From f8d1ad26781e8624092d4d9fef7238348a8f30b5 Mon Sep 17 00:00:00 2001 From: Max Tottenham Date: Mon, 14 Jan 2019 14:03:29 +0000 Subject: [PATCH] tpm: Fix bug in GRUB2 TPM module The value of tpm_handle changes between successive calls to grub_tpm_handle_find(), as instead of simply copying the stored pointer we end up taking the address of said pointer when using the cached value of grub_tpm_handle. This causes grub_efi_open_protocol() to return a nullptr in grub_tpm2_execute() and grub_tpm2_log_event(). Said nullptr goes unchecked and efi_call_5(tpm->hash_log_extend_event,...) ends up jumping to 0x0, Qemu crashes once video ROM is reached at 0xb0000. This patch seems to do the trick of fixing that bug, but we should also ensure that all calls to grub_efi_open_protocol() are checked so that we don't start executing low memory. Signed-off-by: Max Tottenham Reviewed-by: Matthew Garrett Reviewed-by: Daniel Kiper --- grub-core/commands/efi/tpm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/grub-core/commands/efi/tpm.c b/grub-core/commands/efi/tpm.c index 563ceba7a..7475fd87b 100644 --- a/grub-core/commands/efi/tpm.c +++ b/grub-core/commands/efi/tpm.c @@ -89,7 +89,7 @@ grub_tpm_handle_find (grub_efi_handle_t *tpm_handle, if (grub_tpm_handle != NULL) { - *tpm_handle = &grub_tpm_handle; + *tpm_handle = grub_tpm_handle; *protocol_version = grub_tpm_version; return 1; }
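Review bot: The one-line change in grub_tpm_handle_find() is correct (the cached path now returns the stored handle `*tpm_handle = grub_tpm_handle;` instead of the address of the static, matching what the first-lookup path stores), but the commit message itself points out that the callers grub_tpm2_execute() and grub_tpm2_log_event() still pass an unchecked result of grub_efi_open_protocol() into efi_call_5(tpm->hash_log_extend_event, ...); that NULL-dereference-turned-jump-to-0x0 is the actual crash path and should be closed in the same series rather than deferred, with each caller bailing out (returning an error) when the protocol pointer is NULL. Also worth recording in the message that the original bug was invisible to the compiler because the types involved are generic pointers, so a follow-up that checks the opened protocol is the only durable guard against a regression here.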