From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

From: Chris Coulson <chris.coulson@canonical.com>

Date: Mon, 2 May 2022 17:04:23 +0200

Subject: [PATCH] loader/i386/efi/linux: Use grub_loader_set_ex

This ports the linuxefi loader to use grub_loader_set_ex in order to fix

a use-after-fre bug that occurs when grub_cmd_linux is executed more than

once before a boot attempt is performed.

This is more complicated than for the chainloader command, as the initrd

command needs access to the loader state. To solve this, the linuxefi

module registers a dummy initrd command at startup that returns an error.

The linuxefi command then registers a proper initrd command with a higher

priority that is passed the loader state.

Signed-off-by: Chris Coulson <chris.coulson@canonical.com>

(cherry picked from commit 7cf736436b4c934df5ddfa6f44b46a7e07d99fdc)

[rharwood/pjones: set kernel_size in context]

(cherry picked from commit 9c056391f7a36ea480de9a759c12e55a90f2040a)

[rharwood: verifying twice]

Signed-off-by: Robbie Harwood <rharwood@redhat.com>

(cherry picked from commit df804892f1a754d88a9779320f9429bf40d2a1b3)

---

 grub-core/loader/i386/efi/linux.c | 146 +++++++++++++++++++++++---------------

 1 file changed, 87 insertions(+), 59 deletions(-)

diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c

index c9a2b47370..77a0734786 100644

--- a/grub-core/loader/i386/efi/linux.c

+++ b/grub-core/loader/i386/efi/linux.c

@@ -34,13 +34,19 @@

 GRUB_MOD_LICENSE ("GPLv3+");

 static grub_dl_t my_mod;

-static int loaded;

-static void *kernel_mem;

-static grub_uint64_t kernel_size;

-static void *initrd_mem;

-static grub_uint32_t handover_offset;

-struct linux_kernel_params *params;

-static char *linux_cmdline;

+

+static grub_command_t cmd_linux, cmd_initrd;

+static grub_command_t cmd_linuxefi, cmd_initrdefi;

+

+struct grub_linuxefi_context {

+  void *kernel_mem;

+  grub_uint64_t kernel_size;

+  grub_uint32_t handover_offset;

+  struct linux_kernel_params *params;

+  char *cmdline;

+

+  void *initrd_mem;

+};

 #define MIN(a, b) \

   ({ typeof (a) _a = (a); \

@@ -123,25 +129,32 @@ kernel_alloc(grub_efi_uintn_t size, const char * const errmsg)

 }

 static grub_err_t

-grub_linuxefi_boot (void)

+grub_linuxefi_boot (void *data)

 {

+  struct grub_linuxefi_context *context = (struct grub_linuxefi_context *) data;

+

   asm volatile ("cli");

-  return grub_efi_linux_boot ((char *)kernel_mem,

-			      handover_offset,

-			      params);

+  return grub_efi_linux_boot ((char *)context->kernel_mem,

+			      context->handover_offset,

+			      context->params);

 }

 static grub_err_t

-grub_linuxefi_unload (void)

+grub_linuxefi_unload (void *data)

 {

+  struct grub_linuxefi_context *context = (struct grub_linuxefi_context *) data;

+  struct linux_kernel_params *params = context->params;

+

   grub_dl_unref (my_mod);

-  loaded = 0;

-  kernel_free(initrd_mem, params->ramdisk_size);

-  kernel_free(linux_cmdline, params->cmdline_size + 1);

-  kernel_free(kernel_mem, kernel_size);

-  kernel_free(params, sizeof(*params));

+  kernel_free (context->initrd_mem, params->ramdisk_size);

+  kernel_free (context->cmdline, params->cmdline_size + 1);

+  kernel_free (context->kernel_mem, context->kernel_size);

+  kernel_free (params, sizeof(*params));

+  cmd_initrd->data = 0;

+  cmd_initrdefi->data = 0;

+  grub_free (context);

   return GRUB_ERR_NONE;

 }

@@ -188,13 +201,14 @@ read(grub_file_t file, grub_uint8_t *bufp, grub_size_t len)

 #define HIGH_U32(val) ((grub_uint32_t)(((grub_addr_t)(val) >> 32) & 0xffffffffull))

 static grub_err_t

-grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),

-                 int argc, char *argv[])

+grub_cmd_initrd (grub_command_t cmd, int argc, char *argv[])

 {

   grub_file_t *files = 0;

   int i, nfiles = 0;

   grub_size_t size = 0;

   grub_uint8_t *ptr;

+  struct grub_linuxefi_context *context = (struct grub_linuxefi_context *) cmd->data;

+  struct linux_kernel_params *params;

   if (argc == 0)

     {

@@ -202,12 +216,14 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),

       goto fail;

     }

-  if (!loaded)

+  if (!context)

     {

       grub_error (GRUB_ERR_BAD_ARGUMENT, N_("you need to load the kernel first"));

       goto fail;

     }

+  params = context->params;

+

   files = grub_calloc (argc, sizeof (files[0]));

   if (!files)

     goto fail;

@@ -226,19 +242,19 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),

 	}

     }

-  initrd_mem = kernel_alloc(size, N_("can't allocate initrd"));

-  if (initrd_mem == NULL)

+  context->initrd_mem = kernel_alloc(size, N_("can't allocate initrd"));

+  if (context->initrd_mem == NULL)

     goto fail;

-  grub_dprintf ("linux", "initrd_mem = %p\n", initrd_mem);

+  grub_dprintf ("linux", "initrd_mem = %p\n", context->initrd_mem);

   params->ramdisk_size = LOW_U32(size);

-  params->ramdisk_image = LOW_U32(initrd_mem);

+  params->ramdisk_image = LOW_U32(context->initrd_mem);

 #if defined(__x86_64__)

   params->ext_ramdisk_size = HIGH_U32(size);

-  params->ext_ramdisk_image = HIGH_U32(initrd_mem);

+  params->ext_ramdisk_image = HIGH_U32(context->initrd_mem);

 #endif

-  ptr = initrd_mem;

+  ptr = context->initrd_mem;

   for (i = 0; i < nfiles; i++)

     {

@@ -264,8 +280,8 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),

     grub_file_close (files[i]);

   grub_free (files);

-  if (initrd_mem && grub_errno)

-    grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t)initrd_mem,

+  if (context->initrd_mem && grub_errno)

+    grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t)context->initrd_mem,

 			 BYTES_TO_PAGES(size));

   return grub_errno;

@@ -281,6 +297,12 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),

   void *kernel = NULL;

   int setup_header_end_offset;

   int rc;

+  void *kernel_mem = 0;

+  grub_uint64_t kernel_size = 0;

+  grub_uint32_t handover_offset;

+  struct linux_kernel_params *params = 0;

+  char *cmdline = 0;

+  struct grub_linuxefi_context *context = 0;

   grub_dl_ref (my_mod);

@@ -407,27 +429,27 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),

   grub_dprintf ("linux", "new lh is at %p\n", lh);

   grub_dprintf ("linux", "setting up cmdline\n");

-  linux_cmdline = kernel_alloc (lh->cmdline_size + 1, N_("can't allocate cmdline"));

-  if (!linux_cmdline)

+  cmdline = kernel_alloc (lh->cmdline_size + 1, N_("can't allocate cmdline"));

+  if (!cmdline)

     goto fail;

-  grub_dprintf ("linux", "linux_cmdline = %p\n", linux_cmdline);

+  grub_dprintf ("linux", "cmdline = %p\n", cmdline);

-  grub_memcpy (linux_cmdline, LINUX_IMAGE, sizeof (LINUX_IMAGE));

+  grub_memcpy (cmdline, LINUX_IMAGE, sizeof (LINUX_IMAGE));

   grub_create_loader_cmdline (argc, argv,

-                              linux_cmdline + sizeof (LINUX_IMAGE) - 1,

+                              cmdline + sizeof (LINUX_IMAGE) - 1,

 			      lh->cmdline_size - (sizeof (LINUX_IMAGE) - 1),

 			      GRUB_VERIFY_KERNEL_CMDLINE);

-  grub_dprintf ("linux", "cmdline:%s\n", linux_cmdline);

+  grub_dprintf ("linux", "cmdline:%s\n", cmdline);

   grub_dprintf ("linux", "setting lh->cmd_line_ptr to 0x%08x\n",

-		LOW_U32(linux_cmdline));

-  lh->cmd_line_ptr = LOW_U32(linux_cmdline);

+		LOW_U32(cmdline));

+  lh->cmd_line_ptr = LOW_U32(cmdline);

 #if defined(__x86_64__)

-  if ((grub_efi_uintn_t)linux_cmdline > 0xffffffffull)

+  if ((grub_efi_uintn_t)cmdline > 0xffffffffull)

     {

       grub_dprintf ("linux", "setting params->ext_cmd_line_ptr to 0x%08x\n",

-		    HIGH_U32(linux_cmdline));

-      params->ext_cmd_line_ptr = HIGH_U32(linux_cmdline);

+		    HIGH_U32(cmdline));

+      params->ext_cmd_line_ptr = HIGH_U32(cmdline);

     }

 #endif

@@ -452,16 +474,13 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),

     }

   max_addresses[1].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;

   max_addresses[2].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;

-  kernel_mem = kernel_alloc (lh->init_size, N_("can't allocate kernel"));

+  kernel_size = lh->init_size;

+  kernel_mem = kernel_alloc (kernel_size, N_("can't allocate kernel"));

   restore_addresses();

   if (!kernel_mem)

     goto fail;

   grub_dprintf("linux", "kernel_mem = %p\n", kernel_mem);

-  grub_loader_set (grub_linuxefi_boot, grub_linuxefi_unload, 0);

-

-  loaded = 1;

-

   grub_dprintf ("linux", "setting lh->code32_start to 0x%08x\n",

 		LOW_U32(kernel_mem));

   lh->code32_start = LOW_U32(kernel_mem);

@@ -478,33 +497,42 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),

 		"setting lh->ext_loader_{type,ver} = {0x%02x,0x%02x}\n",

 		params->ext_loader_type, params->ext_loader_ver);

+  context = grub_zalloc (sizeof (*context));

+  if (!context)

+    goto fail;

+  context->kernel_mem = kernel_mem;

+  context->kernel_size = kernel_size;

+  context->handover_offset = handover_offset;

+  context->params = params;

+  context->cmdline = cmdline;

+

+  grub_loader_set_ex (grub_linuxefi_boot, grub_linuxefi_unload, context, 0);

+

+  cmd_initrd->data = context;

+  cmd_initrdefi->data = context;

+

+  grub_file_close (file);

+  grub_free (kernel);

+  return 0;

+

 fail:

   if (file)

     grub_file_close (file);

-  if (grub_errno != GRUB_ERR_NONE)

-    {

-      grub_dl_unref (my_mod);

-      loaded = 0;

-    }

+  grub_dl_unref (my_mod);

-  if (!loaded)

-    {

-      if (lh)

-	kernel_free (linux_cmdline, lh->cmdline_size + 1);

+  if (lh)

+    kernel_free (cmdline, lh->cmdline_size + 1);

-      kernel_free (kernel_mem, kernel_size);

-      kernel_free (params, sizeof(*params));

-    }

+  kernel_free (kernel_mem, kernel_size);

+  kernel_free (params, sizeof(*params));

+  grub_free (context);

   grub_free (kernel);

   return grub_errno;

 }

-static grub_command_t cmd_linux, cmd_initrd;

-static grub_command_t cmd_linuxefi, cmd_initrdefi;

-

 GRUB_MOD_INIT(linux)

 {

   cmd_linux =