[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/1] xen/efi: Config parsing: Free the same page count as allocated.

  • To: Bernhard Kaindl <bernhard.kaindl@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Wed, 22 Apr 2026 10:20:07 +0200
  • Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=google header.d=suse.com header.i="@suse.com" header.h="Content-Transfer-Encoding:In-Reply-To:Autocrypt:Content-Language:References:Cc:To:From:Subject:User-Agent:MIME-Version:Date:Message-ID"
  • Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL
  • Cc: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>
  • Delivery-date: Wed, 22 Apr 2026 08:20:14 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 22.04.2026 08:48, Jan Beulich wrote:
> On 21.04.2026 18:13, Bernhard Kaindl wrote:
>> When reading the config file or the config section, we may need to append
>> a terminating NUL byte to the config buffer if the last byte is not a
>> control character.
>>
>> This may cause an additional page to be allocated by efi_bs->AllocatePages()
>> if the config file or config section size is a multiple of the page size.
>>
>> For this case, increment file->size by one so the number of pages to be
>> freed by efi_bs->FreePages() is the same as the number of pages allocated
>> by efi_bs->AllocatePages() when the additional byte is allocated.
>>
>> I moved the dcache flush after the NUL termination so the flushed range
>> covers the final buffer contents.
>>
>> I didn't add a dcache flush for the copied cfg buffer in read_section():
>> that buffer is created by memcpy() and then consumed only by normal CPU
>> reads in the EFI loader, so there is no non-coherent producer or other
>> observer that would require cache maintenance.
>>
>> Fixes: df75f77092c1 ("EFI: avoid OOB config file reads")
>> Signed-off-by: Bernhard Kaindl <bernhard.kaindl@xxxxxxxxxx>
>>
>> ----
>> PS: The same fix applies to its backport to 4.21 and other branches,
>> for example:
>>
>> stable-4.21:
>> Fixes: feb99494bf59 ("EFI: avoid OOB config file reads")
>>
>> stable-4.20:
>> Fixes: 05b8f716aa32 ("EFI: avoid OOB config file reads")
>>
>> PPS: A review using GPT-5.4 (just a data point for review) confirms what
>> I've found by manual code inspection:
>>
>>> The fix in boot.c:882-886 and boot.c:913-928 is consistent with the existing
>>> free sites at boot.c:790-797, boot.c:1564-1567, and boot.c:1638-1641: Once 
>>> the
>>> config buffer gets an extra terminating byte, using the incremented size for
>>> PFN_UP during FreePages is the right fix.
>>>
>>> I also checked the parser helpers at boot.c:584-641; they already operate on
>>> a bounded buffer and treat NUL/control bytes as terminators, so the 
>>> synthetic
>>> extra byte does not create an obvious parsing regression.
> 
> To avoid something non-obvious was why I deliberately left file->size
> un-incremented. But yes, I failed to recall that ->FreePages() takes a
> size.
> 
>> --- a/xen/common/efi/boot.c
>> +++ b/xen/common/efi/boot.c
>> @@ -858,7 +858,8 @@ static bool __init read_file(EFI_FILE_HANDLE dir_handle, 
>> CHAR16 *name,
>>      what = L"Allocation";
>>      file->addr = min(1UL << (32 + PAGE_SHIFT),
>>                       HYPERVISOR_VIRT_END - DIRECTMAP_VIRT_START);
>> -    /* For config files allocate an extra byte to put a NUL there. */
>> +
>> +    /* For config file buffers, allocate space for the terminating NUL byte 
>> */
>>      ret = efi_bs->AllocatePages(AllocateMaxAddress, EfiLoaderData,
>>                                  PFN_UP(size + (file == &cfg)), &file->addr);
>>      if ( EFI_ERROR(ret) )
> 
> I don't really see why this or the other comment you alter would need
> touching. But of course it'll be the EFI maintainers to judge.
> 
>> @@ -877,10 +878,12 @@ static bool __init read_file(EFI_FILE_HANDLE 
>> dir_handle, CHAR16 *name,
>>  
>>      FileHandle->Close(FileHandle);
>>  
>> -    efi_arch_flush_dcache_area(file->ptr, file->size);
>> -
>>      if ( file == &cfg )
>> -        file->str[file->size] = 0;
>> +    {
>> +        file->str[file->size] = 0; /* NUL-terminate the config data buffer. 
>> */
>> +        file->size += 1;           /* Free the same page count as 
>> allocated. */
> 
> _If_ we want to go with incrementing file->size, then I don't see why
> it can't be done using the increment operator. That specifically exists
> as a shorthand for "+= 1".
> 
> As indicated above, I'm not convinced though that we really want to
> alter file->size. I'd instead add 1 in the few instances of
> "efi_bs->FreePages(cfg.addr, PFN_UP(cfg.size))". Sadly the adding of 1
> is conditional in read_section(), so maybe a "need_to_increment"
> boolean wants adding next to the need_to_free one? Then a small helper
> function may be warranted for those few instances of freeing cfg.addr.

Actually, no separate flag looks to be needed. If for the cfg file we set
->need_to_free, we know we allocated the one extra byte.

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.