From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: jian.j.wang@intel.com, hao.a.wu@intel.com, ray.ni@intel.com, glin@suse.com, Ard Biesheuvel
Subject: [PATCH] MdeModulePkg/UefiBootManagerLib: fix crash on uninitialized ExitData
Date: Tue, 16 Apr 2019 13:29:35 -0700
Message-Id: <20190416202935.32297-1-ard.biesheuvel@linaro.org>

As reported by Gary, the recent LoadImage/StartImage changes to accommodate
dispatching PE/COFF images built for foreign architectures may result in a
crash when loading an IA32 option ROM into an X64 VM running OVMF:

  Loading driver at 0x0007E537000 EntryPoint=0x0007E53C06D 8086100e.efi
  InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF 7F003B98
  ProtectUefiImageCommon - 0x7F002BC0 - 0x000000007E537000 - 0x000000000009F900
  Image type IA32 can't be started on X64 UEFI system.
  ASSERT MdeModulePkg/Core/Dxe/Mem/Pool.c(698): Head->Signature == ((('p') | ('h' << 8)) | ((('d') | ('0' << 8)) << 16)) || Head->Signature == ((('p') | ('h' << 8)) | ((('d') | ('1' << 8)) << 16))

This turns out to be caused by the deferred image loading code in BDS, which
doesn't check the result code of gBS->StartImage(), and ends up trying to
free an uninitialized pointer. So ensure ExitData is initialized before the
call.

Signed-off-by: Ard Biesheuvel
---
 MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c b/MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c
index fc8775dfa419..cf99de5b924a 100644
--- a/MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c
+++ b/MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c
@@ -502,6 +502,7 @@ EfiBootManagerDispatchDeferredImages ( // a 5 Minute period // gBS->SetWatchdogTimer (5 * 60, 0x0000, 0x00, NULL); + ExitData = NULL; Status = gBS->StartImage (ImageHandle, &ExitDataSize, &ExitData); if (ExitData != NULL) { FreePool (ExitData); -- 2.17.1
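Review bot: the commit message attributes the crash to not checking the result code of gBS->StartImage(), but this hunk adds no such check, and that is the right call: an image that calls Exit() with an error status can still hand back an ExitData buffer that the caller must free, so gating FreePool on `!EFI_ERROR (Status)` would leak it. The actual defect is that StartImage leaves ExitData untouched when it fails early (the "Image type IA32 can't be started on X64 UEFI system" path), so the unchanged `if (ExitData != NULL)` test reads a stale stack value; the added `ExitData = NULL;` before `Status = gBS->StartImage (ImageHandle, &ExitDataSize, &ExitData);` closes exactly that window. Suggest rewording the commit message to say so, and initializing ExitDataSize the same way (`ExitDataSize = 0;`) so the size/pointer pair is never half-stale. Status is assigned in this hunk but nothing visible here consumes it; confirm the surrounding code uses it or drop the assignment.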
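To make the failure mode described in the commit message concrete, the following is an added C example; it is not part of this patch or of edk2. It mocks gBS->StartImage() and FreePool() with constructed stand-ins (mock_start_image, mock_free_pool, a hypothetical LOADED_IMAGE record, and a STALE_STACK_VALUE constant that stands in for whatever an uninitialized local contains), then runs the dispatch sequence both as the pre-patch caller and as the patched one. StartImage() fails early on the foreign-architecture image without writing ExitData, so the pre-patch caller hands a stale pointer to FreePool(), which is what the Pool.c signature ASSERT in the log catches.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the UEFI types and status macros used in
 * BmMisc.c. These are not the edk2 headers; they only reproduce the shape
 * of the StartImage() contract that matters here. */
typedef uintptr_t EFI_STATUS;
#define EFI_HIGH_BIT     ((EFI_STATUS)1 << (sizeof (EFI_STATUS) * 8 - 1))
#define EFI_SUCCESS      ((EFI_STATUS)0)
#define EFI_UNSUPPORTED  (EFI_HIGH_BIT | 3)
#define EFI_ERROR(s)     (((intptr_t)(s)) < 0)

enum { MACHINE_X64 = 0x8664, MACHINE_IA32 = 0x014c };  /* PE/COFF machine types */

typedef struct { int machine; } LOADED_IMAGE;  /* hypothetical minimal image record */

/* Tracking pool: remembers the last buffer the mock StartImage() handed out
 * and counts FreePool() calls on any other pointer, the analogue of the
 * Pool.c "Head->Signature" ASSERT in the crash log. */
static void *g_last_alloc;
static int   g_bad_free_count;

/* Mock of gBS->StartImage(): on the foreign-architecture path it fails early
 * and, like the real service, writes neither ExitDataSize nor ExitData.
 * Only an image that actually runs produces an ExitData buffer. */
static EFI_STATUS mock_start_image (LOADED_IMAGE *img, size_t *exit_size, char **exit_data) {
  if (img->machine != MACHINE_X64) {
    return EFI_UNSUPPORTED;  /* out-parameters deliberately untouched */
  }
  const char *msg = "driver exited";  /* constructed exit message */
  *exit_size = strlen (msg) + 1;
  *exit_data = malloc (*exit_size);
  memcpy (*exit_data, msg, *exit_size);
  g_last_alloc = *exit_data;
  return EFI_SUCCESS;
}

/* Mock of FreePool(): a real pool would ASSERT on a bogus header; here we count it. */
static void mock_free_pool (void *p) {
  if (p != NULL && p == g_last_alloc) {
    free (p);
    g_last_alloc = NULL;
  } else {
    g_bad_free_count++;
  }
}

/* Stand-in for whatever a never-written stack slot happens to contain.
 * Assigning it explicitly keeps the demo free of undefined behaviour while
 * still modelling the pre-patch caller. */
#define STALE_STACK_VALUE ((char *)0x7F002BC0)

/* The dispatch sequence from EfiBootManagerDispatchDeferredImages(), with
 * init_exit_data selecting the pre-patch (false) or patched (true) caller.
 * Returns 0 when the image started, -1 when StartImage() failed. */
int dispatch_image (LOADED_IMAGE *img, bool init_exit_data) {
  size_t      exit_size = 0;
  char       *exit_data = STALE_STACK_VALUE;   /* models the uninitialized local */
  EFI_STATUS  status;

  if (init_exit_data) {
    exit_data = NULL;                          /* the patch's one-line fix */
  }
  status = mock_start_image (img, &exit_size, &exit_data);
  if (exit_data != NULL) {                     /* unchanged check from BmMisc.c */
    mock_free_pool (exit_data);
  }
  return EFI_ERROR (status) ? -1 : 0;
}

/* Dispatch one image of the given machine type and report how many bogus
 * FreePool() calls it caused (0 means the caller behaved). */
int bad_frees_for (int machine, bool init_exit_data) {
  LOADED_IMAGE img = { machine };
  g_bad_free_count = 0;
  g_last_alloc     = NULL;
  (void) dispatch_image (&img, init_exit_data);
  return g_bad_free_count;
}

int main (void) {
  printf ("IA32 image, ExitData uninitialized: %d bogus free(s)\n", bad_frees_for (MACHINE_IA32, false));
  printf ("IA32 image, ExitData = NULL:        %d bogus free(s)\n", bad_frees_for (MACHINE_IA32, true));
  printf ("X64 image,  ExitData = NULL:        %d bogus free(s)\n", bad_frees_for (MACHINE_X64, true));
  return 0;
}
```

The X64 case passes with or without the initialization because a running image always overwrites ExitData; the IA32 case is the only one that exposes the stale pointer, which is why the bug surfaced only once foreign-architecture images started reaching StartImage().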