[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] xen/efi: Fix crash with initial empty EFI options

  • To: Frediano Ziglio <frediano.ziglio@xxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Tue, 8 Jul 2025 10:26:17 +0200
  • Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL
  • Cc: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Tue, 08 Jul 2025 08:26:43 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 08.07.2025 08:03, Frediano Ziglio wrote:
> On Mon, Jul 7, 2025 at 5:04 PM Jan Beulich <jbeulich@xxxxxxxx> wrote:
>>
>> On 07.07.2025 17:51, Frediano Ziglio wrote:
>>> On Mon, Jul 7, 2025 at 4:42 PM Jan Beulich <jbeulich@xxxxxxxx> wrote:
>>>>
>>>> On 07.07.2025 17:11, Frediano Ziglio wrote:
>>>>> EFI code path split options from EFI LoadOptions fields in 2
>>>>> pieces, first EFI options, second Xen options.
>>>>> "get_argv" function is called first to get the number of arguments
>>>>> in the LoadOptions, second, after allocating enough space, to
>>>>> fill some "argc"/"argv" variable. However the first parsing could
>>>>> be different from second as second is able to detect "--" argument
>>>>> separator. So it was possible that "argc" was bigger that the "argv"
>>>>> array leading to potential buffer overflows, in particular
>>>>> a string like "-- a b c" would lead to buffer overflow in "argv"
>>>>> resulting in crashes.
>>>>> Using EFI shell is possible to pass any kind of string in
>>>>> LoadOptions.
>>>>>
>>>>> Fixes: 201f261e859e ("EFI: move x86 boot/runtime code to common/efi")
>>>>
>>>> This only moves the function, but doesn't really introduce any issue 
>>>> afaics.
>>>>
>>>
>>> Okay, I'll follow the rename
>>>
>>>>> --- a/xen/common/efi/boot.c
>>>>> +++ b/xen/common/efi/boot.c
>>>>> @@ -345,6 +345,7 @@ static unsigned int __init get_argv(unsigned int 
>>>>> argc, CHAR16 **argv,
>>>>>                                      VOID *data, UINTN size, UINTN 
>>>>> *offset,
>>>>>                                      CHAR16 **options)
>>>>>  {
>>>>> +    CHAR16 **const orig_argv = argv;
>>>>>      CHAR16 *ptr = (CHAR16 *)(argv + argc + 1), *prev = NULL, *cmdline = 
>>>>> NULL;
>>>>>      bool prev_sep = true;
>>>>>
>>>>> @@ -384,7 +385,7 @@ static unsigned int __init get_argv(unsigned int 
>>>>> argc, CHAR16 **argv,
>>>>>                  {
>>>>>                      cmdline = data + *offset;
>>>>>                      /* Cater for the image name as first component. */
>>>>> -                    ++argc;
>>>>> +                    ++argv;
>>>>
>>>> We're on the argc == 0 and argv == NULL path here. Incrementing NULL is UB,
>>>> if I'm not mistaken.
>>>
>>> Not as far as I know. Why?
>>
>> Increment and decrement operators are like additions. For additions the 
>> standard
>> says: "For addition, either both operands shall have arithmetic type, or one
>> operand shall be a pointer to an object type and the other shall have integer
>> type." Neither of the alternatives is true for NULL.
>>
> 
> Yes and no. The expression here is not NULL + 1, but (CHAR16**)NULL +
> 1, hence the pointer has a type and so the expression is valid.
> 
>>> Some systems even can use NULL pointers as valid, like mmap.
>>
>> Right, but that doesn't make the use of NULL C-compliant.
>>
>>>>> @@ -402,7 +403,7 @@ static unsigned int __init get_argv(unsigned int 
>>>>> argc, CHAR16 **argv,
>>>>>          {
>>>>>              if ( cur_sep )
>>>>>                  ++ptr;
>>>>> -            else if ( argv )
>>>>> +            else if ( orig_argv )
>>>>>              {
>>>>>                  *ptr = *cmdline;
>>>>>                  *++ptr = 0;
>>>>> @@ -410,8 +411,8 @@ static unsigned int __init get_argv(unsigned int 
>>>>> argc, CHAR16 **argv,
>>>>>          }
>>>>>          else if ( !cur_sep )
>>>>>          {
>>>>> -            if ( !argv )
>>>>> -                ++argc;
>>>>> +            if ( !orig_argv )
>>>>> +                ++argv;
>>>>>              else if ( prev && wstrcmp(prev, L"--") == 0 )
>>>>>              {
>>>>>                  --argv;
>>>>
>>>> As per this, it looks like that on the 1st pass we may indeed overcount
>>>> arguments. But ...
>>>>
>>>
>>> I can use again argc if you prefer, not strong about it.
>>>
>>>>> @@ -428,9 +429,9 @@ static unsigned int __init get_argv(unsigned int 
>>>>> argc, CHAR16 **argv,
>>>>>          }
>>>>>          prev_sep = cur_sep;
>>>>>      }
>>>>> -    if ( argv )
>>>>> +    if ( orig_argv )
>>>>>          *argv = NULL;
>>>>> -    return argc;
>>>>> +    return argv - orig_argv;
>>>>>  }
>>>>>
>>>>>  static EFI_FILE_HANDLE __init get_parent_handle(const EFI_LOADED_IMAGE 
>>>>> *loaded_image,
>>>>> @@ -1348,8 +1349,8 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE 
>>>>> ImageHandle,
>>>>>                                    (argc + 1) * sizeof(*argv) +
>>>>>                                        loaded_image->LoadOptionsSize,
>>>>>                                    (void **)&argv) == EFI_SUCCESS )
>>>>> -            get_argv(argc, argv, loaded_image->LoadOptions,
>>>>> -                     loaded_image->LoadOptionsSize, &offset, &options);
>>>>> +            argc = get_argv(argc, argv, loaded_image->LoadOptions,
>>>>> +                            loaded_image->LoadOptionsSize, &offset, 
>>>>> &options);
>>>>
>>>> ... wouldn't this change alone cure that problem? And even that I don't
>>>> follow. Below here we have
>>>>
>>>>         for ( i = 1; i < argc; ++i )
>>>>         {
>>>>             CHAR16 *ptr = argv[i];
>>>>
>>>>             if ( !ptr )
>>>>                 break;
>>>>
>>>> and the 2nd pass of get_argv() properly terminates the (possibly too large)
>>>> array with a NULL sentinel. So I wonder what it is that I'm overlooking and
>>>> that is broken.
>>>
>>> I realized that because I got a crash, not just by looking at the code.
>>>
>>> The string was something like "-- a b c d":
>>
>> That's in the "plain command line" case or the LOAD_OPTIONS one? In the
>> former case the image name should come first, aiui. And in the latter case
>> the 2nd pass sets argv[0] to NULL very early, increments the pointer, and
>> hence at the bottom of the function argv[1] would also be set to NULL.
>> Aiui at least, i.e. ...
>>
>>> - the first get_argv call produces a 5 argc;
>>> - you allocate space for 6 pointers and length of the entire string to copy;
>>> - the parser writes a single pointer in argv and returns still 5 as argc;
>>> - returned argc is ignored;
>>> - code "for (i = 1; i < argc; ++i)" starts accessing argv[1] which is
>>> not initialized, in case of garbage you dereference garbage.
>>
>> ... I don't see how argv[1] can hold garbage.
> 
> As I said, this happened as a crash during testing, not looking at the
> code. It's a plain string in LoadOptions, *offset is set to 0 so
> there's no initial set of argv[0]. argv[0] is set with the beginning
> of "--" but then when "--" is detected" argv is moved back to initial
> value and the terminator is written still in argv[0], so argv[1] is
> never written.

On the 1st pass, which path does get_argv() take? The one commented "Plain
command line, as usually passed by the EFI shell", or the EFI_LOAD_OPTION
one? From your reply above I suspect the former, but then the image name
is missing from that line. Which would look like a firmware bug then, and
hence (if so) would also want describing as such (which in particular
would mean no Fixes: tag).

I'm routinely running xen.efi from the EFI shell on at least two systems,
and I have never had any trouble passing "--" as the first option. Which
I don't do all the time, but every now and then a need for doing so did
arise.

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.