boot: Fix UKI boot for kernels with non-zero ImageBase

The current code incorrectly subtracts ImageBase from section
VirtualAddress values when loading sections into memory. This is based
on a misunderstanding of the PE specification.

VirtualAddress in section headers is the address of the first byte of
the section relative to the image base when the section is loaded into
memory. In other words, VirtualAddress is already an RVA measured from
the image base, it is definitely NOT an absolute address that needs to
be adjusted.

So when loading a PE image into a newly allocated buffer, sections
should be copied to buffer + VirtualAddress, regardless of what
ImageBase says. The ImageBase field merely indicates the *preferred*
load address, it does not affect how section RVAs are interpreted.

This happens to not cause issues when ImageBase was 0 (since
VirtualAddress - 0 = VirtualAddress), which is why this bug went
undetected on modern kernels. However, it fails with kernels that have
non-zero ImageBase values.

So let's remove the nonsensical VirtualAddress < ImageBase check, and
remove the ImageBase subtractions from section loading offsets. This
lets all kernel UKIs work properly again.

Fixes: #40342

diff --git a/src/boot/linux.c b/src/boot/linux.c
index 22b758b8e641c30ae6193b83cc8c0688ee42e4a4..3d20258ddc530f3d9b80954ffdc1243964f59d22 100644 (file)
--- a/src/boot/linux.c
+++ b/src/boot/linux.c
@@ -161,14 +161,13 @@ EFI_STATUS linux_exec(
 
         size_t kernel_size_in_memory = 0;
         uint32_t compat_entry_point, entry_point;
-        uint64_t image_base;
         EFI_STATUS err;
 
         assert(parent_image);
         assert(iovec_is_set(kernel));
         assert(iovec_is_valid(initrd));
 
-        err = pe_kernel_info(kernel->iov_base, &entry_point, &compat_entry_point, &image_base, &kernel_size_in_memory);
+        err = pe_kernel_info(kernel->iov_base, &entry_point, &compat_entry_point, /* ret_image_base= */ NULL, &kernel_size_in_memory);
 #if defined(__i386__) || defined(__x86_64__)
         if (err == EFI_UNSUPPORTED)
                 /* Kernel is too old to support LINUX_INITRD_MEDIA_GUID, try the deprecated EFI handover
@@ -276,10 +275,9 @@ EFI_STATUS linux_exec(
                 if (h->SizeOfRawData == 0)
                         continue;
 
-                if ((h->VirtualAddress < image_base)
-                    || (h->VirtualAddress - image_base + h->SizeOfRawData > kernel_size_in_memory))
+                if (h->VirtualAddress + h->SizeOfRawData > kernel_size_in_memory)
                         return log_error_status(EFI_LOAD_ERROR, "Section would write outside of memory");
-                memcpy(loaded_kernel + h->VirtualAddress - image_base,
+                memcpy(loaded_kernel + h->VirtualAddress,
                        (const uint8_t*)kernel->iov_base + h->PointerToRawData,
                        h->SizeOfRawData);
                 memzero(loaded_kernel + h->VirtualAddress + h->SizeOfRawData,
@@ -288,7 +286,7 @@ EFI_STATUS linux_exec(
                 /* Not a code section? Nothing to do, leave as-is. */
                 if (memory_proto && (h->Characteristics & (PE_CODE|PE_EXECUTE))) {
                         nx_sections = xrealloc(nx_sections, n_nx_sections * sizeof(struct iovec), (n_nx_sections + 1) * sizeof(struct iovec));
-                        nx_sections[n_nx_sections].iov_base = loaded_kernel + h->VirtualAddress - image_base;
+                        nx_sections[n_nx_sections].iov_base = loaded_kernel + h->VirtualAddress;
                         nx_sections[n_nx_sections].iov_len = h->VirtualSize;
 
                         err = memory_mark_ro_x(memory_proto, &nx_sections[n_nx_sections]);