[Bug 1980023] Re: linux-azure-cvm: Properly reallocate the kernel image

Dimitri John Ledkov 1980023 at bugs.launchpad.net
Tue Jun 28 09:03:17 UTC 2022


PE File Base Relocations (interpreted .reloc section contents)

Virtual Address: 000024b2 Chunk size 10 (0xa) Number of fixups 1
	reloc    0 offset    0 [24b2] ABSOLUTE

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         00007500  0000000000004000  0000000000004000  00000400  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .reloc        0000000a  000000000000c000  000000000000c000  00007a00  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data         00002128  000000000000d000  000000000000d000  00007c00  2**5
                  CONTENTS, ALLOC, LOAD, DATA
  3 .dynamic      00000110  0000000000010000  0000000000010000  00009e00  2**3
                  CONTENTS, ALLOC, LOAD, DATA
  4 .rela         00000e58  0000000000011000  0000000000011000  0000a000  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .dynsym       00000378  0000000000012000  0000000000012000  0000b000  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .cmdline      00000050  0000000000030000  0000000000030000  0000b400  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .sbat         000000ff  0000000000050000  0000000000050000  0000b600  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  8 .linux        009e5980  0000000002000000  0000000002000000  0000b800  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  9 .initrd       01c64f31  0000000003000000  0000000003000000  009f1200  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA


Note that VMA and LMA are the same for the .linux section, and the size of the .linux section is specified as exactly its size.

Should we increase the .linux size to init_size then? Or push .initrd to
always be much later without much care?

https://bugs.launchpad.net/bugs/1980023

Title:
  linux-azure-cvm: Properly reallocate the kernel image

Status in linux-azure-cvm package in Ubuntu:
  New
Status in systemd package in Ubuntu:
  New
Status in linux-azure-cvm source package in Focal:
  Fix Committed
Status in systemd source package in Focal:
  New

Bug description:
  [Impact]

  The kernel header defines a field called init_size that specifies the
  amount of memory that the kernel requires for the in-place
  decompression, and the bootloader is expected to load the kernel into
  a buffer of this size. This doesn't happen when using the systemd EFI
  stub to load the kernel though - the kernel image is stored on disk in
  a PE section with a virtual size no larger than the compressed size,
  so it's loaded into memory by the bootloader into a buffer that's too
  small for the in-place decompression. The initrd is loaded into memory
  immediately after the kernel.

  To work around this, the kernel's EFI stub allocates a new buffer of
  init_size bytes and relocates the kernel image into it (21cb9b41:
  "efi/x86: Always relocate the kernel for EFI handover entry"), but
  this code has a bug - it copies init_size bytes from the source buffer
  (i.e., where the kernel image was loaded into memory by the bootloader)
  to the new buffer. This ends up reading past the end of the .linux and
  .initrd PE sections and all of the memory regions allocated by the
  bootloader, resulting in an out-of-bounds read and causing problems
  with Confidential VMs.

  This is fixed by 688eb282: "efi/x86: Only copy the compressed kernel
  image in efi_relocate_kernel()", which needs to be backported to the
  kernel we provide for CVM. Ideally, this would have been fixed in
  systemd's EFI stub by setting the virtual size of the .linux PE
  section to init_size, which would cause the bootloader to load the
  kernel into a buffer large enough, making this additional relocation
  unnecessary.

  [Test Plan]

  Tested by Microsoft and boot tested by me.

  [Where problems could occur]

  Decompression might fail if init_size is wrong, causing the system
  not to boot.
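As an added check that is not from the bug thread, systemd or the kernel: this Python script reads init_size from a bzImage setup header (field offsets from Documentation/x86/boot.rst) and compares it with the .linux section size and with the address gap before .initrd from the objdump listing above. The embedded section listing is copied from this page, and the bzImage is a constructed stand-in holding only the header fields that are read; on a real system, pass the contents of the bzImage file to read_init_size instead.

```python
import re
import struct

# Constructed excerpt of the objdump -h listing quoted above (values copied from the page).
SECTIONS = """\
  7 .sbat         000000ff  0000000000050000  0000000000050000  0000b600  2**2
  8 .linux        009e5980  0000000002000000  0000000002000000  0000b800  2**2
  9 .initrd       01c64f31  0000000003000000  0000000003000000  009f1200  2**2
"""
SECTION_RE = re.compile(r"^\s*\d+\s+(\S+)\s+([0-9a-f]{8})\s+([0-9a-f]{16})\s+([0-9a-f]{16})")

# Setup-header offsets from Documentation/x86/boot.rst: "HdrS" magic, boot protocol
# version, and init_size (present from protocol 2.10 onwards).
HDR_MAGIC_OFF, HDR_VERSION_OFF, INIT_SIZE_OFF = 0x202, 0x206, 0x260

def parse_sections(text):
    """Map section name -> (size, vma) from an objdump section listing."""
    out = {}
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            out[m.group(1)] = (int(m.group(2), 16), int(m.group(3), 16))
    return out

def read_init_size(bzimage):
    """Return init_size from a bzImage's setup header, refusing protocols older than 2.10."""
    if bzimage[HDR_MAGIC_OFF:HDR_MAGIC_OFF + 4] != b"HdrS":
        raise ValueError("not a bzImage: HdrS magic missing")
    version = struct.unpack_from("<H", bzimage, HDR_VERSION_OFF)[0]
    if version < 0x020A:
        raise ValueError("boot protocol %#x predates init_size" % version)
    return struct.unpack_from("<I", bzimage, INIT_SIZE_OFF)[0]

def check_inplace_room(sections, init_size):
    """Return (section_ok, gap_ok): does the .linux section size cover init_size,
    and does the address gap up to the next section (.initrd here) cover it?"""
    size, vma = sections[".linux"]
    next_vma = min((v for _, v in sections.values() if v > vma), default=None)
    gap_ok = next_vma is None or (next_vma - vma) >= init_size
    return size >= init_size, gap_ok

def make_fake_bzimage(init_size, version=0x020F):
    """Constructed stand-in for a real bzImage: only the header fields read above."""
    buf = bytearray(0x400)
    buf[HDR_MAGIC_OFF:HDR_MAGIC_OFF + 4] = b"HdrS"
    struct.pack_into("<H", buf, HDR_VERSION_OFF, version)
    struct.pack_into("<I", buf, INIT_SIZE_OFF, init_size)
    return bytes(buf)
```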
