Public bug reported:

    The bsearch() function signature is:

      void *bsearch(const void *key, const void *base,
                    size_t nmemb, size_t size,
                    int (*compar)(const void *, const void *));

    In drivers/firmware/efi/efi.c, the efi_status_to_err() and
    efi_status_to_str() functions call bsearch() with swapped 3rd and 4th
    arguments:

    Current (buggy):

      found = bsearch((void *)(uintptr_t)status, efi_error_codes,
                      sizeof(struct efi_error_code), num,  // WRONG ORDER
                      efi_status_cmp_bsearch);

    Correct:

      found = bsearch((void *)(uintptr_t)status, efi_error_codes,
                      num, sizeof(struct efi_error_code),  // CORRECT ORDER
                      efi_status_cmp_bsearch);

    == Impact ==

    With swapped arguments:

    - bsearch thinks there are 24 elements of 12 bytes each (on 64-bit)
    - Correct: 12 elements of 24 bytes each
    - This causes bsearch to read at wrong offsets, potentially returning
      incorrect error codes or failing to find valid status codes

    == Root Cause ==

    The bug was introduced in the SAUCE patch cherry-picked from kernel-ark:

      commit 2ae9082db0b5 ("Add efi_status_to_str() and rework
      efi_status_to_err().")
      from https://gitlab.com/cki-project/kernel-ark

    == Fix ==

    The fix has been merged in kernel-ark upstream:

      https://gitlab.com/cki-project/kernel-ark/-/commit/49bcc48074ba
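An added example, not code from the report or from the kernel, that reproduces the swapped call against a constructed 12-entry, 24-byte-per-entry table on a 64-bit build, beside the fixed form where nmemb and size are derived from the array itself. The struct layout, the status values and the comparator are assumptions standing in for the kernel's own, which the report does not show.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kernel table entry. The real layout is not
 * shown in the report; this one is 24 bytes on LP64, the size quoted there. */
struct efi_error_code {
    unsigned long status;   /* table is sorted by this field */
    int err;                /* errno the status maps to */
    char desc[12];          /* fixed-size so the table holds no pointers */
};

/* Constructed 12-entry table; statuses are illustrative, not real EFI values. */
static const struct efi_error_code efi_error_codes[] = {
    { 0, 0, "EFI_CODE_00" }, { 1, -1, "EFI_CODE_01" }, { 2, -2, "EFI_CODE_02" },
    { 3, -3, "EFI_CODE_03" }, { 4, -4, "EFI_CODE_04" }, { 5, -5, "EFI_CODE_05" },
    { 6, -6, "EFI_CODE_06" }, { 7, -7, "EFI_CODE_07" }, { 8, -8, "EFI_CODE_08" },
    { 9, -9, "EFI_CODE_09" }, { 10, -10, "EFI_CODE_10" }, { 11, -11, "EFI_CODE_11" },
};
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Assumed comparator in the style the report shows: the key is the status
 * value itself passed through the void* (the (void *)(uintptr_t)status cast).
 * memcpy reads the status so a misaligned element pointer is read without UB. */
static int efi_status_cmp_bsearch(const void *key, const void *elem)
{
    unsigned long k = (uintptr_t)key, s;
    memcpy(&s, elem, sizeof(s));    /* status is the first field */
    return (k > s) - (k < s);
}

/* Buggy form: nmemb and size swapped, as in the SAUCE patch. bsearch walks
 * the table in 12-byte strides, so half its probes land inside an entry. */
const struct efi_error_code *lookup_swapped(unsigned long status)
{
    return bsearch((void *)(uintptr_t)status, efi_error_codes,
                   sizeof(struct efi_error_code), ARRAY_SIZE(efi_error_codes),
                   efi_status_cmp_bsearch);
}

/* Fixed form: both counts come from the array, so they cannot be swapped. */
const struct efi_error_code *lookup_fixed(unsigned long status)
{
    return bsearch((void *)(uintptr_t)status, efi_error_codes,
                   ARRAY_SIZE(efi_error_codes), sizeof(efi_error_codes[0]),
                   efi_status_cmp_bsearch);
}
```

With this table lookup_fixed(11) returns the last entry, while lookup_swapped(11) returns NULL because no 12-byte-stride probe lands on byte offset 264 before the search range closes.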

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2141276

Title:
  efi: Fix swapped arguments to bsearch() in efi_status_to_*() SAUCE
  patch



-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs