UBUNTU: SAUCE: (lockdown) Make get_cert_list() not complain about cert lists that...

Signed-off-by: Peter Jones <pjones@redhat.com>
(cherry picked from commit 614aa23ccc2817579f114b4b1d03b70b838d91af
 git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git)
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>

diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index 81b19c52832ba7245d17e53c74ca80df8f876361..e188f3ecbce3af7ec6f89b9cc757ce4913eb273d 100644 (file)
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -38,8 +38,8 @@ static __init bool uefi_check_ignore_db(void)
 /*
  * Get a certificate list blob from the named EFI variable.
  */
-static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
-                                 unsigned long *size)
+static __init int get_cert_list(efi_char16_t *name, efi_guid_t *guid,
+                                 unsigned long *size , void **cert_list)
 {
        efi_status_t status;
        unsigned long lsize = 4;
@@ -47,24 +47,31 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
        void *db;
 
        status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
+       if (status == EFI_NOT_FOUND) {
+               *size = 0;
+               *cert_list = NULL;
+               return 0;
+       }
+
        if (status != EFI_BUFFER_TOO_SMALL) {
                pr_err("Couldn't get size: 0x%lx\n", status);
-               return NULL;
+               return efi_status_to_err(status);
        }
 
        db = kmalloc(lsize, GFP_KERNEL);
        if (!db)
-               return NULL;
+               return -ENOMEM;
 
        status = efi.get_variable(name, guid, NULL, &lsize, db);
        if (status != EFI_SUCCESS) {
                kfree(db);
                pr_err("Error reading db var: 0x%lx\n", status);
-               return NULL;
+               return efi_status_to_err(status);
        }
 
        *size = lsize;
-       return db;
+       *cert_list = db;
+       return 0;
 }
 
 /*
@@ -153,10 +160,10 @@ static int __init load_uefi_certs(void)
         * an error if we can't get them.
         */
        if (!uefi_check_ignore_db()) {
-               db = get_cert_list(L"db", &secure_var, &dbsize);
-               if (!db) {
+               rc = get_cert_list(L"db", &secure_var, &dbsize, &db);
+               if (rc < 0) {
                        pr_err("MODSIGN: Couldn't get UEFI db list\n");
-               } else {
+               } else if (dbsize != 0) {
                        rc = parse_efi_signature_list("UEFI:db",
                                        db, dbsize, get_handler_for_db);
                        if (rc)
@@ -166,10 +173,10 @@ static int __init load_uefi_certs(void)
                }
        }
 
-       mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
-       if (!mok) {
+       rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok);
+       if (rc < 0) {
                pr_info("Couldn't get UEFI MokListRT\n");
-       } else {
+       } else if (moksize != 0) {
                rc = parse_efi_signature_list("UEFI:MokListRT",
                                              mok, moksize, get_handler_for_db);
                if (rc)
@@ -177,10 +184,10 @@ static int __init load_uefi_certs(void)
                kfree(mok);
        }
 
-       dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
-       if (!dbx) {
+       rc = get_cert_list(L"dbx", &secure_var, &dbxsize, &dbx);
+       if (rc < 0) {
                pr_info("Couldn't get UEFI dbx list\n");
-       } else {
+       } else if (dbxsize != 0) {
                rc = parse_efi_signature_list("UEFI:dbx",
                                              dbx, dbxsize,
                                              get_handler_for_dbx);