[Bug 1980023] Re: linux-azure-cvm: Properly reallocate the kernel image
Dimitri John Ledkov
1980023 at bugs.launchpad.net
Tue Jun 28 08:49:37 UTC 2022
> Ideally, this would have been fixed in systemd's EFI stub by setting
the virtual size of the .linux PE section to init_size, which would
cause the bootloader load the kernel into a buffer large enough, making
this additional relocation unnecessary.
I'm not too sure if that is a bug in systemd though. the kernel.efi (and
addition of .linux PE section) is never done by systemd, but by other
tooling (i.e. core-initrd / dracut / etc).
** Also affects: systemd (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1980023
Title:
linux-azure-cvm: Properly reallocate the kernel image
Status in linux-azure-cvm package in Ubuntu:
New
Status in systemd package in Ubuntu:
New
Status in linux-azure-cvm source package in Focal:
Fix Committed
Status in systemd source package in Focal:
New
Bug description:
[Impact]
The kernel header defines a field called init_size that specifies the
amount of memory that the kernel requires for the in-place
decompression, and the bootloader is expected to load the kernel into
a buffer of this size. This doesn't happen when using the systemd EFI
stub to load the kernel though - the kernel image is stored on disk in
a PE section with a virtual size no larger than the compressed size,
so it's loaded into memory by the bootloader into a buffer that's too
small for the in-place decompression. The initrd is loaded into memory
immediately after the kernel.
To work around this, the kernel's EFI stub allocates a new buffer of
init_size bytes and relocates the kernel image into it (21cb9b41:
"efi/x86: Always relocate the kernel for EFI handover entry"), but
this code has a bug - it copies init_size bytes from the source buffer
(ie, where the kernel image was loaded into memory by the bootloader)
to the new buffer. This ends up reading past the end of the .linux and
.initrd PE sections and all of the memory regions allocated by the
bootloader, resulting in an out of bounds read and causing problem
with Confidential VMs.
This is fixed by 688eb282: "efi/x86: Only copy the compressed kernel
image in efi_relocate_kernel()", which needs to be backported to the
kernel we provide for CVM. Ideally, this would have been fixed in
systemd's EFI stub by setting the virtual size of the .linux PE
section to init_size, which would cause the bootloader load the kernel
into a buffer large enough, making this additional relocation
unnecessary.
[Test Plan]
Tested by Microsoft and boot tested by me.
[Where problems could occur]
Decompression might fail if init_size is wrong causing the system to
not boot.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-azure-cvm/+bug/1980023/+subscriptions
More information about the foundations-bugs
mailing list