From: "Ard Biesheuvel"
To: devel@edk2.groups.io
Cc: jian.j.wang@intel.com, hao.a.wu@intel.com, ray.ni@intel.com, glin@suse.com, Ard Biesheuvel
Subject: [PATCH v2] MdeModulePkg/UefiBootManagerLib: fix crash on uninitialized ExitData
Date: Tue, 16 Apr 2019 23:40:47 -0700
Message-Id: <20190417064047.4676-1-ard.biesheuvel@linaro.org>
X-Mailer: git-send-email 2.17.1

As reported by Gary, the recent LoadImage/StartImage changes to accommodate
dispatching PE/COFF images built for foreign architectures may result in a
crash when loading an IA32 option ROM into an X64 VM running OVMF:

Loading driver at 0x0007E537000 EntryPoint=0x0007E53C06D 8086100e.efi
InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF 7F003B98
ProtectUefiImageCommon - 0x7F002BC0 - 0x000000007E537000 - 0x000000000009F900
Image type IA32 can't be started on X64 UEFI system.
ASSERT MdeModulePkg/Core/Dxe/Mem/Pool.c(698): Head->Signature == ((('p') | ('h' << 8)) | ((('d') | ('0' << 8)) << 16)) || Head->Signature == ((('p') | ('h' << 8)) | ((('d') | ('1' << 8)) << 16))

This turns out to be caused by the deferred image loading code in BDS, which
doesn't check the result code of gBS->StartImage(), and ends up trying to
free an uninitialized pointer.

Given that ExitData is never actually used, let's just get rid of it
entirely. While we're at it, drop the pointless assignment of Status as
well.

Tested-by: Gary Lin
Signed-off-by: Ard Biesheuvel
---
v2: drop ExitData entirely instead of initializing it to NULL

 MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c b/MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c
index fc8775dfa419..6b8fb4d92461 100644
--- a/MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c
+++ b/MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c @@ -439,8 +439,6 @@ EfiBootManagerDispatchDeferredImages ( UINTN ImageSize; BOOLEAN BootOption; EFI_HANDLE ImageHandle; - UINTN ExitDataSize; - CHAR16 *ExitData; UINTN ImageCount; UINTN LoadCount; @@ -502,10 +500,7 @@ EfiBootManagerDispatchDeferredImages ( // a 5 Minute period // gBS->SetWatchdogTimer (5 * 60, 0x0000, 0x00, NULL); - Status = gBS->StartImage (ImageHandle, &ExitDataSize, &ExitData); - if (ExitData != NULL) { - FreePool (ExitData); - } + gBS->StartImage (ImageHandle, NULL, NULL); // // Clear the Watchdog Timer after the image returns. -- 2.17.1
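Review bot: Removing the two locals in the first hunk (`UINTN ExitDataSize;` and `CHAR16 *ExitData;`) rather than initializing `ExitData` to NULL as v1 did is the more robust choice, because it leaves no buffer in EfiBootManagerDispatchDeferredImages that a later FreePool could receive uninitialized; the diffstat of 1 insertion and 6 deletions matches exactly these two hunks, so no other reference to the removed variables should remain in the function, but that is worth a grep before merging since only the two hunks are visible here.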
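Review bot: In the second hunk the EFI_STATUS from `gBS->StartImage (ImageHandle, NULL, NULL);` is now discarded entirely, so a start failure such as the "Image type IA32 can't be started on X64 UEFI system" case from the commit message is no longer observable at this call site; if the dispatcher should report deferred images that fail to start, keep `Status = gBS->StartImage (ImageHandle, NULL, NULL);` and log it with a DEBUG print rather than dropping the assignment. Passing NULL for both out-parameters is permitted, since ExitData is optional in EFI_BOOT_SERVICES.StartImage() and ExitDataSize may be NULL when ExitData is, and it removes the root cause: the old code tested and freed `ExitData` even when StartImage() failed before writing it, which is what handed a garbage pointer to FreePool and tripped the Pool.c signature ASSERT.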
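As an added illustration of the failure mode the commit message describes (this is not EDK2 code and not part of the patch), the following C model uses mock `MockStartImage`/`MockFreePool` routines and minimal stand-ins for the UEFI types; `STACK_GARBAGE` is a constructed value that plays the role of whatever the uninitialized local happened to hold, so the bad free becomes deterministic and observable instead of a crash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Minimal stand-ins for the UEFI types used by the patched code (not the real headers). */
typedef size_t   UINTN;
typedef uint64_t EFI_STATUS;
typedef uint16_t CHAR16;
#define EFI_SUCCESS     ((EFI_STATUS)0)
#define EFI_UNSUPPORTED ((EFI_STATUS)0x8000000000000003ULL)

/* Constructed value standing in for whatever an uninitialized local happens to hold. */
#define STACK_GARBAGE ((CHAR16 *)(uintptr_t)0xDEADBEEF)

static CHAR16  ExitBuf[] = { 'o', 'k', 0 };
static CHAR16 *LastFreed;   /* pointer handed to FreePool, NULL if it was never called */
static int     FreeCount;

/* Mock of gBS->StartImage(): like the real one on the IA32-on-X64 path, it
 * fails before it ever writes ExitDataSize/ExitData. Both out-params may be NULL. */
static EFI_STATUS MockStartImage(bool Supported, UINTN *ExitDataSize, CHAR16 **ExitData) {
  if (!Supported) return EFI_UNSUPPORTED;
  if (ExitData != NULL)     *ExitData = ExitBuf;
  if (ExitDataSize != NULL) *ExitDataSize = sizeof ExitBuf;
  return EFI_SUCCESS;
}

/* Mock FreePool(): records the pointer instead of freeing, so a bad free is observable. */
static void MockFreePool(void *Buffer) { LastFreed = Buffer; FreeCount++; }

/* Before the patch: ExitData is a local with no initializer; seeded with
 * STACK_GARBAGE here so the demo is deterministic. Returns what got "freed". */
CHAR16 *DispatchBefore(bool Supported) {
  UINTN   ExitDataSize;
  CHAR16 *ExitData = STACK_GARBAGE;
  LastFreed = NULL; FreeCount = 0;
  MockStartImage(Supported, &ExitDataSize, &ExitData);   /* status ignored */
  if (ExitData != NULL) MockFreePool(ExitData);          /* frees garbage on failure */
  return LastFreed;
}

/* After the v2 patch: no ExitData buffer is requested, so nothing is ever freed. */
CHAR16 *DispatchAfter(bool Supported) {
  LastFreed = NULL; FreeCount = 0;
  MockStartImage(Supported, NULL, NULL);
  return LastFreed;
}
```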