u-boot.git/lib/efi_loader/efi_image_loader.c, branch next Unnamed repository; edit this file 'description' to name the repository. efi_loader: fix pe reloc pointer overrun 2025-01-05T01:30:48+00:00 Aleksandar Gerasimovski Aleksandar.Gerasimovski@belden.com 2024-11-29T21:09:44+00:00 463e4e6476299b32452a8a9e57374241cca26292 The fix provided by 997fc12ec91 is actually introducing a buffer overrun, and the overrun is effective if the memory after the reloc section is not zeroed. Probably that's why this bug is not always noticeable. The problem is that 8-bytes 'rel' pointer can be 4-bytes aligned according to the PE Format, so the actual relocate function can take values after the reloc section. One example is the following dump from the reloc section: bce26000: 3000 0000 000c 0000 0000 0000 0000 0000 bce26010: 7c00 9340 67e0 f900 1c00 0ea1 a400 0f20 This section has two relocations at offset bce26008 and bce2600a, however the given size (rel_size) for this relocation is 16-bytes and this is coming form the efi image Misc.VirtualSize, so in this case the 'reloc' pointer ends at affset bce2600c and is taken as valid and this is where the overflow is. In our system we see this problem when we are starting the Boot Guard efi image. This patch is fixing the overrun while preserving the fix done by 997fc12ec91. Signed-off-by: Aleksandar Gerasimovski <aleksandar.gerasimovski@belden.com> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
The fix provided by 997fc12ec91 is actually introducing
a buffer overrun, and the overrun is effective if the
memory after the reloc section is not zeroed.
Probably that's why this bug is not always noticeable.

The problem is that 8-bytes 'rel' pointer can be 4-bytes aligned
according to the PE Format, so the actual relocate function can
take values after the reloc section.

One example is the following dump from the reloc section:

    bce26000: 3000 0000 000c 0000 0000 0000 0000 0000
    bce26010: 7c00 9340 67e0 f900 1c00 0ea1 a400 0f20

This section has two relocations at offset bce26008 and bce2600a,
however the given size (rel_size) for this relocation is 16-bytes
and this is coming form the efi image Misc.VirtualSize, so in this
case the 'reloc' pointer ends at affset bce2600c and is taken as
valid and this is where the overflow is.

In our system we see this problem when we are starting the
Boot Guard efi image.

This patch is fixing the overrun while preserving the fix done
by 997fc12ec91.

Signed-off-by: Aleksandar Gerasimovski <aleksandar.gerasimovski@belden.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
sandbox: efi_loader: Correct use of addresses as pointers 2024-12-02T22:34:30+00:00 Simon Glass sjg@chromium.org 2024-11-27T17:17:19+00:00 e46e4d6fd7f969f0e60b0f54b69830da543b0d96 The cache-flush function is incorrect which causes a crash in the remoteproc tests with arm64. Fix both problems by using map_sysmem() to convert an address to a pointer and map_to_sysmem() to convert a pointer to an address. Also update the image-loader's cache-flushing logic. Signed-off-by: Simon Glass <sjg@chromium.org> Fixes: 3286d223fd7 ("sandbox: implement invalidate_icache_all()") Acked-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Changes in v6: - Re-introduce Changes in v2: - Drop message about EFI_LOADER arch/sandbox/cpu/cache.c | 8 +++++++- drivers/remoteproc/rproc-elf-loader.c | 18 +++++++++++------- lib/efi_loader/efi_image_loader.c | 3 ++- 3 files changed, 20 insertions(+), 9 deletions(-) Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
The cache-flush function is incorrect which causes a crash in the
remoteproc tests with arm64.

Fix both problems by using map_sysmem() to convert an address to a
pointer and map_to_sysmem() to convert a pointer to an address.

Also update the image-loader's cache-flushing logic.

Signed-off-by: Simon Glass <sjg@chromium.org>
Fixes: 3286d223fd7 ("sandbox: implement invalidate_icache_all()")
Acked-by: Heinrich Schuchardt <xypron.glpk@gmx.de>

Changes in v6:
- Re-introduce

Changes in v2:
- Drop message about EFI_LOADER

arch/sandbox/cpu/cache.c              |  8 +++++++-
 drivers/remoteproc/rproc-elf-loader.c | 18 +++++++++++-------
 lib/efi_loader/efi_image_loader.c     |  3 ++-
 3 files changed, 20 insertions(+), 9 deletions(-)

Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
lib: Remove duplicate newlines 2024-07-15T18:12:18+00:00 Marek Vasut marek.vasut+renesas@mailbox.org 2024-07-13T13:19:22+00:00 2f8c004a5ae51b9b88479f3a728c564c021f50c5 Drop all duplicate newlines. No functional change. Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org> 
Drop all duplicate newlines. No functional change.

Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
efi_loader: avoid duplicate weak invalidate_icache_all() 2024-06-19T19:10:23+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2024-06-16T17:31:05+00:00 19d41f495a24f112ed62c041d18e53334e1b791d If multiple weak implementations of a weak function exist, it is unclear which one the linker should chose. cmd/cache.c already defines a weak invalidate_icache_all(). We don't need a call to invalidate_icache_all() on x86. ARM, RISC-V, and Sandbox provide an implementation. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
If multiple weak implementations of a weak function exist, it is unclear
which one the linker should chose. cmd/cache.c already defines a weak
invalidate_icache_all().

We don't need a call to invalidate_icache_all() on x86.
ARM, RISC-V, and Sandbox provide an implementation.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
efi_loader: Remove <common.h> 2023-12-21T13:54:37+00:00 Tom Rini trini@konsulko.com 2023-12-14T18:16:55+00:00 c38cb227d39f8ce9983df8051f31dcc8466f311e We largely do not need <common.h> in these files, so drop it. The only exception here is that efi_freestanding.c needs <linux/types.h> and had been getting that via <common.h>. Reviewed-by: Simon Glass <sjg@chromium.org> Signed-off-by: Tom Rini <trini@konsulko.com> 
We largely do not need <common.h> in these files, so drop it. The only
exception here is that efi_freestanding.c needs <linux/types.h> and had
been getting that via <common.h>.

Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
efi_loader: Fix memory corruption on 32bit systems 2023-08-03T07:21:02+00:00 Dan Carpenter dan.carpenter@linaro.org 2023-07-26T06:54:52+00:00 829445382c196301309b7f12630c1e04a4986eba It's pretty unlikely that anyone is going to be using EFI authentication on a 32bit system. However, if you did, the efi_prepare_aligned_image() function would write 8 bytes of data to the &efi_size variable and it can only hold 4 bytes so that corrupts memory. Fixes: 163a0d7e2cbd ("efi_loader: add PE/COFF image measurement") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
It's pretty unlikely that anyone is going to be using EFI authentication
on a 32bit system.  However, if you did, the efi_prepare_aligned_image()
function would write 8 bytes of data to the &efi_size variable and it
can only hold 4 bytes so that corrupts memory.

Fixes: 163a0d7e2cbd ("efi_loader: add PE/COFF image measurement")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Correct SPL use of EFI_TCG2_PROTOCOL 2023-02-09T21:32:26+00:00 Simon Glass sjg@chromium.org 2023-02-05T22:39:46+00:00 07754cb0aece3e8d37637d77185f685f1cdfb404 This converts 1 usage of this option to the non-SPL form, since there is no SPL_EFI_TCG2_PROTOCOL defined in Kconfig Signed-off-by: Simon Glass <sjg@chromium.org> 
This converts 1 usage of this option to the non-SPL form, since there is
no SPL_EFI_TCG2_PROTOCOL defined in Kconfig

Signed-off-by: Simon Glass <sjg@chromium.org>
efi_loader: image_loader: add a missing digest verification for signed PE image 2022-07-05T12:37:16+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2022-07-05T05:48:14+00:00 634f6b2fb1056021fba603ccb7488d1864787576 At the last step of PE image authentication, an image's hash value must be compared with a message digest stored as the content (of SpcPeImageData type) of pkcs7's contentInfo. Fixes: commit 4540dabdcaca ("efi_loader: image_loader: support image authentication") Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
At the last step of PE image authentication, an image's hash value must be
compared with a message digest stored as the content (of SpcPeImageData type)
of pkcs7's contentInfo.

Fixes: commit 4540dabdcaca ("efi_loader: image_loader: support image authentication")
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
efi_loader: image_loader: replace EFI_PRINT with log macros 2022-07-05T12:37:16+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2022-07-05T05:48:13+00:00 b72d09fa7df75d56d2b618ce029bc8b001ed276b Now We are migrating from EFI_PRINT() to log macro's. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
Now We are migrating from EFI_PRINT() to log macro's.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
efi_loader: copy GUID in InstallProtocolInterface() 2022-03-12T11:27:07+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2022-03-09T18:56:23+00:00 66028930dac08f7116b5e3cdba35c3e65676c0cd InstallProtocolInterface() is called with a pointer to the protocol GUID. There is not guarantee that the memory used by the caller for the protocol GUID stays allocated. To play it safe the GUID should be copied to U-Boot's internal structures. Reported-by: Joerie de Gram <j.de.gram@gmail.com> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
InstallProtocolInterface() is called with a pointer to the protocol GUID.
There is not guarantee that the memory used by the caller for the protocol
GUID stays allocated. To play it safe the GUID should be copied to U-Boot's
internal structures.

Reported-by: Joerie de Gram <j.de.gram@gmail.com>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>