fwts: efirtauthvar kernel NULL ptr dereference on 64 bit ARM
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Firmware Test Suite | Fix Released | Critical | Colin Ian King |
fwts (Ubuntu) | Fix Released | Critical | Colin Ian King |
Bug Description
LuvOS is reporting:
[ 21.568148] EFI_RUNTIME Driver Exit.
[ 21.660784] EFI_RUNTIME Driver v0.1
passed
[+] uefirtauthvar... [ 21.999131] EFI_RUNTIME Driver Exit.
[ 22.081342] EFI_RUNTIME Driver v0.1
[ 22.104727] Unable to handle kernel NULL pointer dereference at virtual address 00000010
[ 22.128946] pgd = ffffffc83bab6000
[ 22.139105] [00000010] *pgd=00000008f9
[ 22.163851] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[ 22.180504] Modules linked in: efi_runtime(O) [last unloaded: efi_runtime]
[ 22.201105] CPU: 7 PID: 1375 Comm: fwts Tainted: G O 3.19.0 #1
[ 22.221656] Hardware name: FVP Foundation (DT)
[ 22.234954] task: ffffffc83b83e0c0 ti: ffffffc83b954000 task.ti: ffffffc83b954000
[ 22.257340] PC is at 0xffffffc87ffa562c
[ 22.268798] LR is at 0xffffffc87ffa5ef4
[ 22.280264] pc : [<ffffffc87ffa5
[ 22.302387] sp : ffffffc83b957bc0
[ 22.312284] x29: ffffffc83b957cf0 x28: ffffffc83b954000
[ 22.328170] x27: ffffffc000a3e000 x26: 000000000000001d
[ 22.344056] x25: ffffffc87ffa9988 x24: 0000000000000010
[ 22.359942] x23: ffffffc83b957de8 x22: 0000000000000010
[ 22.375827] x21: ffffffc87ffa9988 x20: 0000000000000010
[ 22.391712] x19: 0000000000000000 x18: 00000000000007de
[ 22.407599] x17: 0000007fb19a9550 x16: ffffffc0001bc558
[ 22.423485] x15: ffffffffffffffff x14: ffffffffffffffff
[ 22.439369] x13: 0000000000000030 x12: 0000000000000020
[ 22.455256] x11: 0101010101010101 x10: 7f7f7f7f7f7f7fff
[ 22.471141] x9 : 0000007fb1a2d588 x8 : 0000000000000000
[ 22.487026] x7 : 0000007fac000028 x6 : 0000007fac008cf0
[ 22.502910] x5 : 0000000000000000 x4 : 0000000000000000
[ 22.518799] x3 : ffffffc87fffec18 x2 : ffffffc83b957c78
[ 22.534684] x1 : ffffffc83b957de8 x0 : 0000000000000010
[ 22.550561]
[ 22.555004] Process fwts (pid: 1375, stack limit = 0xffffffc83b954058)
[ 22.574537] Stack: (0xffffffc83b957bc0 to 0xffffffc83b958000)
[ 23.455783] Call trace:
[ 23.463093] [<ffffffc87ffa5
[ 23.477697] [<ffffffbffc00a
[ 23.499038] [<ffffffc0001bc
[ 23.515182] [<ffffffc0001bc
[ 23.530039] Code: a9015bf5 a90053f3 a9027bf7 aa0003f6 (79400000)
[ 23.548358] ---[ end trace a75e310956868172 ]---
[ 23.562084] note: fwts[1375] exited with preempt_count 2
/etc/luv/
Changed in fwts (Ubuntu):
importance: Undecided → Critical
summary: fwts: efirtauthvar kernel NULL ptr derefernce on 64 bit ARM → fwts: efirtauthvar kernel NULL ptr dereference on 64 bit ARM
Changed in fwts:
status: Fix Committed → Fix Released
Changed in fwts (Ubuntu):
status: Fix Committed → Fix Released
I've given this some thought and I believe it's because we're doing zero-byte efivars and the efi driver does a zero-byte kmalloc, which does not return NULL, and we then scribble over memory that is not actually allocated.
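As an added example (not code from fwts, the efi_runtime driver or the kernel), the following userspace C model shows the mechanism described in the comment above: Linux's kmalloc(0) returns the non-NULL sentinel ZERO_SIZE_PTR, which is (void *)16, so a plain NULL test passes it on and the first access faults at virtual address 0x10, exactly the address in the oops. The ZERO_SIZE_PTR and ZERO_OR_NULL_PTR definitions are modelled on include/linux/slab.h; model_kmalloc, fill_buffer, handler_buggy and handler_fixed are hypothetical names.

```c
/* Userspace model of the kmalloc(0) sentinel and of a NULL check that
 * misses it. Added example; modelled on include/linux/slab.h, not taken
 * from fwts or the kernel. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define ZERO_SIZE_PTR ((void *)16)
#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= (unsigned long)ZERO_SIZE_PTR)

/* kmalloc(0) does not fail: it hands back the sentinel, never NULL. */
static void *model_kmalloc(size_t size)
{
    return size ? malloc(size) : ZERO_SIZE_PTR;
}

static void model_kfree(void *p)
{
    if (!ZERO_OR_NULL_PTR(p))
        free(p);
}

/* Stand-in for a callee that writes into the buffer it is given (the
 * firmware runtime service in the report). Instead of faulting at 0x10
 * as the real machine did, it reports -EFAULT so the model keeps running. */
static int fill_buffer(void *data, size_t size)
{
    if (ZERO_OR_NULL_PTR(data))
        return -EFAULT;
    memset(data, 0xAA, size);
    return 0;
}

/* Buggy handler: "if (!data)" lets ZERO_SIZE_PTR through to the callee. */
int handler_buggy(size_t data_size)
{
    void *data = model_kmalloc(data_size);
    if (!data)
        return -ENOMEM;
    int rc = fill_buffer(data, data_size);
    model_kfree(data);
    return rc;
}

/* Fixed handler: refuse a zero-byte buffer request before allocating, and
 * test the allocation with ZERO_OR_NULL_PTR rather than a bare NULL check. */
int handler_fixed(size_t data_size)
{
    if (data_size == 0)
        return -EINVAL;
    void *data = model_kmalloc(data_size);
    if (ZERO_OR_NULL_PTR(data))
        return -ENOMEM;
    int rc = fill_buffer(data, data_size);
    model_kfree(data);
    return rc;
}
```

The model returns -EFAULT where the real driver oopsed; the `Code:` line in the report ends in a load through x0, and the register dump shows x0 = 0x10.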