From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

From: Chris Coulson <chris.coulson@canonical.com>

Date: Fri, 29 Apr 2022 21:13:08 +0100

Subject: [PATCH] loader/efi/chainloader: simplify the loader state

When not using the shim lock protocol, the chainloader command retains

the source buffer and device path passed to LoadImage, requiring the

unload hook passed to grub_loader_set to free them. It isn't required

to retain this state though - they aren't required by StartImage or

anything else in the boot hook, so clean them up before

grub_cmd_chainloader finishes.

This also wraps the loader state when using the shim lock protocol

inside a struct.

Signed-off-by: Chris Coulson <chris.coulson@canonical.com>

(cherry picked from commit fa39862933b3be1553a580a3a5c28073257d8046)

(cherry picked from commit 0333343ee99c4e88f062789263c94291c057251b)

[rharwood: double-frees and uninitialized, verifying twice]

Signed-off-by: Robbie Harwood <rharwood@redhat.com>

---

 grub-core/loader/efi/chainloader.c | 160 +++++++++++++++++++++++--------------

 1 file changed, 102 insertions(+), 58 deletions(-)

diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c

index 39158e679e..0717ce0478 100644

--- a/grub-core/loader/efi/chainloader.c

+++ b/grub-core/loader/efi/chainloader.c

@@ -48,38 +48,21 @@ GRUB_MOD_LICENSE ("GPLv3+");

 static grub_dl_t my_mod;

-static grub_efi_physical_address_t address;

-static grub_efi_uintn_t pages;

-static grub_ssize_t fsize;

-static grub_efi_device_path_t *file_path;

 static grub_efi_handle_t image_handle;

-static grub_efi_char16_t *cmdline;

-static grub_ssize_t cmdline_len;

-static grub_efi_handle_t dev_handle;

-static grub_efi_status_t (*entry_point) (grub_efi_handle_t image_handle, grub_efi_system_table_t *system_table);

+struct grub_secureboot_chainloader_context {

+  grub_efi_physical_address_t address;

+  grub_efi_uintn_t pages;

+  grub_ssize_t fsize;

+  grub_efi_device_path_t *file_path;

+  grub_efi_char16_t *cmdline;

+  grub_ssize_t cmdline_len;

+  grub_efi_handle_t dev_handle;

+};

+static struct grub_secureboot_chainloader_context *sb_context;

 static grub_err_t

-grub_chainloader_unload (void)

-{

-  grub_efi_boot_services_t *b;

-

-  b = grub_efi_system_table->boot_services;

-  efi_call_1 (b->unload_image, image_handle);

-  grub_efi_free_pages (address, pages);

-

-  grub_free (file_path);

-  grub_free (cmdline);

-  cmdline = 0;

-  file_path = 0;

-  dev_handle = 0;

-

-  grub_dl_unref (my_mod);

-  return GRUB_ERR_NONE;

-}

-

-static grub_err_t

-grub_chainloader_boot (void)

+grub_start_image (grub_efi_handle_t handle)

 {

   grub_efi_boot_services_t *b;

   grub_efi_status_t status;

@@ -87,7 +70,7 @@ grub_chainloader_boot (void)

   grub_efi_char16_t *exit_data = NULL;

   b = grub_efi_system_table->boot_services;

-  status = efi_call_3 (b->start_image, image_handle, &exit_data_size, &exit_data);

+  status = efi_call_3 (b->start_image, handle, &exit_data_size, &exit_data);

   if (status != GRUB_EFI_SUCCESS)

     {

       if (exit_data)

@@ -111,11 +94,37 @@ grub_chainloader_boot (void)

   if (exit_data)

     grub_efi_free_pool (exit_data);

-  grub_loader_unset ();

-

   return grub_errno;

 }

+static grub_err_t

+grub_chainloader_unload (void)

+{

+  grub_efi_loaded_image_t *loaded_image;

+  grub_efi_boot_services_t *b;

+

+  loaded_image = grub_efi_get_loaded_image (image_handle);

+  if (loaded_image != NULL)

+    grub_free (loaded_image->load_options);

+

+  b = grub_efi_system_table->boot_services;

+  efi_call_1 (b->unload_image, image_handle);

+

+  grub_dl_unref (my_mod);

+  return GRUB_ERR_NONE;

+}

+

+static grub_err_t

+grub_chainloader_boot (void)

+{

+  grub_err_t err;

+

+  err = grub_start_image (image_handle);

+

+  grub_loader_unset ();

+  return err;

+}

+

 static grub_err_t

 copy_file_path (grub_efi_file_path_device_path_t *fp,

 		const char *str, grub_efi_uint16_t len)

@@ -150,7 +159,7 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)

   char *dir_start;

   char *dir_end;

   grub_size_t size;

-  grub_efi_device_path_t *d;

+  grub_efi_device_path_t *d, *file_path;

   dir_start = grub_strchr (filename, ')');

   if (! dir_start)

@@ -526,10 +535,12 @@ grub_efi_get_media_file_path (grub_efi_device_path_t *dp)

 }

 static grub_efi_boolean_t

-handle_image (void *data, grub_efi_uint32_t datasize)

+handle_image (struct grub_secureboot_chainloader_context *load_context)

 {

   grub_efi_loaded_image_t *li, li_bak;

   grub_efi_status_t efi_status;

+  void *data = (void *)(unsigned long)load_context->address;

+  grub_efi_uint32_t datasize = load_context->fsize;

   void *buffer = NULL;

   char *buffer_aligned = NULL;

   grub_efi_uint32_t i;

@@ -540,6 +551,7 @@ handle_image (void *data, grub_efi_uint32_t datasize)

   grub_uint32_t buffer_size;

   int found_entry_point = 0;

   int rc;

+  grub_efi_status_t (*entry_point) (grub_efi_handle_t image_handle, grub_efi_system_table_t *system_table);

   rc = read_header (data, datasize, &context);

   if (rc < 0)

@@ -797,10 +809,10 @@ handle_image (void *data, grub_efi_uint32_t datasize)

   grub_memcpy (&li_bak, li, sizeof (grub_efi_loaded_image_t));

   li->image_base = buffer_aligned;

   li->image_size = context.image_size;

-  li->load_options = cmdline;

-  li->load_options_size = cmdline_len;

-  li->file_path = grub_efi_get_media_file_path (file_path);

-  li->device_handle = dev_handle;

+  li->load_options = load_context->cmdline;

+  li->load_options_size = load_context->cmdline_len;

+  li->file_path = grub_efi_get_media_file_path (load_context->file_path);

+  li->device_handle = load_context->dev_handle;

   if (!li->file_path)

     {

       grub_error (GRUB_ERR_UNKNOWN_DEVICE, "no matching file path found");

@@ -829,19 +841,22 @@ error_exit:

 static grub_err_t

 grub_secureboot_chainloader_unload (void)

 {

-  grub_efi_free_pages (address, pages);

-  grub_free (file_path);

-  grub_free (cmdline);

-  cmdline = 0;

-  file_path = 0;

-  dev_handle = 0;

+  grub_efi_free_pages (sb_context->address, sb_context->pages);

+  grub_free (sb_context->file_path);

+  grub_free (sb_context->cmdline);

+  grub_free (sb_context);

+

+  sb_context = 0;

   grub_dl_unref (my_mod);

   return GRUB_ERR_NONE;

 }

 static grub_err_t

-grub_load_image(void *boot_image)

+grub_load_image(grub_efi_device_path_t *file_path, void *boot_image,

+		grub_efi_uintn_t image_size, grub_efi_handle_t dev_handle,

+		grub_efi_char16_t *cmdline, grub_ssize_t cmdline_len,

+		grub_efi_handle_t *image_handle_out)

 {

   grub_efi_boot_services_t *b;

   grub_efi_status_t status;

@@ -850,7 +865,7 @@ grub_load_image(void *boot_image)

   b = grub_efi_system_table->boot_services;

   status = efi_call_6 (b->load_image, 0, grub_efi_image_handle, file_path,

-		       boot_image, fsize, &image_handle);

+		       boot_image, image_size, image_handle_out);

   if (status != GRUB_EFI_SUCCESS)

     {

       if (status == GRUB_EFI_OUT_OF_RESOURCES)

@@ -863,7 +878,7 @@ grub_load_image(void *boot_image)

   /* LoadImage does not set a device handler when the image is

      loaded from memory, so it is necessary to set it explicitly here.

      This is a mess.  */

-  loaded_image = grub_efi_get_loaded_image (image_handle);

+  loaded_image = grub_efi_get_loaded_image (*image_handle_out);

   if (! loaded_image)

     {

       grub_error (GRUB_ERR_BAD_OS, "no loaded image available");

@@ -885,20 +900,25 @@ grub_secureboot_chainloader_boot (void)

 {

   grub_efi_boot_services_t *b;

   int rc;

+  grub_efi_handle_t handle = 0;

-  rc = handle_image ((void *)(unsigned long)address, fsize);

+  rc = handle_image (sb_context);

   if (rc == 0)

     {

       /* We weren't able to attempt to execute the image, so fall back

        * to LoadImage / StartImage.

        */

-      rc = grub_load_image((void *)(unsigned long)address);

+      rc = grub_load_image(sb_context->file_path,

+			   (void *)(unsigned long)sb_context->address,

+			   sb_context->fsize, sb_context->dev_handle,

+			   sb_context->cmdline, sb_context->cmdline_len,

+			   &handle);

       if (rc == 0)

-        grub_chainloader_boot ();

+	grub_start_image (handle);

     }

   b = grub_efi_system_table->boot_services;

-  efi_call_1 (b->unload_image, image_handle);

+  efi_call_1 (b->unload_image, handle);

   grub_loader_unset ();

   return grub_errno;

@@ -913,10 +933,16 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),

   grub_efi_boot_services_t *b;

   grub_device_t dev = 0;

   grub_device_t orig_dev = 0;

-  grub_efi_device_path_t *dp = 0;

+  grub_efi_device_path_t *dp = 0, *file_path = 0;

   char *filename;

   void *boot_image = 0;

   int rc;

+  grub_efi_physical_address_t address = 0;

+  grub_ssize_t fsize;

+  grub_efi_uintn_t pages = 0;

+  grub_efi_char16_t *cmdline = 0;

+  grub_ssize_t cmdline_len = 0;

+  grub_efi_handle_t dev_handle = 0;

   if (argc == 0)

     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));

@@ -924,12 +950,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),

   grub_dl_ref (my_mod);

-  /* Initialize some global variables.  */

-  address = 0;

-  image_handle = 0;

-  file_path = 0;

-  dev_handle = 0;

-

   b = grub_efi_system_table->boot_services;

   if (argc > 1)

@@ -1096,17 +1116,35 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),

   grub_dprintf ("chain", "linuxefi_secure_validate: %d\n", rc);

   if (rc > 0)

     {

+      sb_context = grub_malloc (sizeof (*sb_context));

+      if (sb_context == NULL)

+        goto fail;

+      sb_context->address = address;

+      sb_context->fsize = fsize;

+      sb_context->pages = pages;

+      sb_context->file_path = file_path;

+      sb_context->cmdline = cmdline;

+      sb_context->cmdline_len = cmdline_len;

+      sb_context->dev_handle = dev_handle;

+

       grub_file_close (file);

       grub_device_close (dev);

+

       grub_loader_set (grub_secureboot_chainloader_boot,

 		       grub_secureboot_chainloader_unload, 0);

       return 0;

     }

   else if (rc == 0)

     {

-      grub_load_image(boot_image);

+      grub_load_image(file_path, boot_image, fsize, dev_handle, cmdline,

+		      cmdline_len, &image_handle);

       grub_file_close (file);

       grub_device_close (dev);

+

+      /* We're finished with the source image buffer and file path now */

+      efi_call_2 (b->free_pages, address, pages);

+      grub_free (file_path);

+

       grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0);

       return 0;

@@ -1134,6 +1172,12 @@ fail:

   if (cmdline)

     grub_free (cmdline);

+  if (image_handle != 0)

+    {

+      efi_call_1 (b->unload_image, image_handle);

+      image_handle = 0;

+    }

+

   grub_dl_unref (my_mod);

   return grub_errno;