Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

regression: CopyMem() in ad8692e copies out of bounds #725

Merged
merged 1 commit into from
Feb 19, 2025
Merged

regression: CopyMem() in ad8692e copies out of bounds #725

merged 1 commit into from
Feb 19, 2025

Conversation

jsetje
Copy link
Collaborator

@jsetje jsetje commented Feb 19, 2025

The CopyMem() introduced in
ad8692e avoid EFIv2 runtime services on Apple x86 machines copies 100 CHAR16s no matter what. NX enabled firmware catches this and the boot breaks on those systems.

https://uefi.org/specs/UEFI/2.10/04_EFI_System_Table.html says that FirmwareVendor is a pointer to a null terminated string that identifies the vendor that produces the system firmware for the platform. If we can rely on it being null terminated then we don't need to copy the string at all.

@jsetje
Copy link
Collaborator Author

jsetje commented Feb 19, 2025

I'm not 100% sure that we can really count on the string being null terminated since other places also seem to just copy the first 100 char16s.

@jsetje @vathpela
regression: out of bounds read in CopyMem() in ad8692e
698f368 
The CopyMem() introduced in "ad8692e avoid EFIv2 runtime services on
Apple x86 machines" copies 100 CHAR16s no matter what. NX enabled
firmware catches this and the boot breaks on those systems when the
value is smaller than that and it's up against a page boundary with a
page that's not mapped as readable.

https://uefi.org/specs/UEFI/2.10/04_EFI_System_Table.html says
that FirmwareVendor is a pointer to a NUL terminated string that
identifies the vendor that produces the system firmware for the platform.

Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
vathpela
vathpela approved these changes Feb 19, 2025
View reviewed changes
Copy link
Contributor

@vathpela vathpela left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Jan and I have tested this and think it should work unless someone has done something truly unlikely with their string placement.

Which means we'll find out when someone has.

@vathpela vathpela merged commit 1294b47 into rhboot:main Feb 19, 2025
20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vathpela vathpela vathpela approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jsetje @vathpela