From 5f9b53753118ade7b502bce9866ea527a8a86372 Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Sun, 27 Dec 2020 15:33:09 +0100 Subject: [PATCH 1/6] efi_loader: missing parentheses after if IS_ENABLED() contains parentheses. But we should still put extra parentheses around it in an if statement for readability. Signed-off-by: Heinrich Schuchardt --- lib/efi_loader/efi_boottime.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index 246b59d3b3..32bdb81914 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -2000,7 +2000,7 @@ static efi_status_t EFIAPI efi_exit_boot_services(efi_handle_t image_handle, } if (!efi_st_keep_devices) { - if IS_ENABLED(CONFIG_USB_DEVICE) + if (IS_ENABLED(CONFIG_USB_DEVICE)) udc_disconnect(); board_quiesce_devices(); dm_remove_devices_flags(DM_REMOVE_ACTIVE_ALL); From 9abb01af749f61de8467de05a27f7262fb1dec7b Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Sun, 27 Dec 2020 14:47:50 +0100 Subject: [PATCH 2/6] efi_loader: escape key handling Up to now the escape key was not correctly detected in UEFI applications. We had to hit it twice for a single escape to be recognized. Use a 10 ms delay to detect if we are dealing with the escape key or an escape sequence. Signed-off-by: Heinrich Schuchardt --- lib/efi_loader/efi_console.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/lib/efi_loader/efi_console.c b/lib/efi_loader/efi_console.c index 011accab78..705109596e 100644 --- a/lib/efi_loader/efi_console.c +++ b/lib/efi_loader/efi_console.c @@ -14,6 +14,7 @@ #include #include #include +#include #define EFI_COUT_MODE_2 2 #define EFI_MAX_COUT_MODE 3 @@ -688,6 +689,17 @@ static efi_status_t efi_cin_read_key(struct efi_key_data *key) switch (ch) { case 0x1b: + /* + * If a second key is received within 10 ms, assume that we are + * dealing with an escape sequence. Otherwise consider this the + * escape key being hit. 10 ms is long enough to work fine at + * 1200 baud and above. + */ + udelay(10000); + if (!tstc()) { + pressed_key.scan_code = 23; + break; + } /* * Xterm Control Sequences * https://www.xfree86.org/4.8.0/ctlseqs.html From e434311dbaf1e79b09ac01dce198499e328549f8 Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Sun, 27 Dec 2020 15:46:00 +0100 Subject: [PATCH 3/6] efi_loader: avoid invalid free load_options passed from do_efibootmgr() to do_bootefi_exec() may contain invalid data from the stack which will lead to an invalid free(). Fixes: 0ad64007feb9 ("efi_loader: set load options in boot manager") Signed-off-by: Heinrich Schuchardt --- lib/efi_loader/efi_bootmgr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/efi_loader/efi_bootmgr.c b/lib/efi_loader/efi_bootmgr.c index 61dc72a23d..d3be2f94c6 100644 --- a/lib/efi_loader/efi_bootmgr.c +++ b/lib/efi_loader/efi_bootmgr.c @@ -275,7 +275,7 @@ static efi_status_t try_load_entry(u16 n, efi_handle_t *handle, memcpy(*load_options, lo.optional_data, size); ret = efi_set_load_options(*handle, size, *load_options); } else { - load_options = NULL; + *load_options = NULL; } error: From 34dc4a9ec9bef5ec5291d61a18fa523260302108 Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Mon, 28 Dec 2020 00:59:09 +0100 Subject: [PATCH 4/6] efi_loader: efi_signal_event() fix comment typos Add missing commas. Signed-off-by: Heinrich Schuchardt --- lib/efi_loader/efi_boottime.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index 32bdb81914..417215a210 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -271,8 +271,8 @@ efi_status_t is_valid_tpl(efi_uintn_t tpl) * efi_signal_event() - signal an EFI event * @event: event to signal * - * This function signals an event. If the event belongs to an event group all - * events of the group are signaled. If they are of type EVT_NOTIFY_SIGNAL + * This function signals an event. If the event belongs to an event group, all + * events of the group are signaled. If they are of type EVT_NOTIFY_SIGNAL, * their notification function is queued. * * For the SignalEvent service see efi_signal_event_ext. From aeaf0e6d58093102aa35921c7bc6fcb0580504bd Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Mon, 28 Dec 2020 22:42:51 +0100 Subject: [PATCH 5/6] efi_loader: describe struct efi_loaded_image_obj Add the missing description of some fields of struct efi_loaded_image_obj. Signed-off-by: Heinrich Schuchardt --- include/efi_loader.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/efi_loader.h b/include/efi_loader.h index 3c68b85b68..dc3c6ac304 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -297,8 +297,10 @@ enum efi_image_auth_status { * @exit_status: exit status passed to Exit() * @exit_data_size: exit data size passed to Exit() * @exit_data: exit data passed to Exit() - * @exit_jmp: long jump buffer for returning form started image + * @exit_jmp: long jump buffer for returning from started image * @entry: entry address of the relocated image + * @image_type: indicates if the image is an applicition or a driver + * @auth_status: indicates if the image is authenticated */ struct efi_loaded_image_obj { struct efi_object header; From be48b0f453a3903e924a4f1790f134b9b36e5fa8 Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Mon, 28 Dec 2020 23:24:40 +0100 Subject: [PATCH 6/6] efi_loader: use after free in efi_exit() Do not use data from the loaded image object after deleting it. Fixes: 126a43f15b36 ("efi_loader: unload applications upon Exit()") Signed-off-by: Heinrich Schuchardt --- include/efi_loader.h | 4 ++-- lib/efi_loader/efi_boottime.c | 17 ++++++++++++----- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/include/efi_loader.h b/include/efi_loader.h index dc3c6ac304..0fc2255f3f 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -304,10 +304,10 @@ enum efi_image_auth_status { */ struct efi_loaded_image_obj { struct efi_object header; - efi_status_t exit_status; + efi_status_t *exit_status; efi_uintn_t *exit_data_size; u16 **exit_data; - struct jmp_buf_data exit_jmp; + struct jmp_buf_data *exit_jmp; EFIAPI efi_status_t (*entry)(efi_handle_t image_handle, struct efi_system_table *st); u16 image_type; diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index 417215a210..a89bdb3140 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -2899,6 +2899,8 @@ efi_status_t EFIAPI efi_start_image(efi_handle_t image_handle, efi_status_t ret; void *info; efi_handle_t parent_image = current_image; + efi_status_t exit_status; + struct jmp_buf_data exit_jmp; EFI_ENTRY("%p, %p, %p", image_handle, exit_data_size, exit_data); @@ -2920,9 +2922,11 @@ efi_status_t EFIAPI efi_start_image(efi_handle_t image_handle, image_obj->exit_data_size = exit_data_size; image_obj->exit_data = exit_data; + image_obj->exit_status = &exit_status; + image_obj->exit_jmp = &exit_jmp; /* call the image! */ - if (setjmp(&image_obj->exit_jmp)) { + if (setjmp(&exit_jmp)) { /* * We called the entry point of the child image with EFI_CALL * in the lines below. The child image called the Exit() boot @@ -2944,10 +2948,10 @@ efi_status_t EFIAPI efi_start_image(efi_handle_t image_handle, */ assert(__efi_entry_check()); EFI_PRINT("%lu returned by started image\n", - (unsigned long)((uintptr_t)image_obj->exit_status & + (unsigned long)((uintptr_t)exit_status & ~EFI_ERROR_MASK)); current_image = parent_image; - return EFI_EXIT(image_obj->exit_status); + return EFI_EXIT(exit_status); } current_image = image_handle; @@ -3130,6 +3134,7 @@ static efi_status_t EFIAPI efi_exit(efi_handle_t image_handle, struct efi_loaded_image *loaded_image_protocol; struct efi_loaded_image_obj *image_obj = (struct efi_loaded_image_obj *)image_handle; + struct jmp_buf_data *exit_jmp; EFI_ENTRY("%p, %ld, %zu, %p", image_handle, exit_status, exit_data_size, exit_data); @@ -3171,6 +3176,9 @@ static efi_status_t EFIAPI efi_exit(efi_handle_t image_handle, if (ret != EFI_SUCCESS) EFI_PRINT("%s: out of memory\n", __func__); } + /* efi_delete_image() frees image_obj. Copy before the call. */ + exit_jmp = image_obj->exit_jmp; + *image_obj->exit_status = exit_status; if (image_obj->image_type == IMAGE_SUBSYSTEM_EFI_APPLICATION || exit_status != EFI_SUCCESS) efi_delete_image(image_obj, loaded_image_protocol); @@ -3184,8 +3192,7 @@ static efi_status_t EFIAPI efi_exit(efi_handle_t image_handle, */ efi_restore_gd(); - image_obj->exit_status = exit_status; - longjmp(&image_obj->exit_jmp, 1); + longjmp(exit_jmp, 1); panic("EFI application exited"); out: