Re: [U-Boot] [RFC 1/1] cmd: fs: fix data abort in load cmd
Thanks Heinrich! Will test it ASAP. On Wed, Apr 10, 2019 at 8:36 PM Heinrich Schuchardt wrote: > > On 4/10/19 8:48 AM, Igor Opaniuk wrote: > > Hi Heinrich, > > > > Thanks for looking into this, > > > > On Tue, Apr 9, 2019 at 11:28 PM Heinrich Schuchardt > > wrote: > >> > >> On 4/9/19 3:08 PM, Igor Opaniuk wrote: > >>> With CONFIG_CMD_BOOTEFI=y, load command causes data abort > >>> when path_to_uefi(fp->str, path) tries to write uefi path out of > >>> bounds of u16 str[] array (check efi_device_path_file_path struct for > >>> details). This is caused by unproper handling of void *buf pointer > >>> in efi_dp_from_file(), particularly when the buf pointer value is changed > >>> after dp_part_fill() invocation. > >>> > load usb 0:1 0x1200 imx6dl-colibri-eval-v3.dtb > >>> pc : [<2fab48ae>]lr : [<2fab4339>] > >>> reloc pc : [<178338ae>] lr : [<1789>] > >>> sp : 2da77120 ip : 0003 fp : 0005 > >>> r10: 2daa31d0 r9 : 2da80ea8 r8 : 0001 > >>> r7 : 2daa3098 r6 : 2ca75040 r5 : 2da77148 r4 : 003a > >>> r3 : 0069 r2 : 2ca750a3 r1 : 2daa3104 r0 : 2ca7509f > >>> Flags: nzCv IRQs off FIQs off Mode SVC_32 > >>> Code: 4630fb31 81f0e8bd e7d84606 bf082b2f (f822235c) > >>> Resetting CPU ... > >>> > >> > >> Thanks for reporting the problem. > >> > >>> With the change suggested: > >>> > load usb 0:1 0x1200 imx6dl-colibri-eval-v3.dtb > >>> 5675440 bytes read in 188 ms (28.8 MiB/s) > >>> > >>> Signed-off-by: Igor Opaniuk > >>> --- > >>> lib/efi_loader/efi_device_path.c | 2 +- > >>> 1 file changed, 1 insertion(+), 1 deletion(-) > >>> > >>> diff --git a/lib/efi_loader/efi_device_path.c > >>> b/lib/efi_loader/efi_device_path.c > >>> index 53b40c8c3c..97b4356167 100644 > >>> --- a/lib/efi_loader/efi_device_path.c > >>> +++ b/lib/efi_loader/efi_device_path.c > >>> @@ -829,7 +829,7 @@ struct efi_device_path *efi_dp_from_file(struct > >>> blk_desc *desc, int part, > >>>buf = dp_part_fill(buf, desc, part); > >>> > >>>/* add file-path: */ > >>> - fp = buf; > >>> + fp = start; > >> > >> This cannot be correct. dp_part_fill() is meant to set buf to the end of > >> the partition device path, e.g. > >> /VenHw(dbca4c98-6cb0-694d-0872-819c650cb7b8)/HD(1,MBR,0xd1535d21,0x1,0x7f) > > > > That's why I added RFC tag, as I definitely don't understand the full > > picture of what's going here(and lack of time to discover) :) > > > >> > >> In the lines below we want to add a further device path node with the > >> filename followed by the end node, e.g. > >> > >> /VenHw(dbca4c98-6cb0-694d-0872-819c650cb7b8)/HD(1,MBR,0xd1535d21,0x1,0x7f)/Shell.efi > >> > >> With your patch we end up with a device path containing only the file > >> name and the end node, e.g. > >> > >> /Shell.efi > > > > Thanks for the explanation. > > > >> > >> If you think this is an out of bound problem we must fix the estimation > >> of the device path size. > >> > >> For better understanding the problem could you, please, print the value > >> of dpsize and then call dp_alloc() with a sufficiently large argument. > >> > >> Before the return statement add > >> > >> printf("desc %p\n", desc); > >> printf("dp length %zu\n", efi_dp_size(start)); > >> > >> This should provide the calculated device path length and its actual size. > > > > So with the changes: > > > > diff --git a/lib/efi_loader/efi_device_path.c > > b/lib/efi_loader/efi_device_path.c > > index 97b4356167..ef707e2505 100644 > > --- a/lib/efi_loader/efi_device_path.c > > +++ b/lib/efi_loader/efi_device_path.c > > @@ -821,6 +821,8 @@ struct efi_device_path *efi_dp_from_file(struct > > blk_desc *desc, int part, > > fpsize = sizeof(struct efi_device_path) + 2 * (strlen(path) + 1); > > dpsize += fpsize; > > > > + printf("dpsize %zu\n", dpsize); > > + > > start = buf = dp_alloc(dpsize + sizeof(END)); > > if (!buf) > > return NULL; > > @@ -837,6 +839,8 @@ struct efi_device_path *efi_dp_from_file(struct > > blk_desc *desc, int part, > > buf += fpsize; > > > > *((struct efi_device_path *)buf) = END; > > + printf("desc %p\n", desc); > > + printf("dp length %zu\n", efi_dp_size(start)); > > > > return start; > > } > > > > Output: > > dpsize 153 > > desc 2daa3d30 > > > > And U-boot hangs on efi_dp_size(start) invocation, so I never receive > > any output from the last printf() invocation. > > In > http://git.denx.de/?p=u-boot-efi.git;a=shortlog;h=refs/heads/efi-2019-07 > I have already added a patch the problem with efi_dp_size(). > > efi_loader: move efi_save_gd() call to board_r.c > http://git.denx.de/?p=u-boot-efi.git;a=commit;h=5658c83d1c3637d4aa5bc366ab987b776ea105eb > > So I suggest that you start from the efi-2019-07 branch. > > Regards > > Heinrich > > > > >> Please, indicate the config file that you are using. > > > > colibri_imx6_defconfig > > > >> > >> Best regards > >> > >> Heinrich > >> > >>>
Re: [U-Boot] [RFC 1/1] cmd: fs: fix data abort in load cmd
On 4/10/19 8:48 AM, Igor Opaniuk wrote: Hi Heinrich, Thanks for looking into this, On Tue, Apr 9, 2019 at 11:28 PM Heinrich Schuchardt wrote: On 4/9/19 3:08 PM, Igor Opaniuk wrote: With CONFIG_CMD_BOOTEFI=y, load command causes data abort when path_to_uefi(fp->str, path) tries to write uefi path out of bounds of u16 str[] array (check efi_device_path_file_path struct for details). This is caused by unproper handling of void *buf pointer in efi_dp_from_file(), particularly when the buf pointer value is changed after dp_part_fill() invocation. load usb 0:1 0x1200 imx6dl-colibri-eval-v3.dtb pc : [<2fab48ae>]lr : [<2fab4339>] reloc pc : [<178338ae>] lr : [<1789>] sp : 2da77120 ip : 0003 fp : 0005 r10: 2daa31d0 r9 : 2da80ea8 r8 : 0001 r7 : 2daa3098 r6 : 2ca75040 r5 : 2da77148 r4 : 003a r3 : 0069 r2 : 2ca750a3 r1 : 2daa3104 r0 : 2ca7509f Flags: nzCv IRQs off FIQs off Mode SVC_32 Code: 4630fb31 81f0e8bd e7d84606 bf082b2f (f822235c) Resetting CPU ... Thanks for reporting the problem. With the change suggested: load usb 0:1 0x1200 imx6dl-colibri-eval-v3.dtb 5675440 bytes read in 188 ms (28.8 MiB/s) Signed-off-by: Igor Opaniuk --- lib/efi_loader/efi_device_path.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/efi_loader/efi_device_path.c b/lib/efi_loader/efi_device_path.c index 53b40c8c3c..97b4356167 100644 --- a/lib/efi_loader/efi_device_path.c +++ b/lib/efi_loader/efi_device_path.c @@ -829,7 +829,7 @@ struct efi_device_path *efi_dp_from_file(struct blk_desc *desc, int part, buf = dp_part_fill(buf, desc, part); /* add file-path: */ - fp = buf; + fp = start; This cannot be correct. dp_part_fill() is meant to set buf to the end of the partition device path, e.g. /VenHw(dbca4c98-6cb0-694d-0872-819c650cb7b8)/HD(1,MBR,0xd1535d21,0x1,0x7f) That's why I added RFC tag, as I definitely don't understand the full picture of what's going here(and lack of time to discover) :) In the lines below we want to add a further device path node with the filename followed by the end node, e.g. /VenHw(dbca4c98-6cb0-694d-0872-819c650cb7b8)/HD(1,MBR,0xd1535d21,0x1,0x7f)/Shell.efi With your patch we end up with a device path containing only the file name and the end node, e.g. /Shell.efi Thanks for the explanation. If you think this is an out of bound problem we must fix the estimation of the device path size. For better understanding the problem could you, please, print the value of dpsize and then call dp_alloc() with a sufficiently large argument. Before the return statement add printf("desc %p\n", desc); printf("dp length %zu\n", efi_dp_size(start)); This should provide the calculated device path length and its actual size. So with the changes: diff --git a/lib/efi_loader/efi_device_path.c b/lib/efi_loader/efi_device_path.c index 97b4356167..ef707e2505 100644 --- a/lib/efi_loader/efi_device_path.c +++ b/lib/efi_loader/efi_device_path.c @@ -821,6 +821,8 @@ struct efi_device_path *efi_dp_from_file(struct blk_desc *desc, int part, fpsize = sizeof(struct efi_device_path) + 2 * (strlen(path) + 1); dpsize += fpsize; + printf("dpsize %zu\n", dpsize); + start = buf = dp_alloc(dpsize + sizeof(END)); if (!buf) return NULL; @@ -837,6 +839,8 @@ struct efi_device_path *efi_dp_from_file(struct blk_desc *desc, int part, buf += fpsize; *((struct efi_device_path *)buf) = END; + printf("desc %p\n", desc); + printf("dp length %zu\n", efi_dp_size(start)); return start; } Output: dpsize 153 desc 2daa3d30 And U-boot hangs on efi_dp_size(start) invocation, so I never receive any output from the last printf() invocation. In http://git.denx.de/?p=u-boot-efi.git;a=shortlog;h=refs/heads/efi-2019-07 I have already added a patch the problem with efi_dp_size(). efi_loader: move efi_save_gd() call to board_r.c http://git.denx.de/?p=u-boot-efi.git;a=commit;h=5658c83d1c3637d4aa5bc366ab987b776ea105eb So I suggest that you start from the efi-2019-07 branch. Regards Heinrich Please, indicate the config file that you are using. colibri_imx6_defconfig Best regards Heinrich fp->dp.type = DEVICE_PATH_TYPE_MEDIA_DEVICE; fp->dp.sub_type = DEVICE_PATH_SUB_TYPE_FILE_PATH; fp->dp.length = fpsize; ___ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot ___ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
Re: [U-Boot] [RFC 1/1] cmd: fs: fix data abort in load cmd
Hi Heinrich, Thanks for looking into this, On Tue, Apr 9, 2019 at 11:28 PM Heinrich Schuchardt wrote: > > On 4/9/19 3:08 PM, Igor Opaniuk wrote: > > With CONFIG_CMD_BOOTEFI=y, load command causes data abort > > when path_to_uefi(fp->str, path) tries to write uefi path out of > > bounds of u16 str[] array (check efi_device_path_file_path struct for > > details). This is caused by unproper handling of void *buf pointer > > in efi_dp_from_file(), particularly when the buf pointer value is changed > > after dp_part_fill() invocation. > > > >> load usb 0:1 0x1200 imx6dl-colibri-eval-v3.dtb > > pc : [<2fab48ae>]lr : [<2fab4339>] > > reloc pc : [<178338ae>] lr : [<1789>] > > sp : 2da77120 ip : 0003 fp : 0005 > > r10: 2daa31d0 r9 : 2da80ea8 r8 : 0001 > > r7 : 2daa3098 r6 : 2ca75040 r5 : 2da77148 r4 : 003a > > r3 : 0069 r2 : 2ca750a3 r1 : 2daa3104 r0 : 2ca7509f > > Flags: nzCv IRQs off FIQs off Mode SVC_32 > > Code: 4630fb31 81f0e8bd e7d84606 bf082b2f (f822235c) > > Resetting CPU ... > > > > Thanks for reporting the problem. > > > With the change suggested: > > > >> load usb 0:1 0x1200 imx6dl-colibri-eval-v3.dtb > > 5675440 bytes read in 188 ms (28.8 MiB/s) > > > > Signed-off-by: Igor Opaniuk > > --- > > lib/efi_loader/efi_device_path.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/lib/efi_loader/efi_device_path.c > > b/lib/efi_loader/efi_device_path.c > > index 53b40c8c3c..97b4356167 100644 > > --- a/lib/efi_loader/efi_device_path.c > > +++ b/lib/efi_loader/efi_device_path.c > > @@ -829,7 +829,7 @@ struct efi_device_path *efi_dp_from_file(struct > > blk_desc *desc, int part, > > buf = dp_part_fill(buf, desc, part); > > > > /* add file-path: */ > > - fp = buf; > > + fp = start; > > This cannot be correct. dp_part_fill() is meant to set buf to the end of > the partition device path, e.g. > /VenHw(dbca4c98-6cb0-694d-0872-819c650cb7b8)/HD(1,MBR,0xd1535d21,0x1,0x7f) That's why I added RFC tag, as I definitely don't understand the full picture of what's going here(and lack of time to discover) :) > > In the lines below we want to add a further device path node with the > filename followed by the end node, e.g. > > /VenHw(dbca4c98-6cb0-694d-0872-819c650cb7b8)/HD(1,MBR,0xd1535d21,0x1,0x7f)/Shell.efi > > With your patch we end up with a device path containing only the file > name and the end node, e.g. > > /Shell.efi Thanks for the explanation. > > If you think this is an out of bound problem we must fix the estimation > of the device path size. > > For better understanding the problem could you, please, print the value > of dpsize and then call dp_alloc() with a sufficiently large argument. > > Before the return statement add > > printf("desc %p\n", desc); > printf("dp length %zu\n", efi_dp_size(start)); > > This should provide the calculated device path length and its actual size. So with the changes: diff --git a/lib/efi_loader/efi_device_path.c b/lib/efi_loader/efi_device_path.c index 97b4356167..ef707e2505 100644 --- a/lib/efi_loader/efi_device_path.c +++ b/lib/efi_loader/efi_device_path.c @@ -821,6 +821,8 @@ struct efi_device_path *efi_dp_from_file(struct blk_desc *desc, int part, fpsize = sizeof(struct efi_device_path) + 2 * (strlen(path) + 1); dpsize += fpsize; + printf("dpsize %zu\n", dpsize); + start = buf = dp_alloc(dpsize + sizeof(END)); if (!buf) return NULL; @@ -837,6 +839,8 @@ struct efi_device_path *efi_dp_from_file(struct blk_desc *desc, int part, buf += fpsize; *((struct efi_device_path *)buf) = END; + printf("desc %p\n", desc); + printf("dp length %zu\n", efi_dp_size(start)); return start; } Output: dpsize 153 desc 2daa3d30 And U-boot hangs on efi_dp_size(start) invocation, so I never receive any output from the last printf() invocation. > Please, indicate the config file that you are using. colibri_imx6_defconfig > > Best regards > > Heinrich > > > fp->dp.type = DEVICE_PATH_TYPE_MEDIA_DEVICE; > > fp->dp.sub_type = DEVICE_PATH_SUB_TYPE_FILE_PATH; > > fp->dp.length = fpsize; > > > > ___ > U-Boot mailing list > U-Boot@lists.denx.de > https://lists.denx.de/listinfo/u-boot -- Best regards - Freundliche GrĂ¼sse - Meilleures salutations Senior Development Engineer, Igor Opaniuk Toradex AG Altsagenstrasse 5 | 6048 Horw/Luzern | Switzerland | T: +41 41 500 48 00 (main line) ___ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
Re: [U-Boot] [RFC 1/1] cmd: fs: fix data abort in load cmd
On 4/9/19 3:08 PM, Igor Opaniuk wrote: > With CONFIG_CMD_BOOTEFI=y, load command causes data abort > when path_to_uefi(fp->str, path) tries to write uefi path out of > bounds of u16 str[] array (check efi_device_path_file_path struct for > details). This is caused by unproper handling of void *buf pointer > in efi_dp_from_file(), particularly when the buf pointer value is changed > after dp_part_fill() invocation. > >> load usb 0:1 0x1200 imx6dl-colibri-eval-v3.dtb > pc : [<2fab48ae>]lr : [<2fab4339>] > reloc pc : [<178338ae>] lr : [<1789>] > sp : 2da77120 ip : 0003 fp : 0005 > r10: 2daa31d0 r9 : 2da80ea8 r8 : 0001 > r7 : 2daa3098 r6 : 2ca75040 r5 : 2da77148 r4 : 003a > r3 : 0069 r2 : 2ca750a3 r1 : 2daa3104 r0 : 2ca7509f > Flags: nzCv IRQs off FIQs off Mode SVC_32 > Code: 4630fb31 81f0e8bd e7d84606 bf082b2f (f822235c) > Resetting CPU ... > Thanks for reporting the problem. > With the change suggested: > >> load usb 0:1 0x1200 imx6dl-colibri-eval-v3.dtb > 5675440 bytes read in 188 ms (28.8 MiB/s) > > Signed-off-by: Igor Opaniuk > --- > lib/efi_loader/efi_device_path.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/lib/efi_loader/efi_device_path.c > b/lib/efi_loader/efi_device_path.c > index 53b40c8c3c..97b4356167 100644 > --- a/lib/efi_loader/efi_device_path.c > +++ b/lib/efi_loader/efi_device_path.c > @@ -829,7 +829,7 @@ struct efi_device_path *efi_dp_from_file(struct blk_desc > *desc, int part, > buf = dp_part_fill(buf, desc, part); > > /* add file-path: */ > - fp = buf; > + fp = start; This cannot be correct. dp_part_fill() is meant to set buf to the end of the partition device path, e.g. /VenHw(dbca4c98-6cb0-694d-0872-819c650cb7b8)/HD(1,MBR,0xd1535d21,0x1,0x7f) In the lines below we want to add a further device path node with the filename followed by the end node, e.g. /VenHw(dbca4c98-6cb0-694d-0872-819c650cb7b8)/HD(1,MBR,0xd1535d21,0x1,0x7f)/Shell.efi With your patch we end up with a device path containing only the file name and the end node, e.g. /Shell.efi If you think this is an out of bound problem we must fix the estimation of the device path size. For better understanding the problem could you, please, print the value of dpsize and then call dp_alloc() with a sufficiently large argument. Before the return statement add printf("desc %p\n", desc); printf("dp length %zu\n", efi_dp_size(start)); This should provide the calculated device path length and its actual size. Please, indicate the config file that you are using. Best regards Heinrich > fp->dp.type = DEVICE_PATH_TYPE_MEDIA_DEVICE; > fp->dp.sub_type = DEVICE_PATH_SUB_TYPE_FILE_PATH; > fp->dp.length = fpsize; > ___ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
[U-Boot] [RFC 1/1] cmd: fs: fix data abort in load cmd
With CONFIG_CMD_BOOTEFI=y, load command causes data abort when path_to_uefi(fp->str, path) tries to write uefi path out of bounds of u16 str[] array (check efi_device_path_file_path struct for details). This is caused by unproper handling of void *buf pointer in efi_dp_from_file(), particularly when the buf pointer value is changed after dp_part_fill() invocation. > load usb 0:1 0x1200 imx6dl-colibri-eval-v3.dtb pc : [<2fab48ae>] lr : [<2fab4339>] reloc pc : [<178338ae>]lr : [<1789>] sp : 2da77120 ip : 0003 fp : 0005 r10: 2daa31d0 r9 : 2da80ea8 r8 : 0001 r7 : 2daa3098 r6 : 2ca75040 r5 : 2da77148 r4 : 003a r3 : 0069 r2 : 2ca750a3 r1 : 2daa3104 r0 : 2ca7509f Flags: nzCv IRQs off FIQs off Mode SVC_32 Code: 4630fb31 81f0e8bd e7d84606 bf082b2f (f822235c) Resetting CPU ... With the change suggested: > load usb 0:1 0x1200 imx6dl-colibri-eval-v3.dtb 5675440 bytes read in 188 ms (28.8 MiB/s) Signed-off-by: Igor Opaniuk --- lib/efi_loader/efi_device_path.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/efi_loader/efi_device_path.c b/lib/efi_loader/efi_device_path.c index 53b40c8c3c..97b4356167 100644 --- a/lib/efi_loader/efi_device_path.c +++ b/lib/efi_loader/efi_device_path.c @@ -829,7 +829,7 @@ struct efi_device_path *efi_dp_from_file(struct blk_desc *desc, int part, buf = dp_part_fill(buf, desc, part); /* add file-path: */ - fp = buf; + fp = start; fp->dp.type = DEVICE_PATH_TYPE_MEDIA_DEVICE; fp->dp.sub_type = DEVICE_PATH_SUB_TYPE_FILE_PATH; fp->dp.length = fpsize; -- 2.17.1 ___ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot