Bug#799443: initramfs-tools: avoid executing firmware and maintain symlinks

To: Andy Whitcroft <apw@canonical.com>
Cc: 799443@bugs.debian.org
Subject: Bug#799443: initramfs-tools: avoid executing firmware and maintain symlinks
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 12 Dec 2015 18:54:45 +0000
Message-id: <[🔎] 1449946485.3836.23.camel@decadent.org.uk>
Reply-to: Ben Hutchings <ben@decadent.org.uk>, 799443@bugs.debian.org
In-reply-to: <20150919090516.29495.10060.reportbug@bark>
References: <20150919090516.29495.10060.reportbug@bark>

On Sat, 19 Sep 2015 10:05:16 +0100 Andy Whitcroft <apw@canonical.com> wrote:
> Package: initramfs-tools
> Version: 0.120ubuntu5~rc2
> Severity: normal
> 
> When adding firmware to the initramfs we currently use copy_exec() this
> leads to us running ldd on the firmware, and effectivly attempting to
> executing the firmware.  As we have no control over the actual contents
> of this firmware this can lead to us actually executing it; in Ubuntu we
> have seen this with glibc.x32 installed and cirtain firmware leading to
> crashes in ldd and initramfs build failures.

I completely agree, so we should split the file copying logic from
walking library dependencies.

(It's surprising that firmware could be misdetected as an ELF x32
executable.  Anyway, I fixed the kernel bug that led to x32 executables
crashing when run on a kernel with the x32 ABI disabled.)

> Additionally using copy_exec() uses cp -aL which squashes any symlinks,
> while this ensures the firmware is available upstream firmware is starting
> to use the below idiom to represent preferred versions of firmware, and
> we will end up with multiple versions of the actual firmware in the
> initramfs:
> 
>     -rw-rw-r-- 1 apw apw   5872 Sep 19 08:51 bxt_dmc_ver1_04.bin
>     lrwxrwxrwx 1 apw apw     19 Sep 19 08:51 bxt_dmc_ver1.bin -> bxt_dmc_ver1_04.bin
>     -rw-rw-r-- 1 apw apw   8380 Sep 19 08:51 skl_dmc_ver1_19.bin
>     -rw-rw-r-- 1 apw apw   8380 Sep 19 08:51 skl_dmc_ver1_20.bin
>     -rw-rw-r-- 1 apw apw   8824 Sep 19 08:51 skl_dmc_ver1_21.bin
>     lrwxrwxrwx 1 apw apw     19 Sep 19 08:51 skl_dmc_ver1.bin -> skl_dmc_ver1_21.bin
>     -rw-rw-r-- 1 apw apw 109636 Sep 19 08:51 skl_guc_ver1_1059.bin
>     lrwxrwxrwx 1 apw apw     21 Sep 19 08:51 skl_guc_ver1.bin -> skl_guc_ver1_1059.bin
> 
> In Ubuntu we are using the combination of the two attached patches to
> solve these issues.

Thank you for the patches.   However, I'd like to solve the general
problem instead of adding more specific logic.  I'll follow up with my
patches for review.

Ben.

-- 
Ben Hutchings
Knowledge is power.  France is bacon.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Follow-Ups:
- Bug#799443: [PATCH initramfs-tools 4/5] hook-functions: Preserve symlinks when copying files
  - From: Ben Hutchings <ben@decadent.org.uk>
- Bug#799443: [PATCH initramfs-tools 2/5] Use copy_file to copy config files and firmware, instead of copy_exec
  - From: Ben Hutchings <ben@decadent.org.uk>
- Bug#799443: [PATCH initramfs-tools 3/5] hook-functions: Use copy_file to install modules
  - From: Ben Hutchings <ben@decadent.org.uk>
- Bug#799443: [PATCH initramfs-tools 1/5] hook-functions: Introduce copy_file function
  - From: Ben Hutchings <ben@decadent.org.uk>
- Bug#799443: [PATCH initramfs-tools 5/5] hooks/fsck: Simplify by letting copy_exec handle symlinks
  - From: Ben Hutchings <ben@decadent.org.uk>

Prev by Date: Re: Bug#785590: ITP: freefall -- daemon to protect disk for laptops with supported sensors
Next by Date: Bug#799443: [PATCH initramfs-tools 4/5] hook-functions: Preserve symlinks when copying files
Previous by thread: Re: Bug#785590: ITP: freefall -- daemon to protect disk for laptops with supported sensors
Next by thread: Bug#799443: [PATCH initramfs-tools 4/5] hook-functions: Preserve symlinks when copying files
Index(es):
- Date
- Thread