In a previous thread, I was given this patch by Dr. Wettstein.  I was trying to 
integrate it into our test build of tboot, but we like to leave a comment that 
shows a trail with regards to where it came from. (We want to make it clear why 
a patch is being done, where it came from, how official it is, etc.)

I can't seem to find this in the tboot code tree.  Is it there and I'm missing 
it?  If it is not there, does the trunk need to be updated with this patch?

=================================================================
"There is a null-pointer dereference bug in the tboot Linux loader
which manifests itself as a system reset after the following is
displayed:

TBOOT: transferring control to kernel @0x100000

We picked up on this issue since our embedded systems boot without an
external initramfs.  The loader doesn't check the multiboot module
count and as a result uses the value of an uninitialized variable to
copy a random amount of material into kernel memory.

Here is a patch against 1.9.4 which corrects the problem:

---------------------------------------------------------------------------
diff -urNp v1.9.4/tboot-1.9.4/tboot/common/loader.c 
tboot-1.9.4/tboot/common/loader.c
--- v1.9.4/tboot-1.9.4/tboot/common/loader.c    Wed May 18 12:20:26 2016
+++ tboot-1.9.4/tboot/common/loader.c   Sat Sep  3 08:45:55 2016
@@ -1272,10 +1272,19 @@ bool launch_kernel(bool is_measured_laun
                                MB_MAGIC : MB2_LOADER_MAGIC);
      }
      else if ( kernel_type == LINUX ) {
-        m = get_module(g_ldr_ctx,0);
-        void *initrd_image = (void *)m->mod_start;
-        size_t initrd_size = m->mod_end - m->mod_start;
+        void *initrd_image;
+        size_t initrd_size;
  
+        if ( get_module_count(g_ldr_ctx) == 0 ) {
+            initrd_size = 0;
+            initrd_image = 0;
+        }
+        else {
+            m = get_module(g_ldr_ctx,0);
+            initrd_image = (void *)m->mod_start;
+            initrd_size = m->mod_end - m->mod_start;
+        }
+
          expand_linux_image(kernel_image, kernel_size,
                             initrd_image, initrd_size,
                             &kernel_entry_point, is_measured_launch);"
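
Review bot: In the new else branch, the result of get_module(g_ldr_ctx,0) is still dereferenced (m->mod_start, m->mod_end) without a NULL check, so the fix relies entirely on get_module_count() and get_module() agreeing. I would add an explicit "if ( m == NULL )" path that falls back to the same zero-size, null-image values as the count == 0 case. The initrd size is also computed as m->mod_end - m->mod_start with no check that mod_end >= mod_start, so a malformed module entry would wrap size_t to a very large copy length; rejecting that case before calling expand_linux_image() closes the same class of problem the patch is addressing. As a style point, "initrd_image = 0" would read better as NULL. The visible lines do not show how expand_linux_image() treats a NULL image with size 0, so that is worth confirming before merge.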


_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
