[PATCH] efi: Handle NULL return value when getting loaded image protocol

[PATCH] efi: Handle NULL return value when getting loaded image protocol

[Ard Biesheuvel]

The EFI spec mandates that the handle produced by the LoadImage boot
service has a LoadedImage protocol instance installed on it, but for
robustness, we should still deal with a NULL return value from the
helper routine that obtains this protocol pointer.

If this happens, don't try to start the image but unload it and return
an error.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 grub-core/loader/efi/linux.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
index 90ad1a7b82a76066..b434c56ae67d665e 100644
--- a/grub-core/loader/efi/linux.c
+++ b/grub-core/loader/efi/linux.c
@@ -214,6 +214,11 @@ grub_arch_efi_linux_boot_image (grub_addr_t addr, grub_size_t size, char *args)
 
   /* Convert command line to UCS-2 */
   loaded_image = grub_efi_get_loaded_image (image_handle);
+  if (loaded_image == NULL)
+    {
+      grub_error (GRUB_ERR_BAD_FIRMWARE, "missing loaded_image proto");
+      goto unload;
+    }
   loaded_image->load_options_size = len =
     (grub_strlen (args) + 1) * sizeof (grub_efi_char16_t);
   loaded_image->load_options =
@@ -228,6 +233,7 @@ grub_arch_efi_linux_boot_image (grub_addr_t addr, grub_size_t size, char *args)
   grub_dprintf ("linux", "starting image %p\n", image_handle);
   status = b->start_image (image_handle, 0, NULL);
 
+unload:
   /* When successful, not reached */
   b->unload_image (image_handle);
   grub_efi_free_pages ((grub_addr_t) loaded_image->load_options,
-- 
2.39.2

Re: [PATCH] efi: Handle NULL return value when getting loaded image protocol

[Ard Biesheuvel]

On Wed, 24 May 2023 at 19:15, Ard Biesheuvel <ardb@kernel.org> wrote:
>
> The EFI spec mandates that the handle produced by the LoadImage boot
> service has a LoadedImage protocol instance installed on it, but for
> robustness, we should still deal with a NULL return value from the
> helper routine that obtains this protocol pointer.
>
> If this happens, don't try to start the image but unload it and return
> an error.
>
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> ---
>  grub-core/loader/efi/linux.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
> index 90ad1a7b82a76066..b434c56ae67d665e 100644
> --- a/grub-core/loader/efi/linux.c
> +++ b/grub-core/loader/efi/linux.c
> @@ -214,6 +214,11 @@ grub_arch_efi_linux_boot_image (grub_addr_t addr, grub_size_t size, char *args)
>
>    /* Convert command line to UCS-2 */
>    loaded_image = grub_efi_get_loaded_image (image_handle);
> +  if (loaded_image == NULL)
> +    {
> +      grub_error (GRUB_ERR_BAD_FIRMWARE, "missing loaded_image proto");
> +      goto unload;
> +    }
>    loaded_image->load_options_size = len =
>      (grub_strlen (args) + 1) * sizeof (grub_efi_char16_t);
>    loaded_image->load_options =
> @@ -228,6 +233,7 @@ grub_arch_efi_linux_boot_image (grub_addr_t addr, grub_size_t size, char *args)
>    grub_dprintf ("linux", "starting image %p\n", image_handle);
>    status = b->start_image (image_handle, 0, NULL);
>
> +unload:

Uhm this is slightly bogus - apologies. The free_pages call still
dereferences loaded_image

I'll send a v2 right away.

>    /* When successful, not reached */
>    b->unload_image (image_handle);
>    grub_efi_free_pages ((grub_addr_t) loaded_image->load_options,
> --
> 2.39.2
>