[Bug 1980023] Re: linux-azure-cvm: Properly reallocate the kernel image
Dimitri John Ledkov
1980023 at bugs.launchpad.net
Tue Jun 28 09:00:40 UTC 2022
$ objdump -x ./usr/lib/linux/efi/kernel.efi-5.4.0-1085-azure-cvm
./usr/lib/linux/efi/kernel.efi-5.4.0-1085-azure-cvm: file format pei-x86-64
./usr/lib/linux/efi/kernel.efi-5.4.0-1085-azure-cvm
architecture: i386:x86-64, flags 0x00000133:
HAS_RELOC, EXEC_P, HAS_SYMS, HAS_LOCALS, D_PAGED
start address 0x0000000000004000
Characteristics 0x206
executable
line numbers stripped
debugging information removed
Time/Date Thu Jan 1 01:00:00 1970
Magic 020b (PE32+)
MajorLinkerVersion 2
MinorLinkerVersion 34
SizeOfCode 0000000000007600
SizeOfInitializedData 000000000264e800
SizeOfUninitializedData 0000000000000000
AddressOfEntryPoint 0000000000004000
BaseOfCode 0000000000004000
ImageBase 0000000000000000
SectionAlignment 00001000
FileAlignment 00000200
MajorOSystemVersion 0
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 0
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 04c65000
SizeOfHeaders 00000400
CheckSum 0265f929
Subsystem 0000000a (EFI application)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000000000
SizeOfStackCommit 0000000000000000
SizeOfHeapReserve 0000000000000000
SizeOfHeapCommit 0000000000000000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010
Note that SizeOfUninitializedData is 0000000000000000.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1980023
Title:
linux-azure-cvm: Properly reallocate the kernel image
Status in linux-azure-cvm package in Ubuntu:
New
Status in systemd package in Ubuntu:
New
Status in linux-azure-cvm source package in Focal:
Fix Committed
Status in systemd source package in Focal:
New
Bug description:
[Impact]
The kernel header defines a field called init_size that specifies the
amount of memory that the kernel requires for the in-place
decompression, and the bootloader is expected to load the kernel into
a buffer of this size. This doesn't happen when using the systemd EFI
stub to load the kernel though - the kernel image is stored on disk in
a PE section with a virtual size no larger than the compressed size,
so it's loaded into memory by the bootloader into a buffer that's too
small for the in-place decompression. The initrd is loaded into memory
immediately after the kernel.
To work around this, the kernel's EFI stub allocates a new buffer of
init_size bytes and relocates the kernel image into it (21cb9b41:
"efi/x86: Always relocate the kernel for EFI handover entry"), but
this code has a bug - it copies init_size bytes from the source buffer
(ie, where the kernel image was loaded into memory by the bootloader)
to the new buffer. This ends up reading past the end of the .linux and
.initrd PE sections and all of the memory regions allocated by the
bootloader, resulting in an out-of-bounds read and causing problems
with Confidential VMs.
This is fixed by 688eb282: "efi/x86: Only copy the compressed kernel
image in efi_relocate_kernel()", which needs to be backported to the
kernel we provide for CVM. Ideally, this would have been fixed in
systemd's EFI stub by setting the virtual size of the .linux PE
section to init_size, which would cause the bootloader to load the kernel
into a buffer large enough, making this additional relocation
unnecessary.
[Test Plan]
Tested by Microsoft and boot tested by me.
[Where problems could occur]
Decompression might fail if init_size is wrong causing the system to
not boot.
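The condition the bug description turns on is a mismatch between two numbers that both live inside the image on disk: the VirtualSize of the .linux PE section (what the bootloader allocates when it loads the section) and the init_size field of the bzImage setup header stored in that section (what the kernel needs for in-place decompression). The following C program is an added example, not code from the bug report, from systemd or from the kernel. It walks the PE32+ section table, finds .linux, reads "HdrS" and init_size at the x86 boot-protocol offsets (0x202 and 0x260, protocol 2.10+), and reports by how many bytes an init_size-long copy of the section would overrun it. The image it parses is a constructed, minimal PE shell built in memory by build_sample(); the helper names (check_linux_section, build_sample, sample_overread) are this example's own.

```c
/* Added example (not from the bug report, systemd or the kernel): parse a
 * kernel.efi-style PE32+ image, locate the .linux section, read the bzImage
 * setup header it carries, and compare init_size against the section's
 * VirtualSize. Offsets assumed: PE signature pointer at 0x3c, "HdrS" magic at
 * 0x202 and init_size at 0x260 of the bzImage (x86 boot protocol 2.10+). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PE_SIG_PTR_OFF      0x3c
#define SETUP_HDRS_OFF      0x202   /* "HdrS" magic in the bzImage setup header */
#define SETUP_INIT_SIZE_OFF 0x260   /* init_size: memory needed for in-place decompression */
#define SAMPLE_LEN          0x700   /* size of the constructed sample image below */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

struct linux_check {
    uint32_t virt_size;  /* VirtualSize of .linux: what the loader allocates */
    uint32_t raw_size;   /* SizeOfRawData of .linux: the compressed image on disk */
    uint32_t init_size;  /* init_size from the embedded bzImage setup header */
    uint32_t overread;   /* bytes an init_size-long copy would read past the section */
};

/* Returns 0 and fills *out on success; a negative code for a malformed or
 * unsupported image (no MZ/PE, no .linux section, no HdrS magic, ...). */
int check_linux_section(const uint8_t *img, size_t len, struct linux_check *out)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + PE_SIG_PTR_OFF);
    if (pe + 24 > len || memcmp(img + pe, "PE\0\0", 4) != 0) return -2;
    const uint8_t *coff = img + pe + 4;
    uint16_t nsec = rd16(coff + 2), optsz = rd16(coff + 16);
    const uint8_t *sec = coff + 20 + optsz;              /* section table */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if ((size_t)(sec + 40 - img) > len) return -3;
        if (memcmp(sec, ".linux\0\0", 8) != 0) continue;
        out->virt_size = rd32(sec + 8);
        out->raw_size  = rd32(sec + 16);
        uint32_t raw_off = rd32(sec + 20);
        if (out->raw_size < SETUP_INIT_SIZE_OFF + 4 ||
            (uint64_t)raw_off + SETUP_INIT_SIZE_OFF + 4 > len) return -4;
        const uint8_t *bz = img + raw_off;
        if (memcmp(bz + SETUP_HDRS_OFF, "HdrS", 4) != 0) return -5;
        out->init_size = rd32(bz + SETUP_INIT_SIZE_OFF);
        out->overread  = out->init_size > out->virt_size ? out->init_size - out->virt_size : 0;
        return 0;
    }
    return -6;
}

/* Constructed sample: a minimal PE32+ shell with a single .linux section at
 * file offset 0x400 holding a fake bzImage setup header. Not a real kernel. */
void build_sample(uint8_t *buf, uint32_t virt_size, uint32_t raw_size, uint32_t init_size)
{
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + PE_SIG_PTR_OFF, 0x40);
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *coff = buf + 0x44;
    wr16(coff, 0x8664);                 /* Machine: x86-64 */
    wr16(coff + 2, 1);                  /* NumberOfSections */
    wr16(coff + 16, 0xf0);              /* SizeOfOptionalHeader for PE32+ */
    wr16(coff + 20, 0x20b);             /* optional header magic: PE32+ */
    uint8_t *sec = coff + 20 + 0xf0;
    memcpy(sec, ".linux\0\0", 8);
    wr32(sec + 8, virt_size);           /* VirtualSize */
    wr32(sec + 12, 0x1000);             /* VirtualAddress */
    wr32(sec + 16, raw_size);           /* SizeOfRawData */
    wr32(sec + 20, 0x400);              /* PointerToRawData */
    uint8_t *bz = buf + 0x400;
    memcpy(bz + SETUP_HDRS_OFF, "HdrS", 4);
    wr16(bz + 0x206, 0x020f);           /* boot protocol version (2.15) */
    wr32(bz + SETUP_INIT_SIZE_OFF, init_size);
}

/* Build a sample, check it, and return the overread; UINT32_MAX if rejected. */
uint32_t sample_overread(uint32_t virt_size, uint32_t raw_size, uint32_t init_size)
{
    uint8_t buf[SAMPLE_LEN];
    struct linux_check c;
    build_sample(buf, virt_size, raw_size, init_size);
    return check_linux_section(buf, SAMPLE_LEN, &c) == 0 ? c.overread : UINT32_MAX;
}

int main(void)
{
    /* As in the report: VirtualSize == compressed size, init_size much larger. */
    printf("systemd-stub layout: overread = %#x bytes\n", sample_overread(0x300, 0x300, 0x2000));
    /* The layout the report suggests: VirtualSize raised to init_size. */
    printf("VirtualSize = init_size: overread = %#x bytes\n", sample_overread(0x2000, 0x300, 0x2000));
    return 0;
}
```

The first case reproduces the layout the report describes: VirtualSize equals the compressed size, so a copy of init_size bytes from the loaded section runs past its end and into whatever the bootloader placed after it (the initrd, then unallocated memory). The second case is the layout the report says systemd's stub should produce: VirtualSize raised to init_size while SizeOfRawData stays at the compressed size, so the loader allocates the larger buffer and zero-fills the tail, and no relocation is needed. On a real kernel.efi the two section numbers are the ones `objdump -h` prints for .linux; the checker only tells you whether an image depends on the relocation path that 688eb282 fixes, it does not tell you whether the stub in that image carries the fix.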