[PATCH 5.5 regression fix 0/2] efi/libstub: Fix mixed-mode crash at boot

[PATCH 5.5 regression fix 0/2] efi/libstub: Fix mixed-mode crash at boot

[Hans de Goede]

Hi All,

Commit 0d95981438c3 ("x86: efi/random: Invoke EFI_RNG_PROTOCOL to seed the UEFI RNG table")
causes drivers/efi/libstub/random.c to be used on x86 for the first time
and some of the code in that file does not deal properly with mixed-mode
setups causing a crash at boot on mixed-mode devices.

The first patch in this series fixes this and is the regression-fix from
$subject.

While looking into this I did a quick search for other cases of the same
problem in the libstub code and I found the same issue in the handling of
LILO-style file= kernel commandline arguments, which I guess are not
used that often because AFAICT we have no bug report for these not working
in mixed-mode. The second patch fixes this, this is a pre-existing problem
and not a 5.5 regression, still we should probably also include this fix
in 5.5.

Regards,

Hans

[PATCH 5.5 regression fix 1/2] efi/libstub/random: Initialize pointer variables to zero for mixed mode

[Hans de Goede]

Commit 0d95981438c3 ("x86: efi/random: Invoke EFI_RNG_PROTOCOL to seed the
UEFI RNG table"), causes the drivers/efi/libstub/random.c code to get used
on x86 for the first time.

But this code was not written with EFI mixed mode in mind (running a 64
bit kernel on 32 bit EFI firmware), this causes the kernel to crash during
early boot when running in mixed mode.

The problem is that in mixed mode pointers are 64 bit, but when running on
a 32 bit firmware, EFI calls which return a pointer value by reference only
fill the lower 32 bits of the passed pointer, leaving the upper 32 bits
uninitialized which leads to crashes.

This commit fixes this by initializing pointers which are passed by
reference to EFI calls to NULL before passing them, so that the upper 32
bits are initialized to 0.

Fixes: 0d95981438c3 ("x86: efi/random: Invoke EFI_RNG_PROTOCOL to seed the UEFI RNG table")
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
 drivers/firmware/efi/libstub/random.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/firmware/efi/libstub/random.c b/drivers/firmware/efi/libstub/random.c
index 35edd7cfb6a1..97378cf96a2e 100644
--- a/drivers/firmware/efi/libstub/random.c
+++ b/drivers/firmware/efi/libstub/random.c
@@ -33,7 +33,7 @@ efi_status_t efi_get_random_bytes(efi_system_table_t *sys_table_arg,
 {
 	efi_guid_t rng_proto = EFI_RNG_PROTOCOL_GUID;
 	efi_status_t status;
-	struct efi_rng_protocol *rng;
+	struct efi_rng_protocol *rng = NULL;
 
 	status = efi_call_early(locate_protocol, &rng_proto, NULL,
 				(void **)&rng);
@@ -162,8 +162,8 @@ efi_status_t efi_random_get_seed(efi_system_table_t *sys_table_arg)
 	efi_guid_t rng_proto = EFI_RNG_PROTOCOL_GUID;
 	efi_guid_t rng_algo_raw = EFI_RNG_ALGORITHM_RAW;
 	efi_guid_t rng_table_guid = LINUX_EFI_RANDOM_SEED_TABLE_GUID;
-	struct efi_rng_protocol *rng;
-	struct linux_efi_random_seed *seed;
+	struct efi_rng_protocol *rng = NULL;
+	struct linux_efi_random_seed *seed = NULL;
 	efi_status_t status;
 
 	status = efi_call_early(locate_protocol, &rng_proto, NULL,
-- 
2.23.0

[PATCH 5.5 regression fix 2/2] efi/libstub/helper: Initialize pointer variables to zero for mixed mode

[Hans de Goede]

When running in EFI mixed mode (running a 64 bit kernel on 32 bit EFI
firmware), we _must_ initialize any pointers which are returned by
reference by an EFI call to NULL before making the EFI call.

In mixed mode pointers are 64 bit, but when running on a 32 bit firmware,
EFI calls which return a pointer value by reference only fill the lower
32 bits of the passed pointer, leaving the upper 32 bits uninitialized
unless we explicitly set them to 0 before the call.

We have had this bug in the efi-stub-helper.c file reading code for
a while now, but this has likely not been noticed sofar because
this code only gets triggered when LILO style file=... arguments are
present on the kernel cmdline.

Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
 drivers/firmware/efi/libstub/efi-stub-helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
index e02579907f2e..6ca7d86743af 100644
--- a/drivers/firmware/efi/libstub/efi-stub-helper.c
+++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
@@ -365,7 +365,7 @@ static efi_status_t efi_file_size(efi_system_table_t *sys_table_arg, void *__fh,
 				  u64 *file_sz)
 {
 	efi_file_handle_t *h, *fh = __fh;
-	efi_file_info_t *info;
+	efi_file_info_t *info = NULL;
 	efi_status_t status;
 	efi_guid_t info_guid = EFI_FILE_INFO_ID;
 	unsigned long info_sz;
@@ -527,7 +527,7 @@ efi_status_t handle_cmdline_files(efi_system_table_t *sys_table_arg,
 				  unsigned long *load_addr,
 				  unsigned long *load_size)
 {
-	struct file_info *files;
+	struct file_info *files = NULL;
 	unsigned long file_addr;
 	u64 file_size_total;
 	efi_file_handle_t *fh = NULL;
-- 
2.23.0

Re: [PATCH 5.5 regression fix 1/2] efi/libstub/random: Initialize pointer variables to zero for mixed mode

[Ard Biesheuvel]

On Thu, 12 Dec 2019 at 11:32, Hans de Goede <hdegoede@redhat.com> wrote:
>
> Commit 0d95981438c3 ("x86: efi/random: Invoke EFI_RNG_PROTOCOL to seed the
> UEFI RNG table"), causes the drivers/efi/libstub/random.c code to get used
> on x86 for the first time.
>
> But this code was not written with EFI mixed mode in mind (running a 64
> bit kernel on 32 bit EFI firmware), this causes the kernel to crash during
> early boot when running in mixed mode.
>
> The problem is that in mixed mode pointers are 64 bit, but when running on
> a 32 bit firmware, EFI calls which return a pointer value by reference only
> fill the lower 32 bits of the passed pointer, leaving the upper 32 bits
> uninitialized which leads to crashes.
>
> This commit fixes this by initializing pointers which are passed by
> reference to EFI calls to NULL before passing them, so that the upper 32
> bits are initialized to 0.
>
> Fixes: 0d95981438c3 ("x86: efi/random: Invoke EFI_RNG_PROTOCOL to seed the UEFI RNG table")
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>

Thanks Hans.

I'm a bit annoyed with myself since I should have been able to catch
this in my QEMU tests and I didn't

I'll queue this (and the next patch) as a fix



> ---
>  drivers/firmware/efi/libstub/random.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/firmware/efi/libstub/random.c b/drivers/firmware/efi/libstub/random.c
> index 35edd7cfb6a1..97378cf96a2e 100644
> --- a/drivers/firmware/efi/libstub/random.c
> +++ b/drivers/firmware/efi/libstub/random.c
> @@ -33,7 +33,7 @@ efi_status_t efi_get_random_bytes(efi_system_table_t *sys_table_arg,
>  {
>         efi_guid_t rng_proto = EFI_RNG_PROTOCOL_GUID;
>         efi_status_t status;
> -       struct efi_rng_protocol *rng;
> +       struct efi_rng_protocol *rng = NULL;
>
>         status = efi_call_early(locate_protocol, &rng_proto, NULL,
>                                 (void **)&rng);
> @@ -162,8 +162,8 @@ efi_status_t efi_random_get_seed(efi_system_table_t *sys_table_arg)
>         efi_guid_t rng_proto = EFI_RNG_PROTOCOL_GUID;
>         efi_guid_t rng_algo_raw = EFI_RNG_ALGORITHM_RAW;
>         efi_guid_t rng_table_guid = LINUX_EFI_RANDOM_SEED_TABLE_GUID;
> -       struct efi_rng_protocol *rng;
> -       struct linux_efi_random_seed *seed;
> +       struct efi_rng_protocol *rng = NULL;
> +       struct linux_efi_random_seed *seed = NULL;
>         efi_status_t status;
>
>         status = efi_call_early(locate_protocol, &rng_proto, NULL,
> --
> 2.23.0
>

Re: [PATCH 5.5 regression fix 2/2] efi/libstub/helper: Initialize pointer variables to zero for mixed mode

[Ard Biesheuvel]

On Thu, 12 Dec 2019 at 11:32, Hans de Goede <hdegoede@redhat.com> wrote:
>
> When running in EFI mixed mode (running a 64 bit kernel on 32 bit EFI
> firmware), we _must_ initialize any pointers which are returned by
> reference by an EFI call to NULL before making the EFI call.
>
> In mixed mode pointers are 64 bit, but when running on a 32 bit firmware,
> EFI calls which return a pointer value by reference only fill the lower
> 32 bits of the passed pointer, leaving the upper 32 bits uninitialized
> unless we explicitly set them to 0 before the call.
>
> We have had this bug in the efi-stub-helper.c file reading code for
> a while now, but this has likely not been noticed sofar because
> this code only gets triggered when LILO style file=... arguments are
> present on the kernel cmdline.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> ---
>  drivers/firmware/efi/libstub/efi-stub-helper.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
> index e02579907f2e..6ca7d86743af 100644
> --- a/drivers/firmware/efi/libstub/efi-stub-helper.c
> +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
> @@ -365,7 +365,7 @@ static efi_status_t efi_file_size(efi_system_table_t *sys_table_arg, void *__fh,
>                                   u64 *file_sz)
>  {
>         efi_file_handle_t *h, *fh = __fh;

What about h? Doesn't it suffer from the same problem?

> -       efi_file_info_t *info;
> +       efi_file_info_t *info = NULL;
>         efi_status_t status;
>         efi_guid_t info_guid = EFI_FILE_INFO_ID;
>         unsigned long info_sz;

And info_sz?


> @@ -527,7 +527,7 @@ efi_status_t handle_cmdline_files(efi_system_table_t *sys_table_arg,
>                                   unsigned long *load_addr,
>                                   unsigned long *load_size)
>  {
> -       struct file_info *files;
> +       struct file_info *files = NULL;
>         unsigned long file_addr;
>         u64 file_size_total;
>         efi_file_handle_t *fh = NULL;
> --
> 2.23.0
>

Re: [PATCH 5.5 regression fix 0/2] efi/libstub: Fix mixed-mode crash at boot

[Dominik Brodowski]

On Thu, Dec 12, 2019 at 11:31:56AM +0100, Hans de Goede wrote:
> Hi All,
> 
> Commit 0d95981438c3 ("x86: efi/random: Invoke EFI_RNG_PROTOCOL to seed the UEFI RNG table")
> causes drivers/efi/libstub/random.c to be used on x86 for the first time
> and some of the code in that file does not deal properly with mixed-mode
> setups causing a crash at boot on mixed-mode devices.
> 
> The first patch in this series fixes this and is the regression-fix from
> $subject.

Sorry for the bug, and thanks for the bugfix!

	Dominik

Re: [PATCH 5.5 regression fix 2/2] efi/libstub/helper: Initialize pointer variables to zero for mixed mode

[Hans de Goede]

Hi,

On 12-12-2019 12:29, Ard Biesheuvel wrote:
> On Thu, 12 Dec 2019 at 11:32, Hans de Goede <hdegoede@redhat.com> wrote:
>>
>> When running in EFI mixed mode (running a 64 bit kernel on 32 bit EFI
>> firmware), we _must_ initialize any pointers which are returned by
>> reference by an EFI call to NULL before making the EFI call.
>>
>> In mixed mode pointers are 64 bit, but when running on a 32 bit firmware,
>> EFI calls which return a pointer value by reference only fill the lower
>> 32 bits of the passed pointer, leaving the upper 32 bits uninitialized
>> unless we explicitly set them to 0 before the call.
>>
>> We have had this bug in the efi-stub-helper.c file reading code for
>> a while now, but this has likely not been noticed sofar because
>> this code only gets triggered when LILO style file=... arguments are
>> present on the kernel cmdline.
>>
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
>> ---
>>   drivers/firmware/efi/libstub/efi-stub-helper.c | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
>> index e02579907f2e..6ca7d86743af 100644
>> --- a/drivers/firmware/efi/libstub/efi-stub-helper.c
>> +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
>> @@ -365,7 +365,7 @@ static efi_status_t efi_file_size(efi_system_table_t *sys_table_arg, void *__fh,
>>                                    u64 *file_sz)
>>   {
>>          efi_file_handle_t *h, *fh = __fh;
> 
> What about h? Doesn't it suffer from the same problem?
> 
>> -       efi_file_info_t *info;
>> +       efi_file_info_t *info = NULL;
>>          efi_status_t status;
>>          efi_guid_t info_guid = EFI_FILE_INFO_ID;
>>          unsigned long info_sz;
> 
> And info_sz?

You are right in both cases. I only checked allocate_pool and locate_protocol callers as those
are the usual suspects.

Shall I send a v2 of just this patch, or of the entire series, or are you going to
fix this up?

Regards,

Hans


> 
> 
>> @@ -527,7 +527,7 @@ efi_status_t handle_cmdline_files(efi_system_table_t *sys_table_arg,
>>                                    unsigned long *load_addr,
>>                                    unsigned long *load_size)
>>   {
>> -       struct file_info *files;
>> +       struct file_info *files = NULL;
>>          unsigned long file_addr;
>>          u64 file_size_total;
>>          efi_file_handle_t *fh = NULL;
>> --
>> 2.23.0
>>
> 

Re: [PATCH 5.5 regression fix 2/2] efi/libstub/helper: Initialize pointer variables to zero for mixed mode

[Hans de Goede]

Hi,

On 12-12-2019 12:29, Ard Biesheuvel wrote:
> On Thu, 12 Dec 2019 at 11:32, Hans de Goede <hdegoede@redhat.com> wrote:
>>
>> When running in EFI mixed mode (running a 64 bit kernel on 32 bit EFI
>> firmware), we _must_ initialize any pointers which are returned by
>> reference by an EFI call to NULL before making the EFI call.
>>
>> In mixed mode pointers are 64 bit, but when running on a 32 bit firmware,
>> EFI calls which return a pointer value by reference only fill the lower
>> 32 bits of the passed pointer, leaving the upper 32 bits uninitialized
>> unless we explicitly set them to 0 before the call.
>>
>> We have had this bug in the efi-stub-helper.c file reading code for
>> a while now, but this has likely not been noticed sofar because
>> this code only gets triggered when LILO style file=... arguments are
>> present on the kernel cmdline.
>>
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
>> ---
>>   drivers/firmware/efi/libstub/efi-stub-helper.c | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
>> index e02579907f2e..6ca7d86743af 100644
>> --- a/drivers/firmware/efi/libstub/efi-stub-helper.c
>> +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
>> @@ -365,7 +365,7 @@ static efi_status_t efi_file_size(efi_system_table_t *sys_table_arg, void *__fh,
>>                                    u64 *file_sz)
>>   {
>>          efi_file_handle_t *h, *fh = __fh;
> 
> What about h? Doesn't it suffer from the same problem?
> 
>> -       efi_file_info_t *info;
>> +       efi_file_info_t *info = NULL;
>>          efi_status_t status;
>>          efi_guid_t info_guid = EFI_FILE_INFO_ID;
>>          unsigned long info_sz;
> 
> And info_sz?

And "efi_file_io_interface_t *io" and "efi_file_handle_t *fh"
in efi_open_volume().

I think that is all of them.

Regards,

Hans

Re: [PATCH 5.5 regression fix 2/2] efi/libstub/helper: Initialize pointer variables to zero for mixed mode

[Ard Biesheuvel]

On Thu, 12 Dec 2019 at 13:45, Hans de Goede <hdegoede@redhat.com> wrote:
>
> Hi,
>
> On 12-12-2019 12:29, Ard Biesheuvel wrote:
> > On Thu, 12 Dec 2019 at 11:32, Hans de Goede <hdegoede@redhat.com> wrote:
> >>
> >> When running in EFI mixed mode (running a 64 bit kernel on 32 bit EFI
> >> firmware), we _must_ initialize any pointers which are returned by
> >> reference by an EFI call to NULL before making the EFI call.
> >>
> >> In mixed mode pointers are 64 bit, but when running on a 32 bit firmware,
> >> EFI calls which return a pointer value by reference only fill the lower
> >> 32 bits of the passed pointer, leaving the upper 32 bits uninitialized
> >> unless we explicitly set them to 0 before the call.
> >>
> >> We have had this bug in the efi-stub-helper.c file reading code for
> >> a while now, but this has likely not been noticed sofar because
> >> this code only gets triggered when LILO style file=... arguments are
> >> present on the kernel cmdline.
> >>
> >> Cc: stable@vger.kernel.org
> >> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> >> ---
> >>   drivers/firmware/efi/libstub/efi-stub-helper.c | 4 ++--
> >>   1 file changed, 2 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
> >> index e02579907f2e..6ca7d86743af 100644
> >> --- a/drivers/firmware/efi/libstub/efi-stub-helper.c
> >> +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
> >> @@ -365,7 +365,7 @@ static efi_status_t efi_file_size(efi_system_table_t *sys_table_arg, void *__fh,
> >>                                    u64 *file_sz)
> >>   {
> >>          efi_file_handle_t *h, *fh = __fh;
> >
> > What about h? Doesn't it suffer from the same problem?
> >
> >> -       efi_file_info_t *info;
> >> +       efi_file_info_t *info = NULL;
> >>          efi_status_t status;
> >>          efi_guid_t info_guid = EFI_FILE_INFO_ID;
> >>          unsigned long info_sz;
> >
> > And info_sz?
>
> And "efi_file_io_interface_t *io" and "efi_file_handle_t *fh"
> in efi_open_volume().
>
> I think that is all of them.
>

OK.

I'll fix it up locally.

Re: [PATCH 5.5 regression fix 2/2] efi/libstub/helper: Initialize pointer variables to zero for mixed mode

[Ard Biesheuvel]

On Thu, 12 Dec 2019 at 15:02, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>
> On Thu, 12 Dec 2019 at 13:45, Hans de Goede <hdegoede@redhat.com> wrote:
> >
> > Hi,
> >
> > On 12-12-2019 12:29, Ard Biesheuvel wrote:
> > > On Thu, 12 Dec 2019 at 11:32, Hans de Goede <hdegoede@redhat.com> wrote:
> > >>
> > >> When running in EFI mixed mode (running a 64 bit kernel on 32 bit EFI
> > >> firmware), we _must_ initialize any pointers which are returned by
> > >> reference by an EFI call to NULL before making the EFI call.
> > >>
> > >> In mixed mode pointers are 64 bit, but when running on a 32 bit firmware,
> > >> EFI calls which return a pointer value by reference only fill the lower
> > >> 32 bits of the passed pointer, leaving the upper 32 bits uninitialized
> > >> unless we explicitly set them to 0 before the call.
> > >>
> > >> We have had this bug in the efi-stub-helper.c file reading code for
> > >> a while now, but this has likely not been noticed sofar because
> > >> this code only gets triggered when LILO style file=... arguments are
> > >> present on the kernel cmdline.
> > >>
> > >> Cc: stable@vger.kernel.org
> > >> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> > >> ---
> > >>   drivers/firmware/efi/libstub/efi-stub-helper.c | 4 ++--
> > >>   1 file changed, 2 insertions(+), 2 deletions(-)
> > >>
> > >> diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
> > >> index e02579907f2e..6ca7d86743af 100644
> > >> --- a/drivers/firmware/efi/libstub/efi-stub-helper.c
> > >> +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
> > >> @@ -365,7 +365,7 @@ static efi_status_t efi_file_size(efi_system_table_t *sys_table_arg, void *__fh,
> > >>                                    u64 *file_sz)
> > >>   {
> > >>          efi_file_handle_t *h, *fh = __fh;
> > >
> > > What about h? Doesn't it suffer from the same problem?
> > >
> > >> -       efi_file_info_t *info;
> > >> +       efi_file_info_t *info = NULL;
> > >>          efi_status_t status;
> > >>          efi_guid_t info_guid = EFI_FILE_INFO_ID;
> > >>          unsigned long info_sz;
> > >
> > > And info_sz?
> >
> > And "efi_file_io_interface_t *io" and "efi_file_handle_t *fh"
> > in efi_open_volume().
> >
> > I think that is all of them.
> >
>
> OK.
>
> I'll fix it up locally.

Actually, I am going to drop this patch, and disable file loading
entirely for mixed mode. Your findings here prove it is unlikely that
it works on mixed mode systems today, and the
efi_file_handle_t::open() prototype is actually incompatible with
mixed mode, since it takes u64 arguments, which are marshalled
incorrectly by the thunking code (each function arg gets a 32-bit
stack slot for the 32-bit calling convention, which works fine for
pointers and smaller types, but it breaks for u64 since they require
two stack slots)