From beec6834544d8288d34ef0cd8e3c40aa890a8a10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vincent=20Stehl=C3=A9?=
Date: Tue, 27 Jan 2026 17:18:43 +0100
Subject: efi_loader: fix use after free in efi_exit() with tcg2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The efi_exit() function frees the loaded image memory by calling efi_delete_image(). However, when CONFIG_EFI_TCG2_PROTOCOL is enabled, the image_obj->image_type structure member is accessed after the memory has been freed. Fix this by performing the tcg2 measurement before the image deletion.
Fixes: 8fc4e0b4273a ("efi_loader: add boot variable measurement")
Suggested-by: Ilias Apalodimas
Signed-off-by: Vincent Stehlé
Cc: Heinrich Schuchardt
Cc: Tom Rini
Cc: Masahisa Kojima
Acked-by: Masahisa Kojima
Reviewed-by: Heinrich Schuchardt
---
 lib/efi_loader/efi_boottime.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
(limited to 'lib')
diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c
index ddc935d2240..b424d924896 100644
--- a/lib/efi_loader/efi_boottime.c
+++ b/lib/efi_loader/efi_boottime.c
@@ -3494,12 +3494,6 @@ static efi_status_t EFIAPI efi_exit(efi_handle_t image_handle,
 if (ret != EFI_SUCCESS)
 EFI_PRINT("%s: out of memory\n", __func__);
 }
- /* efi_delete_image() frees image_obj. Copy before the call. */
- exit_jmp = image_obj->exit_jmp;
- *image_obj->exit_status = exit_status;
- if (image_obj->image_type == IMAGE_SUBSYSTEM_EFI_APPLICATION ||
- exit_status != EFI_SUCCESS)
- efi_delete_image(image_obj, loaded_image_protocol);
 if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) {
 if (image_obj->image_type == IMAGE_SUBSYSTEM_EFI_APPLICATION) {
@@ -3510,6 +3504,13 @@ static efi_status_t EFIAPI efi_exit(efi_handle_t image_handle,
 }
 }
+ /* efi_delete_image() frees image_obj. Copy before the call. */
+ exit_jmp = image_obj->exit_jmp;
+ *image_obj->exit_status = exit_status;
+ if (image_obj->image_type == IMAGE_SUBSYSTEM_EFI_APPLICATION ||
+ exit_status != EFI_SUCCESS)
+ efi_delete_image(image_obj, loaded_image_protocol);
+
 /* Make sure entry/exit counts for EFI world cross-overs match */
 EFI_EXIT(exit_status);
-- cgit v1.2.3
From 32b835ccf3db8ae393c1ff27a9a367f7b6edd78f Mon Sep 17 00:00:00 2001
From: Pranav Tilak
Date: Mon, 2 Feb 2026 17:07:17 +0530
Subject: efi_loader: Improve EFI variable load message
Change the EFI variable load message from log_err() to log_info() with neutral wording. The previous "Failed to load" message caused customer confusion as it appeared to indicate an error condition. The efi_var_from_file() function deliberately returns EFI_SUCCESS in this case to allow the boot process to continue normally. This is documented in the function's comment block but was not reflected in the log message level or content. The message now uses informational wording to reflect that this is normal behavior when the ubootefi.var file does not yet exist.
Signed-off-by: Pranav Tilak
Reviewed-by: Heinrich Schuchardt
---
 lib/efi_loader/efi_var_file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib')
diff --git a/lib/efi_loader/efi_var_file.c b/lib/efi_loader/efi_var_file.c
index ba0bf33ffbd..f23a964a418 100644
--- a/lib/efi_loader/efi_var_file.c
+++ b/lib/efi_loader/efi_var_file.c
@@ -173,7 +173,7 @@ efi_status_t efi_var_from_file(void)
 r = fs_read(EFI_VAR_FILE_NAME, map_to_sysmem(buf), 0, EFI_VAR_BUF_SIZE, &len);
 if (r || len < sizeof(struct efi_var_file)) {
- log_err("Failed to load EFI variables\n");
+ log_info("No EFI variables loaded\n");
 goto error;
 }
 if (buf->length != len || efi_var_restore(buf, false) != EFI_SUCCESS)
-- cgit v1.2.3
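Review bot: The relocated block still leaves `image_obj` dangling after `efi_delete_image(image_obj, loaded_image_protocol);` while the variable stays in scope for the rest of efi_exit(), which is exactly the shape that produced the use-after-free this commit fixes, and nothing in the new code stops a later dereference from being reintroduced. Consider bracing the conditional and adding `image_obj = NULL;` right after the delete call, so a future access fails deterministically instead of reading freed pool memory. The existing comment could also state the rule rather than just the mechanics: `/* efi_delete_image() frees image_obj; nothing below may dereference it. */`. efi_exit() begins before this hunk and continues after EFI_EXIT(); whether anything after that point still touches image_obj is not visible here.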
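Review bot: The downgraded message on the changed line still covers two distinct conditions, because the guard `if (r || len < sizeof(struct efi_var_file))` fires both when fs_read() fails (the expected first-boot case the commit message describes) and when the file exists but is shorter than its own header, i.e. truncated or corrupt; after this change the second case is reported as "No EFI variables loaded" at info level and boot proceeds with an empty store. For a file-backed variable store that may carry Secure Boot keys, silently dropping existing content deserves a louder signal than a file that was never written. I would keep `log_info("No EFI variables loaded\n");` for the `r` case and use `log_warning("EFI variable file is too short, ignoring it\n");` when `r == 0`, i.e. split the one log call into `if (r) log_info(...); else log_warning(...);`. Whether fs_read() lets `r` distinguish a missing file from other I/O errors is not visible here; if it does, the same split applies there too. efi_var_from_file() begins before this hunk and continues past it.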
From e94d0bd82761b7b41bc061368a11684f19130954 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vincent=20Stehl=C3=A9?=
Date: Tue, 3 Feb 2026 13:59:41 +0100
Subject: efi_loader: fix efi_debug_image_info_normal allocation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When adding a new EFI Debug Image Info entry, we allocate memory for a new EFI Debug Image Info Normal structure and we add a new entry into the EFI Debug Image Info Table, which is in fact just a pointer to the allocated structure. However, when allocating memory for the new structure we allocate memory for the wrong type, leading to allocating memory for just a pointer instead of the desired structure. Fix the type used during allocation.
Fixes: 146546138af5 ("efi: add EFI_DEBUG_IMAGE_INFO for debug")
Signed-off-by: Vincent Stehlé
Cc: Heinrich Schuchardt
Cc: Ilias Apalodimas
Cc: Tom Rini
Cc: Ying-Chun Liu (PaulLiu)
Reviewed-by: Heinrich Schuchardt
---
 lib/efi_loader/efi_debug_support.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib')
diff --git a/lib/efi_loader/efi_debug_support.c b/lib/efi_loader/efi_debug_support.c
index 490b0bb7088..8d0c133871e 100644
--- a/lib/efi_loader/efi_debug_support.c
+++ b/lib/efi_loader/efi_debug_support.c
@@ -111,7 +111,7 @@ efi_status_t efi_core_new_debug_image_info_entry(u32 image_info_type,
 /* Allocate data for new entry. */
 ret = efi_allocate_pool(EFI_BOOT_SERVICES_DATA,
- sizeof(union efi_debug_image_info),
+ sizeof(struct efi_debug_image_info_normal),
 (void **)(&(*table)[index].normal_image));
 if (ret == EFI_SUCCESS && (*table)[index].normal_image) {
 /* Update the entry. */
-- cgit v1.2.3
From 36e321b487a9ac73c2dfb9cbaadb0244f70f66fb Mon Sep 17 00:00:00 2001
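Review bot: The replacement line still spells the size as a named type, `sizeof(struct efi_debug_image_info_normal)`, which is the same pattern that let the original pick the wrong type and, per the commit message, allocate a pointer-sized object that was then populated as a full structure, a heap overflow in boot-services pool memory. Deriving the size from the destination, `sizeof(*(*table)[index].normal_image),`, ties the allocation to the pointee type and makes this class of mismatch impossible to reintroduce silently. A one-line comment on the call would also help the next reader: `/* Size of the pointee, not of the table entry, which is only a pointer. */`. efi_core_new_debug_image_info_entry() starts before this hunk and continues after it, so whether every field of the newly allocated structure is initialised later, and whether efi_allocate_pool() zeroes the memory, is not visible here.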
From: =?UTF-8?q?Vincent=20Stehl=C3=A9?=
Date: Thu, 5 Feb 2026 17:40:12 +0100
Subject: efi_net: add missing EFI_CALL in efi_net
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The efi_reinstall_protocol_interface() function is a UEFI function; make sure to call it from within U-Boot using the EFI_CALL() macro. This fixes the following assertion: lib/efi_loader/efi_boottime.c:3752: efi_reinstall_protocol_interface: Assertion `__efi_entry_check()' failed. To reproduce the issue, define LOG_DEBUG in lib/efi_loader/efi_boottime.c and build u-boot for your platform. Then, boot the U-Boot helloworld.efi application over the network. Example commands (adjust the URL and boot entry number): => efidebug boot add -u 0 net http://10.0.2.2:8000/helloworld.efi => efidebug boot order 0 => bootefi bootmgr
Fixes: dd5d82a59995 ("efi_loader: efi_net: Add device path cache")
Signed-off-by: Vincent Stehlé
Cc: Heinrich Schuchardt
Cc: Ilias Apalodimas
Cc: Tom Rini
Cc: Adriano Cordova
Reviewed-by: Heinrich Schuchardt
---
 lib/efi_loader/efi_net.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'lib')
diff --git a/lib/efi_loader/efi_net.c b/lib/efi_loader/efi_net.c
index 0f8a851e3f2..c2b85dac236 100644
--- a/lib/efi_loader/efi_net.c
+++ b/lib/efi_loader/efi_net.c
@@ -1024,8 +1024,10 @@ efi_status_t efi_netobj_set_dp(struct efi_net_obj *netobj, struct efi_device_pat
 goto add;
 // If it is already installed, try to update it
- ret = efi_reinstall_protocol_interface(&netobj->header, &efi_guid_device_path,
- phandler->protocol_interface, new_net_dp);
+ ret = EFI_CALL(efi_reinstall_protocol_interface(&netobj->header,
+ &efi_guid_device_path,
+ phandler->protocol_interface,
+ new_net_dp));
 if (ret != EFI_SUCCESS)
 return ret;
-- cgit v1.2.3
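Review bot: The wrapped call carries no comment saying why the EFI_CALL() round trip is required, and the reason is not obvious from the code: efi_reinstall_protocol_interface() is a boot service that asserts `__efi_entry_check()` when entered directly from U-Boot context, which is the assertion quoted in the commit message. A one-liner above the call, `/* Boot service: enter via EFI_CALL() so the EFI entry/exit accounting stays balanced. */`, would stop the next maintainer from "simplifying" it back to a direct call. The `goto add` path a few lines up resolves outside this hunk; if it reaches a boot service directly it needs the same wrapper, which is worth a quick check. efi_netobj_set_dp() begins before this hunk and continues after it.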