Xen project Mailing List

Re: [PATCH] xen/efi: Fix crash with initial empty EFI options

To: Frediano Ziglio <frediano.ziglio@xxxxxxxxx>

Date: Mon, 7 Jul 2025 17:42:50 +0200

Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL

Cc: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Mon, 07 Jul 2025 15:43:08 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 07.07.2025 17:11, Frediano Ziglio wrote: > EFI code path split options from EFI LoadOptions fields in 2 > pieces, first EFI options, second Xen options. > "get_argv" function is called first to get the number of arguments > in the LoadOptions, second, after allocating enough space, to > fill some "argc"/"argv" variable. However the first parsing could > be different from second as second is able to detect "--" argument > separator. So it was possible that "argc" was bigger that the "argv" > array leading to potential buffer overflows, in particular > a string like "-- a b c" would lead to buffer overflow in "argv" > resulting in crashes. > Using EFI shell is possible to pass any kind of string in > LoadOptions. > > Fixes: 201f261e859e ("EFI: move x86 boot/runtime code to common/efi") This only moves the function, but doesn't really introduce any issue afaics. > --- a/xen/common/efi/boot.c > +++ b/xen/common/efi/boot.c > @@ -345,6 +345,7 @@ static unsigned int __init get_argv(unsigned int argc, > CHAR16 **argv, > VOID *data, UINTN size, UINTN *offset, > CHAR16 **options) > { > + CHAR16 **const orig_argv = argv; > CHAR16 *ptr = (CHAR16 *)(argv + argc + 1), *prev = NULL, *cmdline = NULL; > bool prev_sep = true; > > @@ -384,7 +385,7 @@ static unsigned int __init get_argv(unsigned int argc, > CHAR16 **argv, > { > cmdline = data + *offset; > /* Cater for the image name as first component. */ > - ++argc; > + ++argv; We're on the argc == 0 and argv == NULL path here. Incrementing NULL is UB, if I'm not mistaken. > @@ -402,7 +403,7 @@ static unsigned int __init get_argv(unsigned int argc, > CHAR16 **argv, > { > if ( cur_sep ) > ++ptr; > - else if ( argv ) > + else if ( orig_argv ) > { > *ptr = *cmdline; > *++ptr = 0; > @@ -410,8 +411,8 @@ static unsigned int __init get_argv(unsigned int argc, > CHAR16 **argv, > } > else if ( !cur_sep ) > { > - if ( !argv ) > - ++argc; > + if ( !orig_argv ) > + ++argv; > else if ( prev && wstrcmp(prev, L"--") == 0 ) > { > --argv; As per this, it looks like that on the 1st pass we may indeed overcount arguments. But ... > @@ -428,9 +429,9 @@ static unsigned int __init get_argv(unsigned int argc, > CHAR16 **argv, > } > prev_sep = cur_sep; > } > - if ( argv ) > + if ( orig_argv ) > *argv = NULL; > - return argc; > + return argv - orig_argv; > } > > static EFI_FILE_HANDLE __init get_parent_handle(const EFI_LOADED_IMAGE > *loaded_image, > @@ -1348,8 +1349,8 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE > ImageHandle, > (argc + 1) * sizeof(*argv) + > loaded_image->LoadOptionsSize, > (void **)&argv) == EFI_SUCCESS ) > - get_argv(argc, argv, loaded_image->LoadOptions, > - loaded_image->LoadOptionsSize, &offset, &options); > + argc = get_argv(argc, argv, loaded_image->LoadOptions, > + loaded_image->LoadOptionsSize, &offset, > &options); ... wouldn't this change alone cure that problem? And even that I don't follow. Below here we have for ( i = 1; i < argc; ++i ) { CHAR16 *ptr = argv[i]; if ( !ptr ) break; and the 2nd pass of get_argv() properly terminates the (possibly too large) array with a NULL sentinel. So I wonder what it is that I'm overlooking and that is broken. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.