[MIR] fwupdate
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
fwupdate (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
fwupdate-signed (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Availability]
fwupdate is available in universe and builds on all the architectures it is designed to work on (amd64, i386, armhf, arm64)
[Rationale]
fwupdate is a new EFI component for processing firmware updates for systems which support it. It will be used to allow users to run these upgrades, if their EFI BIOS allows, without the need to boot into Windows since it might not be available to them. This is only available for users with UEFI.
[Security]
There are no security reports open for fwupdate. However, fwupdate also ships an EFI binary and as such requires careful security review. Moreover, the fwupdate userland binary writes to ESRT tables in order to speak to the fwupdate EFI binary, so should benefit a security review of its own.
[Quality assurance]
Meets requirements. The package currently has bugs filed, but they are already handled although must wait to be fixed as they would require another round of signing of the EFI binary by Microsoft.
[UI Standards]
The application is translatable, although currently lacking is translations due to its relative newness.
[Dependencies]
All build and binary dependencies are in main.
[Standards compliance]
The package meets standards.
[Maintenance]
The package is quite small and does not require much effort on our part to maintain, aside from the occasional signing for the fwupdate EFI binary. It is maintained by the Debian EFI team in Debian; and subscribed to by foundations-bugs for Ubuntu.
[Background information]
fwupdate is a command-line too as well as an EFI binary for use to enable and apply firmware updates using the UEFI Capsule Update specification, which allows for flashing new firmware on BIOS or system components without requiring the use of a specific operating system, given that it can be done directly from the EFI firmware interfaces.
Changed in fwupdate (Ubuntu): | |
status: | New → Incomplete |
description: | updated |
tags: | added: gnome-software-ubuntu |
Changed in fwupdate (Ubuntu): | |
status: | Incomplete → In Progress |
My review from mid-september. I'd also like to suggest using Coverity on this codebase. The 'delete_variable()' portion was handled upstream already: /github. com/rhinstaller /fwupdate/ commit/ 8139030084c5141 8778815ed283237 553b1cec47
https:/
I also understand that Microsoft is the correct signing entity, so feel free to ignore that too.
But fwup_set_ up_update( ) and fwup_strerror_r() absolutely must be addressed before we move fwupdate to main.
Thanks.
========
I reviewed fwupdate version 0.4-4 as checked into wily. This shouldn't be
considered a full security audit; I also did not investigate the EFI
specification or systems to validate the EFI code.
- fwupdate provides a shim to update EFI boot order and an EFI program to
install firmware updates.
- Build-Depends: debhelper, pkg-config, libpopt-dev, libefivar-dev,
lsb-release, gnu-efi, pesign, elfutils
- Does not daemonize
- pre/post inst/rm scripts are boilerplate
- No initscripts
- No Dbus services
- No setuid
- Provides /usr/bin/fwupdate
- No sudo fragments
- No udev rules
- No test suite; one test executable ./linux/tester.c exercises very
little of the library/application
- No cronjobs
- Clean build logs
I'm skipping the usual summary-of-code to include only the errors and
oddities I discovered while reading the code:
- needs pesign from universe up_update( ) calls free(relpath) after calling relpath = relpath, ...). This is a severe error. up_update( ) calls open(O_CREAT) without specifying permissions, up_update( ) fullpath memory leak via open(fullpath...) error up_update( ) mkostemps() call does not need O_CREAT or O_RDWR up_update( ) nested read()/write() loop is intricate; stdio.h up_update( ) probably needs a rewrite -- it is doing too much variable( ) returns success but data_size < sizeof(*local) iter_create( ) memory leak if opendir() or dirfd() fail resources( ) and main() have user-visible strings that aren't
- fwup_strerror_r() has unreachable statements, looks very buggy. Needs
rewrite.
- fwup_set_
onstack(
- fwup_set_
the permissions will be set to garbage
- fwup_set_
- fwup_set_
- fwup_set_
fgetc() and fputc() loop with final fflush() might be easier to reason
about and probably no less efficient.
- fwup_set_
and its memory management is too confused which leads to a severe bug.
- extensive use of stack for storage; is stack able to handle the largest
EFI variables?
- put_info() does ssize_t arithmetic without checking for overflows -- how
large will efidp_size() ever grow?
- get_info() free(local) may be called on uninitialized pointer if
efi_get_
- fwup_resource_
- utf8len() and ucs2len() handle limit=0 differently, > vs >=
- utf8len() may read beyond the end of a malformed utf8 string that is
shorter than limit
- utf8_to_ucs2() may read beyond the end of a malformed utf8 string that
is shorter than max or may read beyond the end of utf8+max.
- print_system_
localized
- delete_variable() contains unreachable code, is this a patch failure?
- All the signed files are signed by 'Red Hat Test Certificate" -- is this
suitable for deployment?
Most of the code is written in a defensive style; however, there are
significantly troubling bugs and poorly writte...