Public bug reported:

[Impact]
LP: #1811722 and LP: #1811901 describe situations where buggy EFI apps can 
corrupt the firmware flash volume by dereferencing NULL pointers because we map 
the NOR flash at 0x0.

Upstream has merged patches to make these inadvertent accesses fault
instead.

[Test Case]
Boot an arm64 guest w/ SecureBoot enabled using shim-signed 1.39, which is 
impacted by the bugs above. The guest will boot up into EFI, but crash in shim. 
Note that the checksum of the firmware flash volume (which should be RO) has 
changed from the system AAVMF_CODE.fd.

[Fix]
Backport the following patches from edk2 upstream:
51bb05c795 ArmVirtPkg/QemuVirtMemInfoLib: trim the MMIO region mapping
5e27deed43 ArmVirtPkg/NorFlashQemuLib: disregard our primary FV
aa1097921d ArmPkg/ArmMmuLib ARM: handle unmapped sections when updating permissions
36a87fec68 ArmPkg/ArmMmuLib ARM: handle unmapped section in GetMemoryRegion()

[Regression Risk]
It is possible that there are buggy VMs out there with EFI apps that happen to 
access the first page but do so without corrupting firmware (e.g. with "just" a 
read), but succeed in booting anyway. This would now cause these guests to 
crash.
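The integrity check the test case relies on, written out as an added shell helper (this is not part of the bug report or of edk2): it compares the flash image a guest has been booting from against the system AAVMF_CODE.fd and, on mismatch, reports the offset of the first differing byte. A difference within the first page is what a NULL-pointer write into flash mapped at 0x0 would leave behind. The default reference path is an assumption based on the Ubuntu qemu-efi-aarch64 layout; override REF_FW if your install differs.

```shell
#!/bin/sh
# Added example (not from the bug report or edk2): check whether a guest's copy
# of the AAVMF code flash volume is still byte-identical to the reference image.
# REF_FW is an assumed default path; set it in the environment to override.
REF_FW="${REF_FW:-/usr/share/AAVMF/AAVMF_CODE.fd}"

# fw_unchanged REF GUEST_COPY
# Return 0 if the SHA-256 digests of the two images match, 1 otherwise.
fw_unchanged() {
    ref_sum=$(sha256sum "$1" | cut -d' ' -f1)
    cur_sum=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$ref_sum" = "$cur_sum" ]
}

# fw_first_diff REF GUEST_COPY
# Print the 1-based byte offset of the first differing byte (cmp -l convention),
# or 0 if the images are identical. A small offset points at the first page,
# i.e. the region a NULL dereference would hit when flash is mapped at 0x0.
fw_first_diff() {
    if cmp -s "$1" "$2"; then
        echo 0
        return 0
    fi
    cmp -l "$1" "$2" 2>/dev/null | head -n 1 | awk '{print $1}'
}

# check_guest_firmware GUEST_COPY
# Human-readable wrapper: exit 0 when the guest's code flash matches REF_FW,
# exit 1 and report the first corrupted offset when it does not.
check_guest_firmware() {
    if fw_unchanged "$REF_FW" "$1"; then
        echo "OK: $1 matches $REF_FW"
        return 0
    fi
    echo "CORRUPTED: $1 differs from $REF_FW at byte $(fw_first_diff "$REF_FW" "$1")"
    return 1
}

# Usage (assumed path to the guest's pflash copy of the code volume):
#   check_guest_firmware /var/lib/libvirt/qemu/nvram/guest_CODE.fd
```

Run it after the guest has booted (or crashed in shim); with the unfixed firmware and the affected shim the checksum differs, and with the backported patches the guest faults instead and the image stays identical.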

** Affects: edk2 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1812093

Title:
  qemu-efi: guest can corrupt its own firmware

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/1812093/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs