svn commit: r350761 - in head/stand: efi/loader i386/loader
Marcin Wojtas
mw at FreeBSD.org
Thu Aug 8 17:03:31 UTC 2019
Author: mw
Date: Thu Aug 8 17:03:30 2019
New Revision: 350761
URL: https://svnweb.freebsd.org/changeset/base/350761
Log:
Verify files loaded in chain command.
The chain command can be used to chain load another binary.
If veriexec is enabled we should verify it first.
Note that on EFI systems the verification was already done
through firmware, assuming that Secure Boot was enabled there.
Submitted by: Kornel Duleba <mindal at semihalf.com>
Reviewed by: sjg
MFC after: 1 week
Obtained from: Semihalf
Differential Revision: https://reviews.freebsd.org/D20952
Modified:
head/stand/efi/loader/main.c
head/stand/i386/loader/chain.c
Modified: head/stand/efi/loader/main.c
==============================================================================
--- head/stand/efi/loader/main.c Thu Aug 8 16:54:22 2019 (r350760)
+++ head/stand/efi/loader/main.c Thu Aug 8 17:03:30 2019 (r350761)
@@ -1440,6 +1440,14 @@ command_chain(int argc, char *argv[])
return (CMD_ERROR);
}
+#ifdef LOADER_VERIEXEC
+ if (verify_file(fd, name, 0, VE_MUST) < 0) {
+ sprintf(command_errbuf, "can't verify: %s", name);
+ close(fd);
+ return (CMD_ERROR);
+ }
+#endif
+
if (fstat(fd, &st) < -1) {
command_errmsg = "stat failed";
close(fd);
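Review bot: The new error path in command_chain() formats name into command_errbuf with an unbounded sprintf(), and nothing in the visible lines limits the length of name. A bounded write, snprintf() with the size of command_errbuf, would keep an overlong path from overrunning the buffer on the failure path. Separately, the unchanged context line right after the new block reads "if (fstat(fd, &st) < -1)"; fstat() returns -1 on error, so that comparison is never true and a failed stat is not caught here. The i386 version of the same function tests "== -1", and this file should probably match it.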
Modified: head/stand/i386/loader/chain.c
==============================================================================
--- head/stand/i386/loader/chain.c Thu Aug 8 16:54:22 2019 (r350760)
+++ head/stand/i386/loader/chain.c Thu Aug 8 17:03:30 2019 (r350761)
@@ -75,6 +75,14 @@ command_chain(int argc, char *argv[])
return (CMD_ERROR);
}
+#ifdef LOADER_VERIEXEC
+ if (verify_file(fd, argv[1], 0, VE_MUST) < 0) {
+ sprintf(command_errbuf, "can't verify: %s", argv[1]);
+ close(fd);
+ return (CMD_ERROR);
+ }
+#endif
+
len = strlen(argv[1]);
if (argv[1][len-1] != ':') {
if (fstat(fd, &st) == -1) {
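Review bot: The verify_file() call on argv[1] runs before the check "if (argv[1][len-1] != ':')", so it is also applied when the argument names a device rather than a file. It is worth stating in a comment, or in the commit message, what VE_MUST verification is expected to do in the device case: if a bare device can never be verified, chain loading from one always fails when LOADER_VERIEXEC is defined, and if that is intended it should be documented. As in the EFI hunk, the sprintf() into command_errbuf takes argv[1] straight from the command line with no length bound; snprintf() with the buffer size would be safer.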