Xen project Mailing List

[PATCH v2 1/2] EFI: avoid OOB config file reads

To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Date: Wed, 25 Mar 2026 14:24:02 +0100

Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=google header.d=suse.com header.i="@suse.com" header.h="Content-Transfer-Encoding:In-Reply-To:Autocrypt:Content-Language:References:Cc:To:From:Subject:User-Agent:MIME-Version:Date:Message-ID"

Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL

Cc: Marek Marczykowski <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, Daniel Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Delivery-date: Wed, 25 Mar 2026 13:24:07 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

The message emitted by pre_parse() pretty clearly states the original intention. Yet what it said wasn't done, and would have been unfriendly to the user. Hence accesses past the allocated buffer were possible. Insert a terminating NUL immediately past the data read, to then drop the no longer applicable message. NB: The iscntrl() check of just the last byte is more strict than what pre_parse() would accept without issuing its prior message, yet I'd like to keep the new logic reasonably simple. Config files shouldn't be huge, and we shouldn't be _that_ short of memory (or we'd fail elsewhere pretty soon). Fixes: bf6501a62e80 ("x86-64: EFI boot code") Reported-by: Kamil Frankowicz <kamil.frankowicz@xxxxxxx> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> --- Is the efi_arch_flush_dcache_area() really needed for config files? Else it could be in an "else" to the "if()" added to read_file(). And then, how is it guaranteed that data from the area isn't brought back into the cache (perhaps speculatively)? In read_section() we could further leverage section alignment padding (if present, and if filled with zeroes), to limit when to allocate and copy. Thoughts? --- v2: Entirely different approach. --- a/xen/common/efi/boot.c +++ b/xen/common/efi/boot.c @@ -833,8 +833,9 @@ static bool __init read_file(EFI_FILE_HA what = L"Allocation"; file->addr = min(1UL << (32 + PAGE_SHIFT), HYPERVISOR_VIRT_END - DIRECTMAP_VIRT_START); + /* For config files allocate an extra byte to put a NUL there. */ ret = efi_bs->AllocatePages(AllocateMaxAddress, EfiLoaderData, - PFN_UP(size), &file->addr); + PFN_UP(size + (file == &cfg)), &file->addr); if ( EFI_ERROR(ret) ) goto fail; @@ -853,6 +854,9 @@ static bool __init read_file(EFI_FILE_HA efi_arch_flush_dcache_area(file->ptr, file->size); + if ( file == &cfg ) + file->str[file->size] = 0; + return true; fail: @@ -878,6 +882,23 @@ static bool __init read_section(const EF file->ptr = ptr; + /* For cfg file, if necessary allocate space to put an extra NUL there. */ + if ( file == &cfg && file->size && !iscntrl(file->str[file->size - 1]) ) + { + EFI_PHYSICAL_ADDRESS addr; + EFI_STATUS ret = efi_bs->AllocatePages(AllocateMaxAddress, + EfiLoaderData, + PFN_UP(file->size + 1), &addr); + + if ( EFI_ERROR(ret) ) + return false; + + memcpy((void *)addr, ptr, file->size); + file->addr = addr; + file->need_to_free = true; + file->str[file->size] = 0; + } + handle_file_info(name, file, options); return true; @@ -906,9 +927,6 @@ static void __init pre_parse(const struc else start = 0; } - if ( file->size && end[-1] ) - PrintStr(L"No newline at end of config file," - " last line will be ignored.\r\n"); } static void __init init_secure_boot_mode(void)

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.