From: Ard Biesheuvel
To: linaro-uefi@lists.linaro.org
Cc: alan@softiron.co.uk
Date: Fri, 17 Mar 2017 18:45:22 +0000
Message-Id: <1489776322-6551-1-git-send-email-ard.biesheuvel@linaro.org>
Subject: [Linaro-uefi] [PATCH] Platforms/StyxSpiFvDxe: fix potential boot crash on varstore write

The varstore shadow FV is kept in sync with actual SPI flash read, write and erase operations. Since we only expose a small slice of the SPI flash for the variable store, we keep an internal LBA offset and take it into account when translating shadow FV LBAs to actual LBAs.

As it turns out, the erase routine applies the LBA offset incorrectly, resulting in the wrong flash block being erased, and the wrong range to be erased in the shadow FV, which could result in a crash if the memory access is out of bounds.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel
Reviewed-by: Leif Lindholm

--- Platforms/AMD/Styx/Drivers/StyxSpiFvDxe/StyxSpiFvDxe.c | 1 - 1 file changed, 1 deletion(-) diff --git a/Platforms/AMD/Styx/Drivers/StyxSpiFvDxe/StyxSpiFvDxe.c b/Platforms/AMD/Styx/Drivers/StyxSpiFvDxe/StyxSpiFvDxe.c index 03fd9e816b96..f544af3eeb2d 100644 --- a/Platforms/AMD/Styx/Drivers/StyxSpiFvDxe/StyxSpiFvDxe.c +++ b/Platforms/AMD/Styx/Drivers/StyxSpiFvDxe/StyxSpiFvDxe.c @@ -439,7 +439,6 @@ StyxSpiFvDxeErase ( for (Start = VA_ARG (Args, EFI_LBA); Start != EFI_LBA_LIST_TERMINATOR; Start = VA_ARG (Args, EFI_LBA)) { - Start += mNvStorageLbaOffset; Length = VA_ARG (Args, UINTN); Status = mIscpDxeProtocol->AmdExecuteEraseFvBlockDxe (mIscpDxeProtocol, (Start + mNvStorageLbaOffset) * BLOCK_SIZE,
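
Review bot: In the StyxSpiFvDxeErase loop, Start and Length are read from the caller's VA_ARG list and passed to AmdExecuteEraseFvBlockDxe with no range check anywhere in the visible loop body. Removing `Start += mNvStorageLbaOffset;` stops the offset from being applied twice, since the call already computes `(Start + mNvStorageLbaOffset) * BLOCK_SIZE`, but an LBA or Length beyond the exposed varstore slice would still reach the flash erase, and by the commit message's own description an out-of-range shadow FV access is what crashes. Suggest rejecting the request, for example with EFI_INVALID_PARAMETER, when Start + Length exceeds the number of blocks in the slice, and doing so before the erase call. A one-line comment at the call site saying that Start stays relative to the shadow FV and that mNvStorageLbaOffset is applied only when forming the flash address would help keep the double offset from coming back.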