Hi Vincent, > -----Original Message----- > From: Vincent Stehlé <[email protected]> > Sent: Wednesday, January 28, 2026 1:19 AM > Subject: [PATCH v2] efi_loader: fix use after free in efi_exit() with tcg2 > > The efi_exit() function frees the loaded image memory by calling > efi_delete_image(). However, when CONFIG_EFI_TCG2_PROTOCOL is > enabled, the > image_obj->image_type structure member is accessed after the memory has > been freed. > > Fix this by performing the tcg2 measurement before the image deletion. > > Fixes: 8fc4e0b4273a ("efi_loader: add boot variable measurement") > Suggested-by: Ilias Apalodimas <[email protected]> > Signed-off-by: Vincent Stehlé <[email protected]> > Cc: Heinrich Schuchardt <[email protected]> > Cc: Tom Rini <[email protected]> > Cc: Masahisa Kojima <[email protected]> > --- > > Hi, > > Here is a respin after feedbacks. [1] > > Changes for v2: > - Move the event measurement before image deletion instead of keeping a > copy of image_type (thanks Ilias!) > > This can be verified with sandbox_defconfig + CONFIG_VALGRIND=y and the > following command: > > valgrind --suppressions=scripts/u-boot.supp \ > ./u-boot -T -c "setenv efi_selftest start image return; \ > bootefi selftest" > > This was lightly tested for regression with sandbox_defconfig and the > following commands: > > ./u-boot -T -c "ut measurement" > > ./test/py/test.py --build-dir="$PWD" -s -k "test_efi_bootmgr \ > or test_efi_loader or test_efi_selftest or test_efi_secboot" > > Adding some instrumentation in efi_exit() and tcg2_log_append() shows no > change in the event measurements sequence. > > [1] > https://lore.kernel.org/u-boot/20260123105814.1083834-1-vincent.stehle@ar > m.com/ > > lib/efi_loader/efi_boottime.c | 13 +++++++------ > 1 file changed, 7 insertions(+), 6 deletions(-) > > diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c > index ddc935d2240..b424d924896 100644 > --- a/lib/efi_loader/efi_boottime.c 
> +++ b/lib/efi_loader/efi_boottime.c > @@ -3494,12 +3494,6 @@ static efi_status_t EFIAPI efi_exit(efi_handle_t > image_handle, > if (ret != EFI_SUCCESS) > EFI_PRINT("%s: out of memory\n", __func__); > } > - /* efi_delete_image() frees image_obj. Copy before the call. */ > - exit_jmp = image_obj->exit_jmp; > - *image_obj->exit_status = exit_status; > - if (image_obj->image_type == > IMAGE_SUBSYSTEM_EFI_APPLICATION || > - exit_status != EFI_SUCCESS) > - efi_delete_image(image_obj, loaded_image_protocol); > > if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) { > if (image_obj->image_type == > IMAGE_SUBSYSTEM_EFI_APPLICATION) { > @@ -3510,6 +3504,13 @@ static efi_status_t EFIAPI efi_exit(efi_handle_t > image_handle, > } > } > > + /* efi_delete_image() frees image_obj. Copy before the call. */ > + exit_jmp = image_obj->exit_jmp; > + *image_obj->exit_status = exit_status; > + if (image_obj->image_type == > IMAGE_SUBSYSTEM_EFI_APPLICATION || > + exit_status != EFI_SUCCESS) > + efi_delete_image(image_obj, loaded_image_protocol); > + > /* Make sure entry/exit counts for EFI world cross-overs match */ > EFI_EXIT(exit_status);
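Review bot: the removed block is the cause of the bug rather than dead code, and the commit message should say so: with the block in this position, the `if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL))` test immediately below reads `image_obj->image_type` after `efi_delete_image(image_obj, loaded_image_protocol)` has already freed `image_obj` whenever `image_type == IMAGE_SUBSYSTEM_EFI_APPLICATION` or `exit_status != EFI_SUCCESS`. Naming that read and that condition in the message makes the Fixes: tag and the reordering traceable without re-reading the diff.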
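Review bot: the relocated block is correct, but after this move the only thing keeping the tcg2 measurement safe is its position above the `efi_delete_image()` call, and the existing comment `/* efi_delete_image() frees image_obj. Copy before the call. */` only explains the `exit_jmp` copy. Suggest a one-line comment at the top of the `if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL))` block, e.g. `/* Must run before efi_delete_image() frees image_obj. */`, so a later reshuffle cannot silently reintroduce the use after free. Note also that `*image_obj->exit_status = exit_status;` is now performed after the measurement; that is fine as long as the measurement does not read `exit_status` through `image_obj`, which the unchanged event sequence reported in the cover letter suggests, but the commit message could state it.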
Thanks for the fix.

Acked-by: Masahisa Kojima <[email protected]>

Best Regards,
Masahisa Kojima

> >
> --
> 2.51.0

