From: "Laszlo Ersek" <lersek@redhat.com>
To: Gerd Hoffmann <kraxel@redhat.com>, devel@edk2.groups.io
Cc: oliver@redhat.com, Jiewen Yao <jiewen.yao@intel.com>,
Ard Biesheuvel <ardb+tianocore@kernel.org>,
Sunil V L <sunilvl@ventanamicro.com>,
Andrei Warkentin <andrei.warkentin@intel.com>
Subject: Re: [edk2-devel] [PATCH v4 3/3] OvmfPkg/VirtNorFlashDxe: sanity-check variables
Date: Tue, 9 Jan 2024 10:04:51 +0100 [thread overview]
Message-ID: <58031d49-3ab0-8df7-ebfd-251aeb92eca0@redhat.com> (raw)
In-Reply-To: <20240108192123.42359-4-kraxel@redhat.com>
On 1/8/24 20:21, Gerd Hoffmann wrote:
> Extend the ValidateFvHeader function, additionally to the header checks
> walk over the list of variables and sanity check them.
>
> In case we find inconsistencies indicating variable store corruption
> return EFI_NOT_FOUND so the variable store will be re-initialized.
>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
> OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf | 1 +
> OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c | 139 +++++++++++++++++++-
> 2 files changed, 135 insertions(+), 5 deletions(-)
>
> diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf
> index 2a3d4a218e61..f549400280a1 100644
> --- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf
> +++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf
> @@ -34,6 +34,7 @@ [LibraryClasses]
> DxeServicesTableLib
> HobLib
> IoLib
> + SafeIntLib
> UefiBootServicesTableLib
> UefiDriverEntryPoint
> UefiLib
> diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c
> index 9a614ae4b24d..56148e9f1f95 100644
> --- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c
> +++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c
> @@ -12,6 +12,7 @@
> #include <Library/BaseMemoryLib.h>
> #include <Library/MemoryAllocationLib.h>
> #include <Library/PcdLib.h>
> +#include <Library/SafeIntLib.h>
> #include <Library/UefiLib.h>
>
> #include <Guid/NvVarStoreFormatted.h>
> @@ -185,11 +186,13 @@ ValidateFvHeader (
> IN NOR_FLASH_INSTANCE *Instance
> )
> {
> - UINT16 Checksum;
> - EFI_FIRMWARE_VOLUME_HEADER *FwVolHeader;
> - VARIABLE_STORE_HEADER *VariableStoreHeader;
> - UINTN VariableStoreLength;
> - UINTN FvLength;
> + UINT16 Checksum;
> + CONST EFI_FIRMWARE_VOLUME_HEADER *FwVolHeader;
> + CONST VARIABLE_STORE_HEADER *VariableStoreHeader;
> + UINTN VarOffset;
> + UINTN VariableStoreLength;
> + UINTN FvLength;
> + RETURN_STATUS Status;
(1) Status could have been moved in the "for" loop, AFAICT -- also
mentioned in my previous review --, but it's not a sticking point.
>
> FwVolHeader = (EFI_FIRMWARE_VOLUME_HEADER *)Instance->RegionBaseAddress;
>
> @@ -258,6 +261,132 @@ ValidateFvHeader (
> return EFI_NOT_FOUND;
> }
>
> + //
> + // check variables
> + //
> + DEBUG ((DEBUG_INFO, "%a: checking variables\n", __func__));
> + VarOffset = sizeof (*VariableStoreHeader);
> + for ( ; ;) {
> + UINTN VarHeaderEnd;
> + UINTN VarNameEnd;
> + UINTN VarEnd;
> + UINTN VarPadding;
> + CONST AUTHENTICATED_VARIABLE_HEADER *VarHeader;
> + CHAR16 *VarName;
(2) Should have noticed in my previous review: VarName could be
CONST-ified as well.
Totally minor.
> + CONST CHAR8 *VarState;
> +
> + Status = SafeUintnAdd (VarOffset, sizeof (*VarHeader), &VarHeaderEnd);
> + if (RETURN_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__));
> + return EFI_NOT_FOUND;
> + }
> +
> + if (VarHeaderEnd >= VariableStoreHeader->Size) {
> + DEBUG ((DEBUG_INFO, "%a: end of var list (no space left)\n", __func__));
> + break;
> + }
(3) I *still* don't understand this.
In the v3 discussion:
- we agreed that the ">" case was clearly unacceptable,
- and you convinced me that the "=" case was also unacceptable (because
that could only potentially accommodate a VAR_HEADER_VALID_ONLY state
header without subsequent space for name & data, and we agreed that a
var header like that, residing *permanently* in the varstore, was not
acceptable).
Fine: that's reason for keeping the unified ">=" condition. But my point
in turn (which you didn't reflect upon, and seem not to have addressed
in this patch) was that this condition means that the varstore is
*bogus*, and should be reformatted. In my previous review I recommended
that we replace the "break" here -- which leads to the function
returning EFI_SUCCESS -- with "return EFI_NOT_FOUND" -- which causes the
varstore to be reformatted.
And then, as I wrote, the only successful exit from the loop would be
the subsequent "break" below:
> +
> + VarHeader = (VOID *)((UINTN)VariableStoreHeader + VarOffset);
> + if (VarHeader->StartId != 0x55aa) {
> + DEBUG ((DEBUG_INFO, "%a: end of var list (no startid)\n", __func__));
> + break;
> + }
So: what's wrong with returning EFI_NOT_FOUND if
VarHeaderEnd >= VariableStoreHeader->Size
evaluates to true?
> +
> + VarName = NULL;
> + switch (VarHeader->State) {
> + // usage: State = VAR_HEADER_VALID_ONLY
> + case VAR_HEADER_VALID_ONLY:
> + VarState = "header-ok";
> + VarName = L"<unknown>";
> + break;
> +
> + // usage: State = VAR_ADDED
> + case VAR_ADDED:
> + VarState = "ok";
> + break;
> +
> + // usage: State &= VAR_IN_DELETED_TRANSITION
> + case VAR_ADDED &VAR_IN_DELETED_TRANSITION:
> + VarState = "del-in-transition";
> + break;
> +
> + // usage: State &= VAR_DELETED
> + case VAR_ADDED &VAR_DELETED:
> + case VAR_ADDED &VAR_DELETED &VAR_IN_DELETED_TRANSITION:
> + VarState = "deleted";
> + break;
> +
> + default:
> + DEBUG ((
> + DEBUG_ERROR,
> + "%a: invalid variable state: 0x%x\n",
> + __func__,
> + VarHeader->State
> + ));
> + return EFI_NOT_FOUND;
> + }
> +
> + Status = SafeUintnAdd (VarHeaderEnd, VarHeader->NameSize, &VarNameEnd);
> + if (RETURN_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__));
> + return EFI_NOT_FOUND;
> + }
> +
> + Status = SafeUintnAdd (VarNameEnd, VarHeader->DataSize, &VarEnd);
> + if (RETURN_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__));
> + return EFI_NOT_FOUND;
> + }
> +
> + if (VarEnd > VariableStoreHeader->Size) {
> + DEBUG ((
> + DEBUG_ERROR,
> + "%a: invalid variable size: 0x%Lx + 0x%Lx + 0x%x + 0x%x > 0x%x\n",
> + __func__,
> + (UINT64)VarOffset,
> + (UINT64)(sizeof (*VarHeader)),
> + VarHeader->NameSize,
> + VarHeader->DataSize,
> + VariableStoreHeader->Size
> + ));
> + return EFI_NOT_FOUND;
> + }
> +
> + if ((VarHeader->NameSize & 1) ||
(4) Minor: I don't understand why uncrustify does not catch this, but
the edk2 coding style requires us to spell this as
(VarHeader->NameSize & 1) != 0
to my understanding.
Apologies for not noticing it in my previous review.
> + (VarHeader->NameSize < 4))
> + {
> + DEBUG ((DEBUG_ERROR, "%a: invalid name size\n", __func__));
> + return EFI_NOT_FOUND;
> + }
> +
> + if (VarName == NULL) {
> + VarName = (VOID *)((UINTN)VariableStoreHeader + VarHeaderEnd);
> + if (VarName[VarHeader->NameSize / 2 - 1] != L'\0') {
> + DEBUG ((DEBUG_ERROR, "%a: name is not null terminated\n", __func__));
> + return EFI_NOT_FOUND;
> + }
> + }
> +
> + DEBUG ((
> + DEBUG_VERBOSE,
> + "%a: +0x%04Lx: name=0x%x data=0x%x guid=%g '%s' (%a)\n",
> + __func__,
> + (UINT64)VarOffset,
> + VarHeader->NameSize,
> + VarHeader->DataSize,
> + &VarHeader->VendorGuid,
> + VarName,
> + VarState
> + ));
> +
> + VarPadding = (4 - (VarEnd & 3)) & 3;
> + Status = SafeUintnAdd (VarEnd, VarPadding, &VarOffset);
> + if (RETURN_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__));
> + return EFI_NOT_FOUND;
> + }
> + }
> +
> return EFI_SUCCESS;
> }
>
- If you can explain the "break" under (3), I'm happy to R-b this patch
(and to merge this v4 series). The rest of my comments ((1), (2), (4))
doesn't justify a respin, in itself.
- If you decide to replace the "break" with "return EFI_NOT_FOUND" under
(3), then addressing the rest ((1), (2), (4)) would be nice, in v5.
Thanks!
Laszlo
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113435): https://edk2.groups.io/g/devel/message/113435
Mute This Topic: https://groups.io/mt/103605077/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/xyzzy [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
prev parent reply other threads:[~2024-01-09 9:04 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-08 19:21 [edk2-devel] [PATCH v4 0/3] OvmfPkg/VirtNorFlashDxe: sanity-check variables Gerd Hoffmann
2024-01-08 19:21 ` [edk2-devel] [PATCH v4 1/3] OvmfPkg/RiscVVirt: use gEfiAuthenticatedVariableGuid unconditionally Gerd Hoffmann
2024-01-09 7:33 ` Sunil V L
2024-01-09 8:27 ` Laszlo Ersek
2024-01-08 19:21 ` [edk2-devel] [PATCH v4 2/3] OvmfPkg/VirtNorFlashDxe: stop accepting gEfiVariableGuid Gerd Hoffmann
2024-01-09 8:30 ` Laszlo Ersek
2024-01-08 19:21 ` [edk2-devel] [PATCH v4 3/3] OvmfPkg/VirtNorFlashDxe: sanity-check variables Gerd Hoffmann
2024-01-09 9:04 ` Laszlo Ersek [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=58031d49-3ab0-8df7-ebfd-251aeb92eca0@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox