On 1/27/26 17:18, Vincent Stehlé wrote:
The efi_exit() function frees the loaded image memory by calling efi_delete_image(). However, when CONFIG_EFI_TCG2_PROTOCOL is enabled, the image_obj->image_type structure member is accessed after the memory has been freed. Fix this by performing the tcg2 measurement before the image deletion.

Fixes: 8fc4e0b4273a ("efi_loader: add boot variable measurement")
Suggested-by: Ilias Apalodimas <[email protected]>
Signed-off-by: Vincent Stehlé <[email protected]>
Cc: Heinrich Schuchardt <[email protected]>
Cc: Tom Rini <[email protected]>
Cc: Masahisa Kojima <[email protected]>
---
Reviewed-by: Heinrich Schuchardt <[email protected]>
Hi, Here is a respin after feedbacks. [1] Changes for v2: - Move the event measurement before image deletion instead of keeping a copy of image_type (thanks Ilias!) This can be verified with sandbox_defconfig + CONFIG_VALGRIND=y and the following command: valgrind --suppressions=scripts/u-boot.supp \ ./u-boot -T -c "setenv efi_selftest start image return; \ bootefi selftest" This was lightly tested for regression with sandbox_defconfig and the following commands: ./u-boot -T -c "ut measurement" ./test/py/test.py --build-dir="$PWD" -s -k "test_efi_bootmgr \ or test_efi_loader or test_efi_selftest or test_efi_secboot" Adding some instrumentation in efi_exit() and tcg2_log_append() shows no change in the event measurements sequence. [1] https://lore.kernel.org/u-boot/[email protected]/ lib/efi_loader/efi_boottime.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index ddc935d2240..b424d924896 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -3494,12 +3494,6 @@ static efi_status_t EFIAPI efi_exit(efi_handle_t image_handle, if (ret != EFI_SUCCESS) EFI_PRINT("%s: out of memory\n", __func__); } - /* efi_delete_image() frees image_obj. Copy before the call. */ - exit_jmp = image_obj->exit_jmp; - *image_obj->exit_status = exit_status; - if (image_obj->image_type == IMAGE_SUBSYSTEM_EFI_APPLICATION || - exit_status != EFI_SUCCESS) - efi_delete_image(image_obj, loaded_image_protocol);if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) {if (image_obj->image_type == IMAGE_SUBSYSTEM_EFI_APPLICATION) { 
@@ -3510,6 +3504,13 @@ static efi_status_t EFIAPI efi_exit(efi_handle_t image_handle, } }+ /* efi_delete_image() frees image_obj. Copy before the call. */+ exit_jmp = image_obj->exit_jmp; + *image_obj->exit_status = exit_status; + if (image_obj->image_type == IMAGE_SUBSYSTEM_EFI_APPLICATION || + exit_status != EFI_SUCCESS) + efi_delete_image(image_obj, loaded_image_protocol); + /* Make sure entry/exit counts for EFI world cross-overs match */ EFI_EXIT(exit_status);
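Review bot: in the first hunk, removing the block moves the `*image_obj->exit_status = exit_status;` store to after the CONFIG_EFI_TCG2_PROTOCOL measurement branch, so it is worth confirming that nothing inside that branch (its body is outside the shown context) returns early or relies on exit_status already being written; if it does, only the `efi_delete_image()` call needs to move, and the exit_jmp/exit_status copies can stay where they were.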
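Review bot: in the second hunk, the re-added comment `/* efi_delete_image() frees image_obj. Copy before the call. */` only explains the exit_jmp copy; since this patch exists because the measurement code above reads `image_obj->image_type` after the free, the comment should also state that the tcg2 measurement must stay ahead of this block, so a later reorder does not reintroduce the use-after-free. Something like `/* The TCG2 measurement above reads image_obj; keep it before this free. */` on the line preceding `efi_delete_image(image_obj, loaded_image_protocol);` would do.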