** Description changed:
-
- The bsearch() function signature is:
- void *bsearch(const void *key, const void *base,
- size_t nmemb, size_t size,
- int (*compar)(const void *, const void *));
-
- In drivers/firmware/efi/efi.c, the efi_status_to_err() and
efi_status_to_str() functions call bsearch() with swapped 3rd and 4th
arguments:
-
- Current (buggy):
- found = bsearch((void *)(uintptr_t)status, efi_error_codes,
- sizeof(struct efi_error_code), num, // WRONG ORDER
- efi_status_cmp_bsearch);
-
- Correct:
- found = bsearch((void *)(uintptr_t)status, efi_error_codes,
- num, sizeof(struct efi_error_code), // CORRECT ORDER
- efi_status_cmp_bsearch);
-
- == Impact ==
- With swapped arguments:
- - bsearch thinks there are 24 elements of 12 bytes each (on 64-bit)
- - Correct: 12 elements of 24 bytes each
- - This causes bsearch to read at wrong offsets, potentially returning
incorrect error codes or failing to find valid status codes
-
- == Root Cause ==
- The bug was introduced in the SAUCE patch cherry-picked from kernel-ark:
- commit 2ae9082db0b5 ("Add efi_status_to_str() and rework
efi_status_to_err().")
- from https://gitlab.com/cki-project/kernel-ark
-
- == Fix ==
- The fix has been merged in kernel-ark upstream:
- https://gitlab.com/cki-project/kernel-ark/-/commit/49bcc48074ba
+
+ [Impact]
+ The swapped bsearch() arguments cause the function to calculate
incorrect
+ element offsets when searching the efi_error_codes array:
+
+ - Buggy behavior: bsearch thinks there are 24 elements of 12 bytes each
+ - Correct behavior: 12 elements of 24 bytes each (on 64-bit systems)
+
+ This causes efi_status_to_err() and efi_status_to_str() to read at wrong
+ memory offsets (every 12 bytes instead of every 24 bytes), potentially:
+ - Returning incorrect errno values for EFI status codes
+ - Returning wrong error description strings
+ - Failing to find valid status codes and returning default error values
+
+ These functions are used to translate EFI firmware error codes to Linux
+ errno values and human-readable strings, affecting error reporting for
+ EFI-related operations including secure boot and firmware variable
access.
+
+ [Test Plan]
+ 1. Build kernel with the fix applied
+ 2. Boot system with UEFI firmware
+ 3. Trigger EFI error conditions that exercise efi_status_to_err() and
+ efi_status_to_str(), such as:
+ - Secure boot signature verification failures
+ - EFI variable access errors
+ - MOK (Machine Owner Key) operations
+ 4. Verify dmesg shows correct EFI error messages
+ 5. Compare error messages before and after the fix to confirm correct
+ status code translation
+
+ Alternatively, a unit test can verify the bsearch returns correct
results:
+ - Call efi_status_to_err() with known EFI status codes (e.g.,
EFI_SUCCESS,
+ EFI_INVALID_PARAMETER, EFI_SECURITY_VIOLATION)
+ - Verify correct errno values are returned (-EINVAL, -EACCES, etc.)
+
+ [Where problems could occur]
+ The fix swaps two adjacent function arguments. Potential issues:
+
+ 1. The fix changes the search behavior, which could theoretically expose
+ latent bugs in code that was accidentally working due to the
incorrect
+ search. For example, if code was relying on the -EINVAL fallback when
+ bsearch failed to find a match, it might now receive a different
(correct)
+ errno value.
+
+ 2. Since this affects EFI error reporting, any issues would manifest as
+ incorrect error messages in dmesg or wrong return values from EFI
+ operations. This could affect debugging but should not cause system
+ instability.
+
+ [Other Info]
+ - Root cause: The bug was introduced in the SAUCE patch cherry-picked
from
+ kernel-ark commit 2ae9082db0b5:
+ https://gitlab.com/cki-project/kernel-ark/-/commit/2ae9082db0b5
+ - Upstream fix:
https://gitlab.com/cki-project/kernel-ark/-/commit/49bcc48074ba
+ - bsearch(3) man page:
https://man7.org/linux/man-pages/man3/bsearch.3.html
** Also affects: linux (Ubuntu Noble)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Jammy)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2141276
Title:
efi: Fix swapped arguments to bsearch() in efi_status_to_*() SAUCE
patch
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2141276/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
