** Description changed:
-
- The bsearch() function signature is:
- void *bsearch(const void *key, const void *base,
- size_t nmemb, size_t size,
- int (*compar)(const void *, const void *));
-
- In drivers/firmware/efi/efi.c, the efi_status_to_err() and efi_status_to_str() functions call bsearch() with swapped 3rd and 4th arguments:
-
- Current (buggy):
- found = bsearch((void *)(uintptr_t)status, efi_error_codes,
- sizeof(struct efi_error_code), num, // WRONG ORDER
- efi_status_cmp_bsearch);
-
- Correct:
- found = bsearch((void *)(uintptr_t)status, efi_error_codes,
- num, sizeof(struct efi_error_code), // CORRECT ORDER
- efi_status_cmp_bsearch);
-
- == Impact ==
- With swapped arguments:
- - bsearch thinks there are 24 elements of 12 bytes each (on 64-bit)
- - Correct: 12 elements of 24 bytes each
- - This causes bsearch to read at wrong offsets, potentially returning incorrect error codes or failing to find valid status codes
-
- == Root Cause ==
- The bug was introduced in the SAUCE patch cherry-picked from kernel-ark:
- commit 2ae9082db0b5 ("Add efi_status_to_str() and rework efi_status_to_err().")
- from https://gitlab.com/cki-project/kernel-ark
-
- == Fix ==
- The fix has been merged in kernel-ark upstream:
- https://gitlab.com/cki-project/kernel-ark/-/commit/49bcc48074ba
+
+ [Impact]
+ The swapped bsearch() arguments cause the function to calculate incorrect
+ element offsets when searching the efi_error_codes array:
+
+ - Buggy behavior: bsearch thinks there are 24 elements of 12 bytes each
+ - Correct behavior: 12 elements of 24 bytes each (on 64-bit systems)
+
+ This causes efi_status_to_err() and efi_status_to_str() to read at wrong
+ memory offsets (every 12 bytes instead of every 24 bytes), potentially:
+ - Returning incorrect errno values for EFI status codes
+ - Returning wrong error description strings
+ - Failing to find valid status codes and returning default error values
+
+ These functions are used to translate EFI firmware error codes to Linux
+ errno values and human-readable strings, affecting error reporting for
+ EFI-related operations including secure boot and firmware variable access.
+
+ [Test Plan]
+ 1. Build kernel with the fix applied
+ 2. Boot system with UEFI firmware
+ 3. Trigger EFI error conditions that exercise efi_status_to_err() and
+ efi_status_to_str(), such as:
+ - Secure boot signature verification failures
+ - EFI variable access errors
+ - MOK (Machine Owner Key) operations
+ 4. Verify dmesg shows correct EFI error messages
+ 5. Compare error messages before and after the fix to confirm correct
+ status code translation
+
+ Alternatively, a unit test can verify the bsearch returns correct results:
+ - Call efi_status_to_err() with known EFI status codes (e.g., EFI_SUCCESS,
+ EFI_INVALID_PARAMETER, EFI_SECURITY_VIOLATION)
+ - Verify correct errno values are returned (-EINVAL, -EACCES, etc.)
+
+ [Where problems could occur]
+ The fix swaps two adjacent function arguments. Potential issues:
+
+ 1. The fix changes the search behavior, which could theoretically expose
+ latent bugs in code that was accidentally working due to the incorrect
+ search. For example, if code was relying on the -EINVAL fallback when
+ bsearch failed to find a match, it might now receive a different (correct)
+ errno value.
+
+ 2. Since this affects EFI error reporting, any issues would manifest as
+ incorrect error messages in dmesg or wrong return values from EFI
+ operations. This could affect debugging but should not cause system
+ instability.
+
+ [Other Info]
+ - Root cause: The bug was introduced in the SAUCE patch cherry-picked from
+ kernel-ark commit 2ae9082db0b5:
+ https://gitlab.com/cki-project/kernel-ark/-/commit/2ae9082db0b5
+ - Upstream fix: https://gitlab.com/cki-project/kernel-ark/-/commit/49bcc48074ba
+ - bsearch(3) man page: https://man7.org/linux/man-pages/man3/bsearch.3.html
** Also affects: linux (Ubuntu Noble)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Jammy)
Importance: Undecided
Status: New
--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2141276
Title:
efi: Fix swapped arguments to bsearch() in efi_status_to_*() SAUCE
patch
Status in linux package in Ubuntu:
New
Status in linux source package in Jammy:
New
Status in linux source package in Noble:
New
Bug description:
[Impact]
The swapped bsearch() arguments cause the function to calculate incorrect
element offsets when searching the efi_error_codes array:
- Buggy behavior: bsearch thinks there are 24 elements of 12 bytes each
- Correct behavior: 12 elements of 24 bytes each (on 64-bit systems)
This causes efi_status_to_err() and efi_status_to_str() to read at wrong
memory offsets (every 12 bytes instead of every 24 bytes), potentially:
- Returning incorrect errno values for EFI status codes
- Returning wrong error description strings
- Failing to find valid status codes and returning default error values
These functions are used to translate EFI firmware error codes to Linux
errno values and human-readable strings, affecting error reporting for
EFI-related operations including secure boot and firmware variable access.
[Test Plan]
1. Build kernel with the fix applied
2. Boot system with UEFI firmware
3. Trigger EFI error conditions that exercise efi_status_to_err() and
efi_status_to_str(), such as:
- Secure boot signature verification failures
- EFI variable access errors
- MOK (Machine Owner Key) operations
4. Verify dmesg shows correct EFI error messages
5. Compare error messages before and after the fix to confirm correct
status code translation
Alternatively, a unit test can verify the bsearch returns correct results:
- Call efi_status_to_err() with known EFI status codes (e.g., EFI_SUCCESS,
EFI_INVALID_PARAMETER, EFI_SECURITY_VIOLATION)
- Verify correct errno values are returned (-EINVAL, -EACCES, etc.)
[Where problems could occur]
The fix swaps two adjacent function arguments. Potential issues:
1. The fix changes the search behavior, which could theoretically expose
latent bugs in code that was accidentally working due to the incorrect
search. For example, if code was relying on the -EINVAL fallback when
bsearch failed to find a match, it might now receive a different (correct)
errno value.
2. Since this affects EFI error reporting, any issues would manifest as
incorrect error messages in dmesg or wrong return values from EFI
operations. This could affect debugging but should not cause system
instability.
[Other Info]
- Root cause: The bug was introduced in the SAUCE patch cherry-picked from
kernel-ark commit 2ae9082db0b5:
https://gitlab.com/cki-project/kernel-ark/-/commit/2ae9082db0b5
- Upstream fix: https://gitlab.com/cki-project/kernel-ark/-/commit/49bcc48074ba
- bsearch(3) man page: https://man7.org/linux/man-pages/man3/bsearch.3.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2141276/+subscriptions
Комментариев нет:
Отправить комментарий