[PATCH v2] efi_loader: Fix memory corruption on 32bit systems

[PATCH v2] efi_loader: Fix memory corruption on 32bit systems

[Dan Carpenter]

The issue is this line:

	new_efi = efi_prepare_aligned_image(efi, (u64 *)&efi_size);

The efi_size variable is type size_t and on a 32 bit system that's 32
bits.  The u64 type is obviously 64 bits.  So we write 8 bytes to a 4
byte buffer which corrupts memory.

Fix this by changing the type of efi_prepare_aligned_image() to a
size_t pointer.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
v2: Change efi_prepare_aligned_image() instead of changing
efi_image_authenticate().  This is a cleaner way to fix the problem.

 include/efi_loader.h              | 2 +-
 lib/efi_loader/efi_image_loader.c | 4 ++--
 lib/efi_loader/efi_tcg2.c         | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/efi_loader.h b/include/efi_loader.h
index b5fa0fe01ded..9c1a9ed16af6 100644
--- a/include/efi_loader.h
+++ b/include/efi_loader.h
@@ -1022,7 +1022,7 @@ bool efi_secure_boot_enabled(void);
 
 bool efi_capsule_auth_enabled(void);
 
-void *efi_prepare_aligned_image(void *efi, u64 *efi_size);
+void *efi_prepare_aligned_image(void *efi, size_t *efi_size);
 
 bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp,
 		     WIN_CERTIFICATE **auth, size_t *auth_len);
diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c
index 26df0da16c93..64980008403b 100644
--- a/lib/efi_loader/efi_image_loader.c
+++ b/lib/efi_loader/efi_image_loader.c
@@ -313,7 +313,7 @@ static int cmp_pe_section(const void *arg1, const void *arg2)
  *
  * Return:	valid pointer to a image, return NULL if allocation fails.
  */
-void *efi_prepare_aligned_image(void *efi, u64 *efi_size)
+void *efi_prepare_aligned_image(void *efi, size_t *efi_size)
 {
 	size_t new_efi_size;
 	void *new_efi;
@@ -600,7 +600,7 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
 	if (!efi_secure_boot_enabled())
 		return true;
 
-	new_efi = efi_prepare_aligned_image(efi, (u64 *)&efi_size);
+	new_efi = efi_prepare_aligned_image(efi, &efi_size);
 	if (!new_efi)
 		return false;
 
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 49f8a5e77cbf..d57afd0c498b 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -882,7 +882,7 @@ out:
  *
  * Return:	status code
  */
-static efi_status_t tcg2_hash_pe_image(void *efi, u64 efi_size,
+static efi_status_t tcg2_hash_pe_image(void *efi, size_t efi_size,
 				       struct tpml_digest_values *digest_list)
 {
 	WIN_CERTIFICATE *wincerts = NULL;
-- 
2.39.2

Re: [PATCH v2] efi_loader: Fix memory corruption on 32bit systems

[Ilias Apalodimas]

Hi Dan, 

[...]

> @@ -313,7 +313,7 @@ static int cmp_pe_section(const void *arg1, const void *arg2)
>   *
>   * Return:	valid pointer to a image, return NULL if allocation fails.
>   */
> -void *efi_prepare_aligned_image(void *efi, u64 *efi_size)
> +void *efi_prepare_aligned_image(void *efi, size_t *efi_size)
>  {
>  	size_t new_efi_size;
>  	void *new_efi;
> @@ -600,7 +600,7 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
>  	if (!efi_secure_boot_enabled())
>  		return true;
>  
> -	new_efi = efi_prepare_aligned_image(efi, (u64 *)&efi_size);
> +	new_efi = efi_prepare_aligned_image(efi, &efi_size);
>  	if (!new_efi)
>  		return false;
>  
> diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
> index 49f8a5e77cbf..d57afd0c498b 100644
> --- a/lib/efi_loader/efi_tcg2.c
> +++ b/lib/efi_loader/efi_tcg2.c
> @@ -882,7 +882,7 @@ out:
>   *
>   * Return:	status code
>   */
> -static efi_status_t tcg2_hash_pe_image(void *efi, u64 efi_size,
> +static efi_status_t tcg2_hash_pe_image(void *efi, size_t efi_size,
>  				       struct tpml_digest_values *digest_list)

Unfortunately the rabbit hole is a bit deeper with this one.
tcg2_hash_pe_image() is called in 
- tcg2_measure_pe_image(). This one is called in efi_load_pe() and the type
  is indeed a size_t there, so that's fine
- efi_tcg2_hash_log_extend_event(), this one is different...
The function is described by the EFI spec [0] which mandates a u64... I
think that was the reason efi_prepare_aligned_image() is using a u64 to
begin with.  This one uses the size only though not the pointer, but in a
32bit platform it would truncate s size > UINT_MAX.

[0] https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf

Regards
/Ilias
>  {
>  	WIN_CERTIFICATE *wincerts = NULL;
> -- 
> 2.39.2
> 

Re: [PATCH v2] efi_loader: Fix memory corruption on 32bit systems

[Dan Carpenter]

On Thu, Jul 27, 2023 at 11:22:15AM +0300, Ilias Apalodimas wrote:
> Hi Dan, 
> 
> [...]
> 
> > @@ -313,7 +313,7 @@ static int cmp_pe_section(const void *arg1, const void *arg2)
> >   *
> >   * Return:	valid pointer to a image, return NULL if allocation fails.
> >   */
> > -void *efi_prepare_aligned_image(void *efi, u64 *efi_size)
> > +void *efi_prepare_aligned_image(void *efi, size_t *efi_size)
> >  {
> >  	size_t new_efi_size;
> >  	void *new_efi;
> > @@ -600,7 +600,7 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
> >  	if (!efi_secure_boot_enabled())
> >  		return true;
> >  
> > -	new_efi = efi_prepare_aligned_image(efi, (u64 *)&efi_size);
> > +	new_efi = efi_prepare_aligned_image(efi, &efi_size);
> >  	if (!new_efi)
> >  		return false;
> >  
> > diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
> > index 49f8a5e77cbf..d57afd0c498b 100644
> > --- a/lib/efi_loader/efi_tcg2.c
> > +++ b/lib/efi_loader/efi_tcg2.c
> > @@ -882,7 +882,7 @@ out:
> >   *
> >   * Return:	status code
> >   */
> > -static efi_status_t tcg2_hash_pe_image(void *efi, u64 efi_size,
> > +static efi_status_t tcg2_hash_pe_image(void *efi, size_t efi_size,
> >  				       struct tpml_digest_values *digest_list)
> 
> Unfortunately the rabbit hole is a bit deeper with this one.
> tcg2_hash_pe_image() is called in 
> - tcg2_measure_pe_image(). This one is called in efi_load_pe() and the type
>   is indeed a size_t there, so that's fine
> - efi_tcg2_hash_log_extend_event(), this one is different...
> The function is described by the EFI spec [0] which mandates a u64... I
> think that was the reason efi_prepare_aligned_image() is using a u64 to
> begin with.  This one uses the size only though not the pointer, but in a
> 32bit platform it would truncate s size > UINT_MAX.
> 
> [0] https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf

I have maybe misread something...  I don't think this is a real issue.
32bit systems aren't going to be able to allocate that much memory
anyway.  Also there are a lot of size_t parameters already so it's not
a new issue.

regards,
dan carpenter

Re: [PATCH v2] efi_loader: Fix memory corruption on 32bit systems

[Simon Glass]

Hi,

On Thu, 27 Jul 2023 at 08:36, Dan Carpenter <dan.carpenter@linaro.org> wrote:
>
> On Thu, Jul 27, 2023 at 11:22:15AM +0300, Ilias Apalodimas wrote:
> > Hi Dan,
> >
> > [...]
> >
> > > @@ -313,7 +313,7 @@ static int cmp_pe_section(const void *arg1, const void *arg2)
> > >   *
> > >   * Return: valid pointer to a image, return NULL if allocation fails.
> > >   */
> > > -void *efi_prepare_aligned_image(void *efi, u64 *efi_size)
> > > +void *efi_prepare_aligned_image(void *efi, size_t *efi_size)
> > >  {
> > >     size_t new_efi_size;
> > >     void *new_efi;
> > > @@ -600,7 +600,7 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
> > >     if (!efi_secure_boot_enabled())
> > >             return true;
> > >
> > > -   new_efi = efi_prepare_aligned_image(efi, (u64 *)&efi_size);
> > > +   new_efi = efi_prepare_aligned_image(efi, &efi_size);
> > >     if (!new_efi)
> > >             return false;
> > >
> > > diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
> > > index 49f8a5e77cbf..d57afd0c498b 100644
> > > --- a/lib/efi_loader/efi_tcg2.c
> > > +++ b/lib/efi_loader/efi_tcg2.c
> > > @@ -882,7 +882,7 @@ out:
> > >   *
> > >   * Return: status code
> > >   */
> > > -static efi_status_t tcg2_hash_pe_image(void *efi, u64 efi_size,
> > > +static efi_status_t tcg2_hash_pe_image(void *efi, size_t efi_size,
> > >                                    struct tpml_digest_values *digest_list)
> >
> > Unfortunately the rabbit hole is a bit deeper with this one.
> > tcg2_hash_pe_image() is called in
> > - tcg2_measure_pe_image(). This one is called in efi_load_pe() and the type
> >   is indeed a size_t there, so that's fine
> > - efi_tcg2_hash_log_extend_event(), this one is different...
> > The function is described by the EFI spec [0] which mandates a u64... I
> > think that was the reason efi_prepare_aligned_image() is using a u64 to
> > begin with.  This one uses the size only though not the pointer, but in a
> > 32bit platform it would truncate s size > UINT_MAX.
> >
> > [0] https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf
>
> I have maybe misread something...  I don't think this is a real issue.
> 32bit systems aren't going to be able to allocate that much memory
> anyway.  Also there are a lot of size_t parameters already so it's not
> a new issue.

We should really use ulong for addresses and malloc() sizes.

Regards,
Simon

Re: [PATCH v2] efi_loader: Fix memory corruption on 32bit systems

[Heinrich Schuchardt]

Am 28. Juli 2023 03:51:55 MESZ schrieb Simon Glass <sjg@google.com>:
>Hi,
>
>On Thu, 27 Jul 2023 at 08:36, Dan Carpenter <dan.carpenter@linaro.org> wrote:
>>
>> On Thu, Jul 27, 2023 at 11:22:15AM +0300, Ilias Apalodimas wrote:
>> > Hi Dan,
>> >
>> > [...]
>> >
>> > > @@ -313,7 +313,7 @@ static int cmp_pe_section(const void *arg1, const void *arg2)
>> > >   *
>> > >   * Return: valid pointer to a image, return NULL if allocation fails.
>> > >   */
>> > > -void *efi_prepare_aligned_image(void *efi, u64 *efi_size)
>> > > +void *efi_prepare_aligned_image(void *efi, size_t *efi_size)
>> > >  {
>> > >     size_t new_efi_size;
>> > >     void *new_efi;
>> > > @@ -600,7 +600,7 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
>> > >     if (!efi_secure_boot_enabled())
>> > >             return true;
>> > >
>> > > -   new_efi = efi_prepare_aligned_image(efi, (u64 *)&efi_size);
>> > > +   new_efi = efi_prepare_aligned_image(efi, &efi_size);
>> > >     if (!new_efi)
>> > >             return false;
>> > >
>> > > diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
>> > > index 49f8a5e77cbf..d57afd0c498b 100644
>> > > --- a/lib/efi_loader/efi_tcg2.c
>> > > +++ b/lib/efi_loader/efi_tcg2.c
>> > > @@ -882,7 +882,7 @@ out:
>> > >   *
>> > >   * Return: status code
>> > >   */
>> > > -static efi_status_t tcg2_hash_pe_image(void *efi, u64 efi_size,
>> > > +static efi_status_t tcg2_hash_pe_image(void *efi, size_t efi_size,
>> > >                                    struct tpml_digest_values *digest_list)
>> >
>> > Unfortunately the rabbit hole is a bit deeper with this one.
>> > tcg2_hash_pe_image() is called in
>> > - tcg2_measure_pe_image(). This one is called in efi_load_pe() and the type
>> >   is indeed a size_t there, so that's fine
>> > - efi_tcg2_hash_log_extend_event(), this one is different...
>> > The function is described by the EFI spec [0] which mandates a u64... I
>> > think that was the reason efi_prepare_aligned_image() is using a u64 to
>> > begin with.  This one uses the size only though not the pointer, but in a
>> > 32bit platform it would truncate s size > UINT_MAX.
>> >
>> > [0] https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf
>>
>> I have maybe misread something...  I don't think this is a real issue.
>> 32bit systems aren't going to be able to allocate that much memory
>> anyway.  Also there are a lot of size_t parameters already so it's not
>> a new issue.
>
>We should really use ulong for addresses and malloc() sizes.

Please, do not abuse long.

According to the C specification the size of long is independent of the size of pointers.

Addresses should be pointers and sizes should be size_t.

Best regards

Heinrich