NetBSD-Bugs archive


kern/58075: efi_bootdp memory corrupted by OpenProtocol on some machines



>Number:         58075
>Category:       kern
>Synopsis:       efi_bootdp memory corrupted by OpenProtocol on some machines
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Mar 24 18:35:00 +0000 2024
>Originator:     Taylor R Campbell
>Release:        current
>Organization:
The EFINetBSD Foundation
>Environment:
>Description:
The call to EFI_BOOT_SERVICES::OpenProtocol in efi_net_probe invalidates efi_bootdp:

https://nxr.netbsd.org/xref/src/sys/stand/efiboot/efinet.c?r=1.9#380

efi_net_probe (before OpenProtocol): Type=3 SubType=11 Length=37 @ 0xF896D698
  xx xx xx xx xx xx 00 00  00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
  01 03 0C 1B 00

efi_net_probe (after OpenProtocol): Type=24 SubType=214 Length=63638 @ 0xF896D698
  00 00 00 00 B8 13 8A F8  00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
  ...

After this happens, logic later on in efi_block_probe sometimes goes into an infinite loop in efi_device_path_depth trying to operate on the now-invalid efi_bootdp.

In revision 1.7, rin@ changed it to discard efi_bootdp after calling OpenProtocol:

> MI efiboot: Stop using efi_bootdp after exclusive open for PXE
> 
> Once boot device is exclusively opened for Simple Network Protocol,
> further access via device path (efi_bootdp) is illegal.
> 
> For some implementations, boot device path gets corrupted by
> exclusive open, and subsequent access by efi_device_path_depth(),
> e.g., causes infinite recursion.
> 
> Fix PXE boot for QEMU/aarch64 with EDK2 on some Linux distributions.
> 
> Thanks yamaguchi@ for comments and tests.

https://nxr.netbsd.org/diff/src/sys/stand/efiboot/efinet.c?r2=%2Fsrc%2Fsys%2Fstand%2Fefiboot%2Fefinet.c%401.7&r1=%2Fsrc%2Fsys%2Fstand%2Fefiboot%2Fefinet.c%401.6

However, it was reverted in 1.9, leaving efi_bootdp invalid and regressing to the bug with an infinite loop in efi_device_path_depth:

> MI efiboot: Revert "Stop using efi_bootdp after exclusive open for PXE"
> 
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/stand/efiboot/efinet.c#rev1.7
> 
> Some UEFI implementations pass multiple boot options as boot device path,
> and NULL-clearing it results in boot failures.
> 
> Thanks skrll@ for pointing it out. 

https://nxr.netbsd.org/diff/src/sys/stand/efiboot/efinet.c?r2=%2Fsrc%2Fsys%2Fstand%2Fefiboot%2Fefinet.c%401.9&r1=%2Fsrc%2Fsys%2Fstand%2Fefiboot%2Fefinet.c%401.8
>How-To-Repeat:
boot on a Socionext SynQuacer
>Fix:
Yes, please!
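The failure mode described in this PR, worked through in C as an added example that is not part of the PR or of NetBSD's efiboot: a device path whose node header has been overwritten, so that an unbounded walker in the spirit of efi_device_path_depth() never reaches an end node. The example puts that naive walker beside a bounded one that rejects any node whose Length is below the 4-byte header (the offset would stop advancing) or past the end of the buffer (it would read out of bounds), and adds a helper that copies the path before the exclusive open so later code never touches memory the firmware may reuse. The node layout is constructed after the dumps above (MAC node Type 3/SubType 11 Length 37, IPv4 node Type 3/SubType 12 Length 27, and the bogus Type=24 SubType=214 Length=63638 header); the MAC bytes, the dp_* function names and the copy-before-open approach are this example's own, not the project's code or its fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* EFI_DEVICE_PATH_PROTOCOL node header: Type, SubType, 16-bit LE Length (incl. header). */
#define DP_HDR_LEN		4
#define DP_END_TYPE		0x7f
#define DP_END_ENTIRE_SUBTYPE	0xff
#define DP_NODE_LEN(n)	((uint16_t)((n)[2] | ((n)[3] << 8)))
#define DP_IS_END(n)	((n)[0] == DP_END_TYPE && (n)[1] == DP_END_ENTIRE_SUBTYPE)

/*
 * Naive walker in the spirit of efi_device_path_depth().  On zeroed memory
 * Length is 0, the pointer never advances and this never returns: only call
 * it on a path known to be intact.
 */
static int
dp_depth_naive(const uint8_t *dp)
{
	int depth = 0;
	for (; !DP_IS_END(dp); dp += DP_NODE_LEN(dp))
		depth++;
	return depth;
}

/*
 * Checked walker, bounded by the buffer holding the path: rejects a Length
 * below the header size (would stall) or past the buffer end (would overrun).
 * Returns the count of non-end nodes, or -1 if malformed; *sizep (if non-NULL)
 * receives the path size including the end node.
 */
static int
dp_walk_checked(const uint8_t *dp, size_t bufsize, size_t *sizep)
{
	size_t off = 0;
	int depth = 0;
	for (;;) {
		if (bufsize - off < DP_HDR_LEN)
			return -1;
		if (DP_IS_END(dp + off)) {
			if (sizep != NULL)
				*sizep = off + DP_HDR_LEN;
			return depth;
		}
		uint16_t len = DP_NODE_LEN(dp + off);
		if (len < DP_HDR_LEN || len > bufsize - off)
			return -1;
		off += len;
		depth++;
	}
}

/* Private copy of the path, to take *before* the exclusive OpenProtocol.  NULL if malformed. */
static uint8_t *
dp_dup(const uint8_t *dp, size_t bufsize, size_t *sizep)
{
	size_t sz;
	uint8_t *copy;
	if (dp_walk_checked(dp, bufsize, &sz) < 0 || (copy = malloc(sz)) == NULL)
		return NULL;
	memcpy(copy, dp, sz);
	if (sizep != NULL)
		*sizep = sz;
	return copy;
}

/* Constructed samples shaped like the report's dumps (not captured bytes). */
/* Intact: MAC node (Type 3/SubType 11, Length 37) + IPv4 node (3/12, Length 27) + end node. */
static const uint8_t intact_path[68] = {
	[0] = 0x03, [1] = 0x0b, [2] = 0x25, [3] = 0x00,
	[4] = 0x00, [5] = 0x11, [6] = 0x22, [7] = 0x33, [8] = 0x44, [9] = 0x55,
	[36] = 0x01,		/* IfType; bytes 10..35 pad the 32-byte MAC field */
	[37] = 0x03, [38] = 0x0c, [39] = 0x1b, [40] = 0x00,
	[64] = 0x7f, [65] = 0xff, [66] = 0x04, [67] = 0x00,
};
/* Same buffer with a bogus header like the report's Type=24 SubType=214 Length=63638. */
static const uint8_t clobbered_path[68] = { [0] = 0x18, [1] = 0xd6, [2] = 0x96, [3] = 0xf8 };
/* Same buffer zero-filled: Length 0, the case that spins the naive walker. */
static const uint8_t zeroed_path[68];

int
main(void)
{
	size_t sz;
	/* Snapshot first, then the exclusive open, then only ever use the copy. */
	uint8_t *saved = dp_dup(intact_path, sizeof intact_path, &sz);
	if (saved == NULL)
		return 1;
	/* ... BS->OpenProtocol(..., EFI_OPEN_PROTOCOL_EXCLUSIVE) would go here ... */
	printf("intact: naive %d, copy %d; clobbered: %d; zeroed: %d\n",
	    dp_depth_naive(intact_path), dp_walk_checked(saved, sz, NULL),
	    dp_walk_checked(clobbered_path, sizeof clobbered_path, NULL),
	    dp_walk_checked(zeroed_path, sizeof zeroed_path, NULL));
	free(saved);
	return 0;
}
```

The bounded walker needs to know how much memory the path occupies; dp_dup gets that by walking the path once while it is still intact, before anything has been opened exclusively, and afterwards only the private copy is ever walked. Run against the clobbered and zeroed buffers, dp_walk_checked returns -1 where the naive walker would overrun or loop forever.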


