Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 8 Aug 2019 17:03:30 +0000 (UTC)
From:      Marcin Wojtas <mw@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r350761 - in head/stand: efi/loader i386/loader
Message-ID:  <201908081703.x78H3UQW062112@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: mw
Date: Thu Aug  8 17:03:30 2019
New Revision: 350761
URL: https://svnweb.freebsd.org/changeset/base/350761

Log:
  Verify files loaded in chain command.
  
  The chain command can be used to chain load another binary.
  If veriexec is enabled we should verify it first.
  Note that on EFI systems the verification was already done
  through firmware, assuming that Secure Boot was enabled there.
  
  Submitted by: Kornel Duleba <mindal@semihalf.com>
  Reviewed by: sjg
  MFC after: 1 week
  Obtained from: Semihalf
  Differential Revision: https://reviews.freebsd.org/D20952

Modified:
  head/stand/efi/loader/main.c
  head/stand/i386/loader/chain.c

Modified: head/stand/efi/loader/main.c
==============================================================================
--- head/stand/efi/loader/main.c	Thu Aug  8 16:54:22 2019	(r350760)
+++ head/stand/efi/loader/main.c	Thu Aug  8 17:03:30 2019	(r350761)
@@ -1440,6 +1440,14 @@ command_chain(int argc, char *argv[])
 		return (CMD_ERROR);
 	}
 
+#ifdef LOADER_VERIEXEC
+	if (verify_file(fd, name, 0, VE_MUST) < 0) {
+		sprintf(command_errbuf, "can't verify: %s", name);
+		close(fd);
+		return (CMD_ERROR);
+	}
+#endif
+
 	if (fstat(fd, &st) < -1) {
 		command_errmsg = "stat failed";
 		close(fd);

Modified: head/stand/i386/loader/chain.c
==============================================================================
--- head/stand/i386/loader/chain.c	Thu Aug  8 16:54:22 2019	(r350760)
+++ head/stand/i386/loader/chain.c	Thu Aug  8 17:03:30 2019	(r350761)
@@ -75,6 +75,14 @@ command_chain(int argc, char *argv[])
 		return (CMD_ERROR);
 	}
 
+#ifdef LOADER_VERIEXEC
+	if (verify_file(fd, argv[1], 0, VE_MUST) < 0) {
+		sprintf(command_errbuf, "can't verify: %s", argv[1]);
+		close(fd);
+		return (CMD_ERROR);
+	}
+#endif
+
 	len = strlen(argv[1]);
 	if (argv[1][len-1] != ':') {
 		if (fstat(fd, &st) == -1) {

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201908081703.x78H3UQW062112>