[PATCH] efi_runtime: ensure we don't allocate a zero byte buffer (LP: #1429890)
Colin Ian King
colin.king at canonical.com
Mon Mar 16 11:14:46 UTC 2015
On 11/03/15 22:11, Ricardo Neri wrote:
> On Wed, 2015-03-11 at 19:44 +0000, Colin Ian King wrote:
>> To clarify, which approach are you referring to?
>>
>> 1) ZERO_SIZE_PTR being replaced with a NULL or
>
> I would suggest that efi_runtime could make dst = NULL if len = 0, no
> need to call kmalloc. Hopefully, true NULL cases are handled correctly
> in efi.get_next_variable and we should be able to see how the firmware
> handles it.
I've checked a handful of implementations on x86 and aarch64, and a NULL
causes the service to return EFI_INVALID_PARAMETER, which is to be
expected since it is an invalid parameter. In this case, we are now
testing the name == NULL validation of the service rather than the len
== 0 validation. And doing so means we have changed the semantics of
the original test, as it expects EFI_BUFFER_TOO_SMALL to be returned.
>
>> 2) allocating a 1 byte buffer and passing that over to stop the kernel
>> breaking.
>
> This would be my last resort, provided that the kernel fails only in the
> ZERO_SIZE_PTR case and not with the NULL case.
>
>
The alternative is to pass name as a pointer to a write-protected page for
the zero length buffer case. We can then check that the page is not being
written to (which it should not be); the pointer is non-NULL (so we
don't get the EFI_INVALID_PARAMETER failure), and hence we can also
check for the zero length case.
Colin
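A constructed C model of the two validation paths this reply distinguishes (an added example, not fwts or any firmware's code): a NULL name fails the pointer check with EFI_INVALID_PARAMETER before the length is examined, while a non-NULL name with len == 0 reaches the size check and gets EFI_BUFFER_TOO_SMALL together with the required size. The variable store, the ASCII (rather than CHAR16) names and the ordering of the checks are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* UEFI status codes: error codes carry the high bit (64-bit build). */
typedef uint64_t efi_status_t;
#define EFI_ERROR_BIT          0x8000000000000000ULL
#define EFI_SUCCESS            0ULL
#define EFI_INVALID_PARAMETER  (EFI_ERROR_BIT | 2)
#define EFI_BUFFER_TOO_SMALL   (EFI_ERROR_BIT | 5)
#define EFI_NOT_FOUND          (EFI_ERROR_BIT | 14)
/* Constructed variable store; real firmware keeps CHAR16 names plus a GUID. */
static const char *const store[] = { "Boot0000", "BootOrder", "Lang" };
#define NVARS (sizeof(store) / sizeof(store[0]))
/* Model of GetNextVariableName argument validation in the order the
 * implementations described above appear to apply it: NULL pointers are
 * rejected first; the buffer size is only checked afterwards. */
efi_status_t model_get_next_variable(size_t *name_size, char *name)
{
    size_t idx = 0, needed;
    if (name_size == NULL || name == NULL)
        return EFI_INVALID_PARAMETER;      /* NULL check wins over len == 0 */
    /* Assumption: a zero-length buffer is rejected before name is read, so an
     * unusable non-NULL pointer (e.g. ZERO_SIZE_PTR) is never dereferenced. */
    if (*name_size == 0) {
        *name_size = strlen(store[0]) + 1; /* size of the first entry */
        return EFI_BUFFER_TOO_SMALL;
    }
    if (name[0] != '\0') {                 /* non-empty name: find it, advance */
        while (idx < NVARS && strcmp(store[idx], name) != 0)
            idx++;
        if (idx == NVARS)
            return EFI_INVALID_PARAMETER;  /* caller passed an unknown name */
        idx++;
    }
    if (idx == NVARS)
        return EFI_NOT_FOUND;              /* end of the variable list */
    needed = strlen(store[idx]) + 1;
    if (*name_size < needed) {
        *name_size = needed;               /* tell the caller what to allocate */
        return EFI_BUFFER_TOO_SMALL;
    }
    memcpy(name, store[idx], needed);
    *name_size = needed;
    return EFI_SUCCESS;
}
```

Starting with an empty name and a large enough buffer walks the store in order; a zero length on a non-NULL buffer is the only path that reports EFI_BUFFER_TOO_SMALL without reading the name.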