From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id 3B3727803CD for ; Tue, 9 Jan 2024 13:14:14 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=clYcJM15lwSwzaiHcSpdTSxwFq6c8QUsAe2Vev2qGDE=; c=relaxed/simple; d=groups.io; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:In-Reply-To:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Language:Content-Type:Content-Transfer-Encoding; s=20140610; t=1704806052; v=1; b=pMMZo3tqxCILt6A+46FCBW6iY2/d0SE6Dn9rbf7D3WjMgfQ5zcjaqBaAUct58nH7dm3njOcf cX3o61elnF/DbKlnrZWBD/P28NIIslG1X5SkpBnW8hZUaU7vwEwdixecRfZl9vvxnRCKRD2IMdP TwktHxW1LJD69MPnyKLOcBsE= X-Received: by 127.0.0.2 with SMTP id fShqYY7687511xB2yih61Z7z; Tue, 09 Jan 2024 05:14:12 -0800 X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.groups.io with SMTP id smtpd.web10.16474.1704806051977632141 for ; Tue, 09 Jan 2024 05:14:12 -0800 X-Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-425-8kgcrZotNye9bBNxJl8pAA-1; Tue, 09 Jan 2024 08:14:07 -0500 X-MC-Unique: 8kgcrZotNye9bBNxJl8pAA-1 X-Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 5C4561C06505; Tue, 9 Jan 2024 13:14:07 +0000 (UTC) X-Received: from [10.39.193.97] (unknown [10.39.193.97]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 265B83C39; Tue, 9 Jan 2024 13:14:06 +0000 (UTC) Message-ID: Date: Tue, 9 Jan 2024 14:14:05 +0100 MIME-Version: 1.0 Subject: Re: [edk2-devel] [PATCH v5 3/3] OvmfPkg/VirtNorFlashDxe: sanity-check variables To: devel@edk2.groups.io, kraxel@redhat.com Cc: Sunil V L , Jiewen Yao , oliver@redhat.com, Andrei Warkentin , Ard Biesheuvel References: <20240109112902.30002-1-kraxel@redhat.com> <20240109112902.30002-4-kraxel@redhat.com> From: "Laszlo Ersek" In-Reply-To: <20240109112902.30002-4-kraxel@redhat.com> X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.1 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: gqvVposmetRGQwTfqx1JAdTOx7686176AA= Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20140610 header.b=pMMZo3tq; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=redhat.com (policy=none); spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io On 1/9/24 12:29, Gerd Hoffmann wrote: > Extend the ValidateFvHeader function, additionally to the header checks > walk over the list of variables and sanity check them. > > In case we find inconsistencies indicating variable store corruption > return EFI_NOT_FOUND so the variable store will be re-initialized. > > Signed-off-by: Gerd Hoffmann > --- > OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf | 1 + > OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c | 147 +++++++++++++++++++- > 2 files changed, 143 insertions(+), 5 deletions(-) > > diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf b/OvmfPkg/VirtNo= rFlashDxe/VirtNorFlashDxe.inf > index 2a3d4a218e61..f549400280a1 100644 > --- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf > +++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf > @@ -34,6 +34,7 @@ [LibraryClasses] > DxeServicesTableLib > HobLib > IoLib > + SafeIntLib > UefiBootServicesTableLib > UefiDriverEntryPoint > UefiLib > diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c b/OvmfPkg/VirtNorF= lashDxe/VirtNorFlashFvb.c > index 9a614ae4b24d..ca2e40743dfd 100644 > --- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c > +++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c > @@ -12,6 +12,7 @@ > #include > #include > #include > +#include > #include > > #include > @@ -185,11 +186,12 @@ ValidateFvHeader ( > IN NOR_FLASH_INSTANCE *Instance > ) > { > - UINT16 Checksum; > - EFI_FIRMWARE_VOLUME_HEADER *FwVolHeader; > - VARIABLE_STORE_HEADER *VariableStoreHeader; > - UINTN VariableStoreLength; > - UINTN FvLength; > + UINT16 Checksum; > + CONST EFI_FIRMWARE_VOLUME_HEADER *FwVolHeader; > + CONST VARIABLE_STORE_HEADER *VariableStoreHeader; > + UINTN VarOffset; > + UINTN VariableStoreLength; > + UINTN FvLength; > > FwVolHeader =3D (EFI_FIRMWARE_VOLUME_HEADER *)Instance->RegionBaseAddr= ess; > > @@ -258,6 +260,141 @@ ValidateFvHeader ( > return EFI_NOT_FOUND; > } > > + // > + // check variables > + // > + DEBUG ((DEBUG_INFO, "%a: checking variables\n", __func__)); > + VarOffset =3D sizeof (*VariableStoreHeader); > + for ( ; ;) { > + UINTN VarHeaderEnd; > + UINTN VarNameEnd; > + UINTN VarEnd; > + UINTN VarPadding; > + CONST AUTHENTICATED_VARIABLE_HEADER *VarHeader; > + CONST CHAR16 *VarName; > + CONST CHAR8 *VarState; > + RETURN_STATUS Status; > + > + Status =3D SafeUintnAdd (VarOffset, sizeof (*VarHeader), &VarHeaderE= nd); > + if (RETURN_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__)); > + return EFI_NOT_FOUND; > + } > + > + if (VarHeaderEnd >=3D VariableStoreHeader->Size) { > + if (VarOffset <=3D VariableStoreHeader->Size - sizeof (UINT16)) { > + CONST UINT16 *StartId =3D (VOID *)((UINTN)VariableStoreHeader += VarOffset); > + if (*StartId =3D=3D 0x55aa) { > + DEBUG ((DEBUG_ERROR, "%a: startid at invalid location\n", __fu= nc__)); > + return EFI_NOT_FOUND; > + } > + } > + > + DEBUG ((DEBUG_INFO, "%a: end of var list (no space left)\n", __fun= c__)); > + break; > + } I didn't think of this, but it certainly makes sense. Continues accepting trailing garbage, unless the tail starts with 0x55aa, which indicates that it's indeed either a truncated variable header, or one that's not truncated, but just fits (and has no room for subsequent name/data). Furthermore, we consider "VariableStoreHeader->Size" trusted & valid here, therefore the subtraction of sizeof (UINT16) is not supposed to wrap under. (The field is documented with: "Size of entire variable store, including size of variable store header but not including the size of FvHeader". The varstore hdr structure is larger than 2 bytes.) Reviewed-by: Laszlo Ersek Nit: to my knowledge, the coding style forbids initialization of "auto" storage class variables (more commonly put, "non-static local variables"). IOW, we should spell the above as: | diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c b/OvmfPkg/VirtNorF= lashDxe/VirtNorFlashFvb.c | index ca2e40743dfd..8fcd999ac6df 100644 | --- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c | +++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlashFvb.c | @@ -283,7 +283,9 @@ ValidateFvHeader ( | | if (VarHeaderEnd >=3D VariableStoreHeader->Size) { | if (VarOffset <=3D VariableStoreHeader->Size - sizeof (UINT16)) { | - CONST UINT16 *StartId =3D (VOID *)((UINTN)VariableStoreHeader += VarOffset); | + CONST UINT16 *StartId; | + | + StartId =3D (VOID *)((UINTN)VariableStoreHeader + VarOffset); | if (*StartId =3D=3D 0x55aa) { | DEBUG ((DEBUG_ERROR, "%a: startid at invalid location\n", __fu= nc__)); | return EFI_NOT_FOUND; Do you want me to fix up the patch upon merge for you, or do you prefer posting v6? (Again, I'm not sure why uncrustify accepts the code as-is... Of course if the coding style has changed meanwhile, and the local's initialization now counts as valid style, then I can merge this verbatim.) Thanks Laszlo > + > + VarHeader =3D (VOID *)((UINTN)VariableStoreHeader + VarOffset); > + if (VarHeader->StartId !=3D 0x55aa) { > + DEBUG ((DEBUG_INFO, "%a: end of var list (no startid)\n", __func__= )); > + break; > + } > + > + VarName =3D NULL; > + switch (VarHeader->State) { > + // usage: State =3D VAR_HEADER_VALID_ONLY > + case VAR_HEADER_VALID_ONLY: > + VarState =3D "header-ok"; > + VarName =3D L""; > + break; > + > + // usage: State =3D VAR_ADDED > + case VAR_ADDED: > + VarState =3D "ok"; > + break; > + > + // usage: State &=3D VAR_IN_DELETED_TRANSITION > + case VAR_ADDED &VAR_IN_DELETED_TRANSITION: > + VarState =3D "del-in-transition"; > + break; > + > + // usage: State &=3D VAR_DELETED > + case VAR_ADDED &VAR_DELETED: > + case VAR_ADDED &VAR_DELETED &VAR_IN_DELETED_TRANSITION: > + VarState =3D "deleted"; > + break; > + > + default: > + DEBUG (( > + DEBUG_ERROR, > + "%a: invalid variable state: 0x%x\n", > + __func__, > + VarHeader->State > + )); > + return EFI_NOT_FOUND; > + } > + > + Status =3D SafeUintnAdd (VarHeaderEnd, VarHeader->NameSize, &VarName= End); > + if (RETURN_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__)); > + return EFI_NOT_FOUND; > + } > + > + Status =3D SafeUintnAdd (VarNameEnd, VarHeader->DataSize, &VarEnd); > + if (RETURN_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__)); > + return EFI_NOT_FOUND; > + } > + > + if (VarEnd > VariableStoreHeader->Size) { > + DEBUG (( > + DEBUG_ERROR, > + "%a: invalid variable size: 0x%Lx + 0x%Lx + 0x%x + 0x%x > 0x%x\n= ", > + __func__, > + (UINT64)VarOffset, > + (UINT64)(sizeof (*VarHeader)), > + VarHeader->NameSize, > + VarHeader->DataSize, > + VariableStoreHeader->Size > + )); > + return EFI_NOT_FOUND; > + } > + > + if (((VarHeader->NameSize & 1) !=3D 0) || > + (VarHeader->NameSize < 4)) > + { > + DEBUG ((DEBUG_ERROR, "%a: invalid name size\n", __func__)); > + return EFI_NOT_FOUND; > + } > + > + if (VarName =3D=3D NULL) { > + VarName =3D (VOID *)((UINTN)VariableStoreHeader + VarHeaderEnd); > + if (VarName[VarHeader->NameSize / 2 - 1] !=3D L'\0') { > + DEBUG ((DEBUG_ERROR, "%a: name is not null terminated\n", __func= __)); > + return EFI_NOT_FOUND; > + } > + } > + > + DEBUG (( > + DEBUG_VERBOSE, > + "%a: +0x%04Lx: name=3D0x%x data=3D0x%x guid=3D%g '%s' (%a)\n", > + __func__, > + (UINT64)VarOffset, > + VarHeader->NameSize, > + VarHeader->DataSize, > + &VarHeader->VendorGuid, > + VarName, > + VarState > + )); > + > + VarPadding =3D (4 - (VarEnd & 3)) & 3; > + Status =3D SafeUintnAdd (VarEnd, VarPadding, &VarOffset); > + if (RETURN_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "%a: integer overflow\n", __func__)); > + return EFI_NOT_FOUND; > + } > + } > + > return EFI_SUCCESS; > } > -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113447): https://edk2.groups.io/g/devel/message/113447 Mute This Topic: https://groups.io/mt/103617812/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/leave/12367111/7686176/19134562= 12/xyzzy [rebecca@openfw.io] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-