* [GIT PULL] EFI urgent fix
From: Matt Fleming @ 2016-04-25 11:26 UTC
  To: Ingo Molnar, Thomas Gleixner, H . Peter Anvin
  Cc: Matt Fleming, Ard Biesheuvel, linux-kernel, linux-efi,
	Chris Wilson, Jani Nikula, Jason Andryuk, Laszlo Ersek,
	Matthew Garrett, Peter Jones

Folks, please pull the following fix from Laszlo that ensures we don't
perform an out-of-bounds access when matching EFI variable names
against the variable protection whitelist.

The following changes since commit c3b46c73264b03000d1e18b22f5caf63332547c9:

  Linux 4.6-rc4 (2016-04-17 19:13:32 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi.git tags/efi-urgent

for you to fetch changes up to 630ba0cc7a6dbafbdee43795617c872b35cde1b4:

  efi: Fix out-of-bounds read in variable_matches() (2016-04-22 19:41:41 +0100)

----------------------------------------------------------------
 * Avoid out-of-bounds access in the efivars code when performing
   string matching on converted EFI variable names - Laszlo Ersek

----------------------------------------------------------------
Laszlo Ersek (1):
      efi: Fix out-of-bounds read in variable_matches()

 drivers/firmware/efi/vars.c | 37 ++++++++++++++++++++++++++-----------
 1 file changed, 26 insertions(+), 11 deletions(-)


* [PATCH] efi: Fix out-of-bounds read in variable_matches()
From: Matt Fleming @ 2016-04-25 11:29 UTC
  To: Ingo Molnar, Thomas Gleixner, H . Peter Anvin
  Cc: Laszlo Ersek, Ard Biesheuvel, linux-kernel, linux-efi,
	Matt Fleming, Chris Wilson, Jani Nikula, Jason Andryuk,
	Matthew Garrett, Peter Jones, stable

From: Laszlo Ersek <lersek@redhat.com>

The variable_matches() function can currently read "var_name[len]", for
example when:

 - var_name[0] == 'a',
 - len == 1,
 - match_name points to the NUL-terminated string "ab".

This function is supposed to accept "var_name" inputs that are not
NUL-terminated (hence the "len" parameter). Document the function, and
access "var_name[*match]" only if "*match" is smaller than "len".

Reported-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Cc: Peter Jones <pjones@redhat.com>
Cc: Matthew Garrett <mjg59@coreos.com>
Cc: Jason Andryuk <jandryuk@gmail.com>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: <stable@vger.kernel.org> # v3.10+
Link: http://thread.gmane.org/gmane.comp.freedesktop.xorg.drivers.intel/86906
Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
---
 drivers/firmware/efi/vars.c | 37 ++++++++++++++++++++++++++-----------
 1 file changed, 26 insertions(+), 11 deletions(-)

diff --git a/drivers/firmware/efi/vars.c b/drivers/firmware/efi/vars.c
index 0ac594c0a234..34b741940494 100644
--- a/drivers/firmware/efi/vars.c
+++ b/drivers/firmware/efi/vars.c
@@ -202,29 +202,44 @@ static const struct variable_validate variable_validate[] = {
 	{ NULL_GUID, "", NULL },
 };
 
+/*
+ * Check if @var_name matches the pattern given in @match_name.
+ *
+ * @var_name: an array of @len non-NUL characters.
+ * @match_name: a NUL-terminated pattern string, optionally ending in "*". A
+ *              final "*" character matches any trailing characters @var_name,
+ *              including the case when there are none left in @var_name.
+ * @match: on output, the number of non-wildcard characters in @match_name
+ *         that @var_name matches, regardless of the return value.
+ * @return: whether @var_name fully matches @match_name.
+ */
 static bool
 variable_matches(const char *var_name, size_t len, const char *match_name,
 		 int *match)
 {
 	for (*match = 0; ; (*match)++) {
 		char c = match_name[*match];
-		char u = var_name[*match];
 
-		/* Wildcard in the matching name means we've matched */
-		if (c == '*')
+		switch (c) {
+		case '*':
+			/* Wildcard in @match_name means we've matched. */
 			return true;
 
-		/* Case sensitive match */
-		if (!c && *match == len)
-			return true;
+		case '\0':
+			/* @match_name has ended. Has @var_name too? */
+			return (*match == len);
 
-		if (c != u)
+		default:
+			/*
+			 * We've reached a non-wildcard char in @match_name.
+			 * Continue only if there's an identical character in
+			 * @var_name.
+			 */
+			if (*match < len && c == var_name[*match])
+				continue;
 			return false;
-
-		if (!c)
-			return true;
+		}
 	}
-	return true;
 }
 
 bool
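Review bot: In the default case, `*match < len` compares an int (`*match`) against a size_t (`len`), and the '\0' case does the same with `*match == len`. The result is correct only because `*match` starts at 0 and is only ever incremented, so it is never negative when converted to unsigned. Consider iterating with a local size_t index and storing it to `*match` before each return, or state the invariant in the new function comment. Separately, the kernel-doc line "matches any trailing characters @var_name" is missing "in" before @var_name.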
-- 
2.7.3


* Re: [GIT PULL] EFI urgent fix
From: Ingo Molnar @ 2016-04-25 15:29 UTC
  To: Matt Fleming
  Cc: Thomas Gleixner, H . Peter Anvin, Ard Biesheuvel, linux-kernel,
	linux-efi, Chris Wilson, Jani Nikula, Jason Andryuk,
	Laszlo Ersek, Matthew Garrett, Peter Jones


* Matt Fleming <matt@codeblueprint.co.uk> wrote:

> Folks, please pull the following fix from Laszlo that ensures we don't
> perform an out-of-bounds access when matching EFI variable names
> against the variable protection whitelist.
> 
> The following changes since commit c3b46c73264b03000d1e18b22f5caf63332547c9:
> 
>   Linux 4.6-rc4 (2016-04-17 19:13:32 -0700)
> 
> are available in the git repository at:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi.git tags/efi-urgent
> 
> for you to fetch changes up to 630ba0cc7a6dbafbdee43795617c872b35cde1b4:
> 
>   efi: Fix out-of-bounds read in variable_matches() (2016-04-22 19:41:41 +0100)
> 
> ----------------------------------------------------------------
>  * Avoid out-of-bounds access in the efivars code when performing
>    string matching on converted EFI variable names - Laszlo Ersek
> 
> ----------------------------------------------------------------
> Laszlo Ersek (1):
>       efi: Fix out-of-bounds read in variable_matches()
> 
>  drivers/firmware/efi/vars.c | 37 ++++++++++++++++++++++++++-----------
>  1 file changed, 26 insertions(+), 11 deletions(-)

Pulled into tip:efi/urgent, thanks Matt!

	Ingo
