From 51583bd5006b362a63b6e49ad91aed2d1917f2ed Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 1 Oct 2013 16:32:54 -0400
Subject: [PATCH] If we fail to install our protocol, don't continue.

This shouldn't be exploitable unless you've got a way to make
InstallProtocol fail and still, for example, have memory free to
actually load and run something.

Signed-off-by: Peter Jones <pjones@redhat.com>
---
 shim.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/shim.c b/shim.c
index b725629..2a3d055 100644
--- a/shim.c
+++ b/shim.c
@@ -1625,9 +1625,14 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
 	/*
 	 * Install the protocol
 	 */
-	uefi_call_wrapper(BS->InstallProtocolInterface, 4, &handle,
-			  &shim_lock_guid, EFI_NATIVE_INTERFACE,
+	efi_status = uefi_call_wrapper(BS->InstallProtocolInterface, 4,
+			  &handle, &shim_lock_guid, EFI_NATIVE_INTERFACE,
 			  &shim_lock_interface);
+	if (EFI_ERROR(efi_status)) {
+		console_error("Could not install security protocol",
+			      efi_status);
+		return efi_status;
+	}
 
 #if defined(OVERRIDE_SECURITY_POLICY)
 	/*