Date: Thu, 8 Aug 2019 17:03:30 +0000 (UTC)
From: Marcin Wojtas <mw@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r350761 - in head/stand: efi/loader i386/loader
Message-ID: <201908081703.x78H3UQW062112@repo.freebsd.org>
Author: mw Date: Thu Aug 8 17:03:30 2019 New Revision: 350761 URL: https://svnweb.freebsd.org/changeset/base/350761 Log: Verify files loaded in chain command. The chain command can be used to chain load another binary. If veriexec is enabled we should verify it first. Note that on EFI systems the verification was already done through firmware, assuming that Secure Boot was enabled there. Submitted by: Kornel Duleba <mindal@semihalf.com> Reviewed by: sjg MFC after: 1 week Obtained from: Semihalf Differential Revision: https://reviews.freebsd.org/D20952 Modified: head/stand/efi/loader/main.c head/stand/i386/loader/chain.c Modified: head/stand/efi/loader/main.c ============================================================================== --- head/stand/efi/loader/main.c Thu Aug 8 16:54:22 2019 (r350760) +++ head/stand/efi/loader/main.c Thu Aug 8 17:03:30 2019 (r350761) @@ -1440,6 +1440,14 @@ command_chain(int argc, char *argv[]) return (CMD_ERROR); } +#ifdef LOADER_VERIEXEC + if (verify_file(fd, name, 0, VE_MUST) < 0) { + sprintf(command_errbuf, "can't verify: %s", name); + close(fd); + return (CMD_ERROR); + } +#endif + if (fstat(fd, &st) < -1) { command_errmsg = "stat failed"; close(fd); Modified: head/stand/i386/loader/chain.c ============================================================================== --- head/stand/i386/loader/chain.c Thu Aug 8 16:54:22 2019 (r350760) +++ head/stand/i386/loader/chain.c Thu Aug 8 17:03:30 2019 (r350761) @@ -75,6 +75,14 @@ command_chain(int argc, char *argv[]) return (CMD_ERROR); } +#ifdef LOADER_VERIEXEC + if (verify_file(fd, argv[1], 0, VE_MUST) < 0) { + sprintf(command_errbuf, "can't verify: %s", argv[1]); + close(fd); + return (CMD_ERROR); + } +#endif + len = strlen(argv[1]); if (argv[1][len-1] != ':') { if (fstat(fd, &st) == -1) {
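Review bot: In the head/stand/efi/loader/main.c hunk, the added error path writes name into command_errbuf with an unbounded sprintf, and nothing in the hunk limits the length of name. Suggest snprintf(command_errbuf, sizeof(command_errbuf), "can't verify: %s", name), assuming command_errbuf is a fixed-size array in scope here. Separately, the trailing context line tests fstat(fd, &st) < -1, which cannot be true when fstat reports failure as -1, so the "stat failed" path is never taken; the i386 file compares with == -1, and this one should match.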
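Review bot: In the head/stand/i386/loader/chain.c hunk, verify_file() with VE_MUST runs before the argv[1][len-1] != ':' test in the trailing context, so an argument ending in ':' (which the following code handles differently, skipping fstat) is also forced through verification whenever LOADER_VERIEXEC is defined. If that form does not name a regular file, chain will now fail with "can't verify"; please add a comment stating that refusing such arguments under veriexec is intended, or handle that case explicitly. The sprintf into command_errbuf is also unbounded on argv[1]; snprintf with the buffer size would be safer.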