun123123123 can you please add your signed off by?

@mikebeaton
Copy link
Contributor

mikebeaton commented Oct 29, 2024

Hi - For information, I just checked, and the issue is not that the commit does not have a Signed-off-by, but that the CI DCO check (see Summary at end) apparently requires the Signed-off-by details to exactly match the GitHub account. From my test PR listed there, even a validated alternative address on the GitHub account is not sufficient, it has to match both the name and the account primary email address. (Which seems surprising.)

@jinlun123123123
Copy link
Author

Thank you all for reviewing and I resubmitted the PR:
#703

@mikebeaton
Copy link
Contributor

Thank you all for reviewing and I resubmitted the PR: #703

You may already be aware, but again FYI, you can also just force push to your own branch in a PR, and GitHub understands and updates the PR to the new set of commits on the branch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants