Comments (7)
@yeggor, could you please provide clarification for this check:
// volumeHeader->ExtHeaderOffset should be aligned to 4 bytes if (volumeHeader->ExtHeaderOffset % 4) { msg(usprintf("%s: ExtHeaderOffset %04Xh (%hu) is not aligned by 4 bytes", __FUNCTION__, volumeHeader->ExtHeaderOffset, volumeHeader->ExtHeaderOffset)); return U_INVALID_VOLUME; }
It is currently buggy as is because in FFSv2 Revision 1 volumes that field was Reserved, but can contain any bytes, so the field only has meaning after checking that Resivision is greater than 1, as it is done is all other places in the same function.
However, I don't really see a good reason for this check, i.e. is that "must be aligned to 4" a PI spec requirement?
hi, the check was added to get rid of the following libFuzzer's UndefinedBehavior finding:
$ ./ffsparser_fuzzer crash-3cc848b650549660a77d498c7a6b50b756ca9b2f new_engine
ffsparser_fuzzer(68650,0x1fdd95e00) malloc: nano zone abandoned due to inability to reserve vm space.
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3844664712
INFO: Loaded 1 modules (45799 inline 8-bit counters): 45799 [0x101318440, 0x101323727),
INFO: Loaded 1 PC tables (45799 PCs): 45799 [0x101323728,0x1013d6598),
./ffsparser_fuzzer: Running 1 inputs 1 time(s) each.
Running: crash-3cc848b650549660a77d498c7a6b50b756ca9b2f
/Users/yv/github/uefitool/common/ffsparser.cpp:1168:120: runtime error: reference binding to misaligned address 0x60b000000261 for type 'const EFI_GUID' (aka 'const EFI_GUID_'), which requires 4 byte alignment
0x60b000000261: note: pointer points here
01 00 00 01 aa 55 00 00 00 00 01 00 00 00 01 d7 d7 d7 01 6c 00 00 00 00 00 00 00 5f 46 56 48 11
^
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Users/yv/github/uefitool/common/ffsparser.cpp:1168:120 in
==68650== ERROR: libFuzzer: deadly signal
#0 0x1019bfea4 in __sanitizer_print_stack_trace+0x28 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x5bea4) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
#1 0x101221140 in fuzzer::PrintStackTrace() FuzzerUtil.cpp:210
#2 0x101203600 in fuzzer::Fuzzer::CrashCallback() FuzzerLoop.cpp:233
#3 0x1a2deea20 in _sigtramp+0x34 (libsystem_platform.dylib:arm64+0x3a20) (BuildId: f80c6971c08031f5ab6ebe01311154af32000000200000000100000000040d00)
#4 0x92438001a2dbfc24 (<unknown module>)
#5 0x256e8001a2ccdae4 (<unknown module>)
#6 0x212b0001019d89b4 (<unknown module>)
#7 0x1019d8120 in __sanitizer::Die()+0xcc (libclang_rt.asan_osx_dynamic.dylib:arm64+0x74120) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
#8 0x1019ea9d4 in __ubsan_handle_type_mismatch_v1_abort+0x24 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x869d4) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
#9 0x100f8b3a8 in FfsParser::parseVolumeHeader(UByteArray const&, unsigned int, UModelIndex const&, UModelIndex&) ffsparser.cpp:1168
#10 0x100f7be08 in FfsParser::parseRawArea(UModelIndex const&) ffsparser.cpp:915
#11 0x100f7a060 in FfsParser::parseGenericImage(UByteArray const&, unsigned int, UModelIndex const&, UModelIndex&) ffsparser.cpp:139
#12 0x100f691b0 in FfsParser::performFirstPass(UByteArray const&, UModelIndex&) ffsparser.cpp:124
#13 0x100f687d4 in FfsParser::parse(UByteArray const&) ffsparser.cpp:92
#14 0x100ed081c in LLVMFuzzerTestOneInput ffsparser_fuzzer.cpp:28
#15 0x101204a4c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) FuzzerLoop.cpp:617
#16 0x1011f0b70 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) FuzzerDriver.cpp:324
#17 0x1011f5e18 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) FuzzerDriver.cpp:860
#18 0x1012224b8 in main FuzzerMain.cpp:20
#19 0x1a2a67f24 (<unknown module>)
#20 0xf5567ffffffffffc (<unknown module>)
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
But I realized now that I overdid it
from uefitool.
Most likely a regression after this commit: d9e1fe5
CC @yeggor
from uefitool.
Yep, A65 works as expected, will be fixed in A68.
from uefitool.
when is the A68 cycle release ?
from uefitool.
In 2-3 weeks.
from uefitool.
@yeggor, could you please provide clarification for this check:
// volumeHeader->ExtHeaderOffset should be aligned to 4 bytes
if (volumeHeader->ExtHeaderOffset % 4) {
msg(usprintf("%s: ExtHeaderOffset %04Xh (%hu) is not aligned by 4 bytes", __FUNCTION__, volumeHeader->ExtHeaderOffset, volumeHeader->ExtHeaderOffset));
return U_INVALID_VOLUME;
}
It is currently buggy as is because in FFSv2 Revision 1 volumes that field was Reserved, but can contain any bytes, so the field only has meaning after checking that Resivision is greater than 1, as it is done is all other places in the same function.
However, I don't really see a good reason for this check, i.e. is that "must be aligned to 4" a PI spec requirement?
from uefitool.
The whole alignment of GUID type is unfortunate, because it's definitely not aligned to anything in the UEFI image, being raw 16 bytes, The fact it's defined that U32-U16-U16-U8x8 only means it needs to be 4-byte aligned in C++, but the whole UEFI is written in C where no such requirement exists. Closing this as resolved.
from uefitool.
Related Issues (20)
- Compressed sections unsupported HOT 2
- Off-by-one error preventing parsing of Boot5 partition in IFWI 1.6 and 1.7 regions HOT 2
- Extract bitmap image HOT 8
- Question but no discussion forum for these HOT 3
- Lenovo P520 BIOS file has DXE section compressed? HOT 2
- modifying images UEFITool NE HOT 1
- are all the Micron SPI parts mis-identified? HOT 4
- UEFITool is unable to find DXE volume in the image HOT 1
- Can not extract VBIOS and GOP HOT 9
- uefitool: Add option to calculate hashes of selected tree item (header/body/whole) HOT 1
- Bricked after replacing module with UEFITool (ASRock X79 Extreme6/GB) HOT 1
- UEFITool doesn't recognize lzma compressed section in latest bios HOT 1
- qt.qpa.plugin: Could not find the Qt platform plugin "xcb" in "" HOT 5
- Cant parse image, weird errors. HOT 1
- Selected file is not a proper bios! HOT 1
- Modded BIOS file fails to flash, "Selected file is not a proper BIOS!" HOT 4
- Please help GUID defined section with unknown processing method errors HOT 10
- Tools won't open when run HOT 1
- How to modify bios firmware image version?
- The Replacer don't work HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from uefitool.