If we fail to install our protocol, don't continue.

This shouldn't be exploitable unless you've got a way to make InstallProtocol fail and still, for example, have memory free to actually load and run something. Signed-off-by: Peter Jones <pjones@redhat.com>
2025-08-13 17:06:14 +00:00 · 2013-10-01 16:32:54 -04:00 · 2013-10-01 16:32:54 -04:00 · 51583bd500
commit 51583bd500
parent 6e5d86e565
1 changed files with 7 additions and 2 deletions
--- a/shim.c
+++ b/shim.c
@ -1625,9 +1625,14 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
 	/*
 	 * Install the protocol
 	 */
-	uefi_call_wrapper(BS->InstallProtocolInterface, 4, &handle,
-			  &shim_lock_guid, EFI_NATIVE_INTERFACE,
+	efi_status = uefi_call_wrapper(BS->InstallProtocolInterface, 4,
+			  &handle, &shim_lock_guid, EFI_NATIVE_INTERFACE,
 			  &shim_lock_interface);
+	if (EFI_ERROR(efi_status)) {
+		console_error("Could not install security protocol",
+			      efi_status);
+		return efi_status;
+	}

 #if defined(OVERRIDE_SECURITY_POLICY)
 	/*