From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: mx.groups.io;
 dkim=missing; spf=pass (domain: redhat.com, ip: 209.132.183.28, mailfrom: lersek@redhat.com)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 by groups.io with SMTP; Tue, 03 Sep 2019 09:38:05 -0700
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 7A9003082128;
	Tue,  3 Sep 2019 16:38:04 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-140.ams2.redhat.com [10.36.116.140])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 558695DD6D;
	Tue,  3 Sep 2019 16:38:03 +0000 (UTC)
From: "Laszlo Ersek" <lersek@redhat.com>
To: edk2-devel-groups-io <devel@edk2.groups.io>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Dandan Bi <dandan.bi@intel.com>,
	Leif Lindholm <leif.lindholm@linaro.org>
Subject: [PATCH] ArmVirtPkg/PlatformBootManagerLib: unload image on EFI_SECURITY_VIOLATION
Date: Tue,  3 Sep 2019 18:38:01 +0200
Message-Id: <20190903163801.28652-1-lersek@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.42]); Tue, 03 Sep 2019 16:38:04 +0000 (UTC)
Content-Transfer-Encoding: quoted-printable

The LoadImage() boot service is a bit unusual in that it allocates
resources in a particular failure case; namely, it produces a valid
"ImageHandle" when it returns EFI_SECURITY_VIOLATION. This is supposed to
happen e.g. when Secure Boot verification fails for the image, but the
platform policy for the particular image origin (such as "fixed media" or
"removable media") is DEFER_EXECUTE_ON_SECURITY_VIOLATION. The return cod=
e
allows platform logic to selectively override the verification failure,
and launch the image nonetheless.

ArmVirtPkg/PlatformBootManagerLib does not override EFI_SECURITY_VIOLATIO=
N
for the kernel image loaded from fw_cfg -- any LoadImage() error is
considered fatal. When we simply treat EFI_SECURITY_VIOLATION like any
other LoadImage() error, we leak the resources associated with
"KernelImageHandle". From a resource usage perspective,
EFI_SECURITY_VIOLATION must be considered "success", and rolled back.

Implement this rollback, without breaking the proper "nesting" of error
handling jumps and labels.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1992
Fixes: 23d04b58e27b382bbd3f9b16ba9adb1cb203dad5
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---

Notes:
    Repo:   https://github.com/lersek/edk2.git
    Branch: ldimg_armvirt_bz1992

 ArmVirtPkg/Library/PlatformBootManagerLib/QemuKernel.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/QemuKernel.c b/Arm=
VirtPkg/Library/PlatformBootManagerLib/QemuKernel.c
index 3cc83e3b7b95..d3851fd75fa5 100644
--- a/ArmVirtPkg/Library/PlatformBootManagerLib/QemuKernel.c
+++ b/ArmVirtPkg/Library/PlatformBootManagerLib/QemuKernel.c
@@ -968,53 +968,60 @@ TryRunningQemuKernel (
=20
   //
   // Create a device path for the kernel image to be loaded from that wi=
ll call
   // back into our file system.
   //
   KernelDevicePath =3D FileDevicePath (FileSystemHandle, KernelBlob->Nam=
e);
   if (KernelDevicePath =3D=3D NULL) {
     DEBUG ((EFI_D_ERROR, "%a: failed to allocate kernel device path\n",
       __FUNCTION__));
     Status =3D EFI_OUT_OF_RESOURCES;
     goto UninstallProtocols;
   }
=20
   //
   // Load the image. This should call back into our file system.
   //
   Status =3D gBS->LoadImage (
                   FALSE,             // BootPolicy: exact match required
                   gImageHandle,      // ParentImageHandle
                   KernelDevicePath,
                   NULL,              // SourceBuffer
                   0,                 // SourceSize
                   &KernelImageHandle
                   );
   if (EFI_ERROR (Status)) {
     DEBUG ((EFI_D_ERROR, "%a: LoadImage(): %r\n", __FUNCTION__, Status))=
;
-    goto FreeKernelDevicePath;
+    if (Status !=3D EFI_SECURITY_VIOLATION) {
+      goto FreeKernelDevicePath;
+    }
+    //
+    // From the resource allocation perspective, EFI_SECURITY_VIOLATION =
means
+    // "success", so we must roll back the image loading.
+    //
+    goto UnloadKernelImage;
   }
=20
   //
   // Construct the kernel command line.
   //
   Status =3D gBS->OpenProtocol (
                   KernelImageHandle,
                   &gEfiLoadedImageProtocolGuid,
                   (VOID **)&KernelLoadedImage,
                   gImageHandle,                  // AgentHandle
                   NULL,                          // ControllerHandle
                   EFI_OPEN_PROTOCOL_GET_PROTOCOL
                   );
   ASSERT_EFI_ERROR (Status);
=20
   if (CommandLineBlob->Data =3D=3D NULL) {
     KernelLoadedImage->LoadOptionsSize =3D 0;
   } else {
     //
     // Verify NUL-termination of the command line.
     //
     if (CommandLineBlob->Data[CommandLineBlob->Size - 1] !=3D '\0') {
       DEBUG ((EFI_D_ERROR, "%a: kernel command line is not NUL-terminate=
d\n",
         __FUNCTION__));
       Status =3D EFI_PROTOCOL_ERROR;
       goto UnloadKernelImage;
--=20
2.19.1.3.g30247aa5d201