Public bug reported:
[Impact]
LP: #1811722 and LP: #1811901 describe situations where buggy EFI apps can
corrupt the firmware flash volume by dereferencing NULL pointers because we map
the NOR flash at 0x0.
Upstream has merged patches to make these inadvertent accesses fault
instead.
[Test Case]
Boot an arm64 guest with Secure Boot enabled using shim-signed 1.39, which is
impacted by the bugs above. The guest boots into EFI but crashes in shim.
Afterwards, note that the checksum of the firmware flash volume (which should be
read-only) differs from that of the system AAVMF_CODE.fd.
[Fix]
Backport the following patches from edk2 upstream:
51bb05c795 ArmVirtPkg/QemuVirtMemInfoLib: trim the MMIO region mapping
5e27deed43 ArmVirtPkg/NorFlashQemuLib: disregard our primary FV
aa1097921d ArmPkg/ArmMmuLib ARM: handle unmapped sections when updating permissions
36a87fec68 ArmPkg/ArmMmuLib ARM: handle unmapped section in GetMemoryRegion()
[Regression Risk]
It is possible that there are buggy VMs out there with EFI apps that happen to
access the first page but do so without corrupting firmware (e.g. with "just" a
read), but succeed in booting anyway. This would now cause these guests to
crash.
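The test case above relies on noticing that the supposedly read-only code volume changed. The following POSIX shell helper, added here and not part of the bug report or of edk2, compares a guest's copy of the volume against the pristine system image and reports where the first corrupted byte sits. The default path in SYSTEM_FV is an assumption.

```shell
#!/bin/sh
# Added example, not part of the bug report or of edk2: verify that a guest's
# firmware code volume still matches the pristine system image. AAVMF_CODE.fd
# is meant to be read-only, so any divergence means something in the guest
# wrote to the flash volume (e.g. through the NULL-pointer accesses above).
# The default path below is an assumption; point SYSTEM_FV at your own copy.
SYSTEM_FV="${SYSTEM_FV:-/usr/share/AAVMF/AAVMF_CODE.fd}"

# fv_sha256 FILE: print the SHA-256 hex digest of FILE
fv_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# fv_first_diff_offset PRISTINE COPY: print the 1-based offset (as reported
# by cmp -l) of the first byte that differs, or nothing if the files match
fv_first_diff_offset() {
    cmp -l "$1" "$2" 2>/dev/null | head -n 1 | awk '{print $1}'
}

# fv_check_integrity PRISTINE COPY
# exit status 0: identical; 1: the copy diverged (details on stdout);
# 2: an input file is missing or unreadable
fv_check_integrity() {
    pristine="$1"
    copy="$2"
    if [ ! -r "$pristine" ] || [ ! -r "$copy" ]; then
        echo "error: cannot read $pristine or $copy" >&2
        return 2
    fi
    if [ "$(fv_sha256 "$pristine")" = "$(fv_sha256 "$copy")" ]; then
        echo "OK: $copy matches $pristine"
        return 0
    fi
    ndiff=$(cmp -l "$pristine" "$copy" 2>/dev/null | wc -l | tr -d ' ')
    echo "CORRUPTED: $copy differs from $pristine in $ndiff byte(s)," \
         "first at byte offset $(fv_first_diff_offset "$pristine" "$copy")"
    return 1
}

# Usage: fv_check_integrity "$SYSTEM_FV" /path/to/guest/AAVMF_CODE.fd
```

Run it against the guest's writable copy of the code volume after the crash; a non-zero exit with a low byte offset is consistent with writes landing in the flash region mapped at 0x0.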
** Affects: edk2 (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
- It is possible that there are buggy VMs out there that happen to access the
first page (e.g. with "just" a read), but succeed in booting anyway. This would
now cause these guests to crash.
+ It is possible that there are buggy VMs out there with EFI apps that happen
to access the first page but do so without corrupting firmware (e.g. with
"just" a read), but succeed in booting anyway. This would now cause these
guests to crash.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1812093
Title:
qemu-efi: guest can corrupt its own firmware
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/1812093/+subscriptions
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs