* [GIT PULL 0/2] EFI fixes for v4.14
From: Ard Biesheuvel @ 2017-10-25 10:04 UTC
  To: linux-efi, Ingo Molnar, Thomas Gleixner, H . Peter Anvin
  Cc: Ard Biesheuvel, linux-kernel, Dan Carpenter, Ivan Hu,
	James Morse, Matt Fleming

The following changes since commit 8a5776a5f49812d29fe4b2d0a2d71675c3facf3f:

  Linux 4.14-rc4 (2017-10-08 20:53:29 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi.git tags/efi-urgent

for you to fetch changes up to 8509c79af61fc8066fc21c01a0a9403ef2af7397:

  efi/libstub: arm: don't randomize runtime regions when CONFIG_HIBERNATION=y (2017-10-24 21:53:49 +0100)

----------------------------------------------------------------
Two EFI fixes for v4.14:
- avoid OOPSing on a capsule count overflow in the EFI test ioctl interface
- avoid crashing on UEFI runtime services invocations after resume from
  hibernation on ARM

----------------------------------------------------------------
Ard Biesheuvel (1):
      efi/libstub: arm: don't randomize runtime regions when CONFIG_HIBERNATION=y

Dan Carpenter (1):
      efi/efi_test: Prevent an Oops in efi_runtime_query_capsulecaps()

 drivers/firmware/efi/libstub/arm-stub.c | 3 ++-
 drivers/firmware/efi/test/efi_test.c    | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)


* [PATCH 1/2] efi/efi_test: Prevent an Oops in efi_runtime_query_capsulecaps()
From: Ard Biesheuvel @ 2017-10-25 10:04 UTC
  To: linux-efi, Ingo Molnar, Thomas Gleixner, H . Peter Anvin
  Cc: Dan Carpenter, Ard Biesheuvel, linux-kernel, Matt Fleming

From: Dan Carpenter <dan.carpenter@oracle.com>

If "qcaps.capsule_count" is ULONG_MAX then "qcaps.capsule_count + 1"
will overflow to zero and kcalloc() will return the ZERO_SIZE_PTR.  We
try to dereference it inside the loop and crash.

Fixes: ff6301dabc3c ("efi: Add efi_test driver for exporting UEFI runtime service interfaces")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Ivan Hu <ivan.hu@canonical.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 drivers/firmware/efi/test/efi_test.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
index 08129b7b80ab..41c48a1e8baa 100644
--- a/drivers/firmware/efi/test/efi_test.c
+++ b/drivers/firmware/efi/test/efi_test.c
@@ -593,6 +593,9 @@ static long efi_runtime_query_capsulecaps(unsigned long arg)
 	if (copy_from_user(&qcaps, qcaps_user, sizeof(qcaps)))
 		return -EFAULT;
 
+	if (qcaps.capsule_count == ULONG_MAX)
+		return -EINVAL;
+
 	capsules = kcalloc(qcaps.capsule_count + 1,
 			   sizeof(efi_capsule_header_t), GFP_KERNEL);
 	if (!capsules)
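Review bot: the `if (qcaps.capsule_count == ULONG_MAX)` test at the top of the hunk rejects exactly the one value for which `qcaps.capsule_count + 1` wraps to zero, which is the minimal fix for the ZERO_SIZE_PTR dereference; the addition happens in the caller, so kcalloc()'s own overflow check on `n * size` never sees it. Any other oversized count still reaches kcalloc(), where the allocation simply fails and the `if (!capsules)` branch below returns an error instead of crashing, so the remaining point is style: a named upper bound on `capsule_count` (or a one-line comment saying why only ULONG_MAX is special) would make the intent clearer to the next reader than a bare equality check against the type's maximum.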
-- 
2.11.0
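
The commit message's arithmetic, as an added user-space model (example code written for this page, not the kernel's efi_test driver): it shows the count wrapping to zero and a generalised check that also covers the multiplication by the element size. The struct, the function names and the use of the GCC/Clang overflow builtins are assumptions.

```c
/* Added example (not the kernel's efi_test code): a user-space model of
 * the capsule_count overflow described in the commit message, plus a
 * generalised check.  efi_capsule_header_t and kcalloc()/ZERO_SIZE_PTR are
 * replaced by a plain struct and a size computation (GCC/Clang builtins). */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for efi_capsule_header_t; only its size matters here. */
struct capsule_header { unsigned char bytes[28]; };

/* The arithmetic the original driver performed before calling kcalloc():
 * for ULONG_MAX the sum wraps to 0, a zero-element allocation. */
unsigned long naive_element_count(unsigned long capsule_count)
{
	return capsule_count + 1;
}

/* Generalised validation: reject any count for which (count + 1) elements
 * of elem_size bytes cannot be represented, not only the exact ULONG_MAX
 * case the patch tests.  Returns 0 and stores the byte size, or -EINVAL. */
int checked_capsule_bytes(unsigned long capsule_count, size_t elem_size,
			  size_t *bytes)
{
	unsigned long n;
	size_t total;

	if (__builtin_add_overflow(capsule_count, 1UL, &n))
		return -EINVAL;	/* the ULONG_MAX case from the patch */
	if (__builtin_mul_overflow(n, elem_size, &total))
		return -EINVAL;	/* would wrap inside the allocator's own math */
	if (bytes)
		*bytes = total;
	return 0;
}

int main(void)
{
	size_t bytes = 0;

	printf("ULONG_MAX + 1 -> %lu\n", naive_element_count(ULONG_MAX));
	printf("checked(ULONG_MAX) -> %d\n",
	       checked_capsule_bytes(ULONG_MAX, sizeof(struct capsule_header), NULL));
	if (checked_capsule_bytes(2, sizeof(struct capsule_header), &bytes) == 0)
		printf("2 capsules -> %zu bytes\n", bytes);
	return 0;
}
```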


* [PATCH 2/2] efi/libstub: arm: don't randomize runtime regions when CONFIG_HIBERNATION=y
From: Ard Biesheuvel @ 2017-10-25 10:04 UTC
  To: linux-efi, Ingo Molnar, Thomas Gleixner, H . Peter Anvin
  Cc: Ard Biesheuvel, linux-kernel, James Morse, Matt Fleming

Commit

  e69176d68d26 ef/libstub/arm/arm64: Randomize the base of the UEFI rt services region

implemented randomization of the virtual mapping that the OS chooses for
the UEFI runtime services. This was motivated by the fact that UEFI usually
does not bother to specify any permission restrictions for those regions,
making them prime real estate for exploitation now that the OS is getting
more and more careful not to leave any R+W+X mapped regions lying around.

However, this randomization breaks assumptions in the resume from
hibernation code, which expects all memory regions populated by UEFI to
remain in the same place, including their virtual mapping into the OS
memory space. While this assumption may not be entirely reasonable in the
first place, breaking it deliberately does not make a lot of sense either.
So let's refrain from this randomization pass if CONFIG_HIBERNATION=y.

Cc: James Morse <james.morse@arm.com>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 drivers/firmware/efi/libstub/arm-stub.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c
index 1cb2d1c070c3..a94601d5939e 100644
--- a/drivers/firmware/efi/libstub/arm-stub.c
+++ b/drivers/firmware/efi/libstub/arm-stub.c
@@ -238,7 +238,8 @@ unsigned long efi_entry(void *handle, efi_system_table_t *sys_table,
 
 	efi_random_get_seed(sys_table);
 
-	if (!nokaslr()) {
+	/* hibernation expects the runtime regions to stay in the same place */
+	if (!IS_ENABLED(CONFIG_HIBERNATION) && !nokaslr()) {
 		/*
 		 * Randomize the base of the UEFI runtime services region.
 		 * Preserve the 2 MB alignment of the region by taking a
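Review bot: `IS_ENABLED(CONFIG_HIBERNATION)` is a build-time constant, so the new condition disables the runtime-region randomization on every kernel that merely has hibernation compiled in, including boots that never hibernate; that is a broader hardening loss than the "resume from hibernation" wording of the commit message suggests and is worth stating there. The added comment records the constraint but not its cost; consider something like `/* hibernation expects the runtime regions to stay in the same place, so skip the base randomization (and its hardening) when it is configured */` so later readers see a deliberate trade-off rather than a functional rule.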
-- 
2.11.0


* [tip:efi/urgent] efi/efi_test: Prevent an Oops in efi_runtime_query_capsulecaps()
From: tip-bot for Dan Carpenter @ 2017-10-25 11:09 UTC
  To: linux-tip-commits
  Cc: linux-kernel, ard.biesheuvel, mingo, torvalds, peterz, hpa,
	dan.carpenter, ivan.hu, matt, tglx

Commit-ID:  092e72c9edab16d4d6ad10c683a95047d53b6db4
Gitweb:     https://git.kernel.org/tip/092e72c9edab16d4d6ad10c683a95047d53b6db4
Author:     Dan Carpenter <dan.carpenter@oracle.com>
AuthorDate: Wed, 25 Oct 2017 11:04:47 +0100
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Wed, 25 Oct 2017 12:10:59 +0200

efi/efi_test: Prevent an Oops in efi_runtime_query_capsulecaps()

If "qcaps.capsule_count" is ULONG_MAX then "qcaps.capsule_count + 1"
will overflow to zero and kcalloc() will return the ZERO_SIZE_PTR.  We
try to dereference it inside the loop and crash.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Ivan Hu <ivan.hu@canonical.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Fixes: ff6301dabc3c ("efi: Add efi_test driver for exporting UEFI runtime service interfaces")
Link: http://lkml.kernel.org/r/20171025100448.26056-2-ard.biesheuvel@linaro.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 drivers/firmware/efi/test/efi_test.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
index 08129b7..41c48a1 100644
--- a/drivers/firmware/efi/test/efi_test.c
+++ b/drivers/firmware/efi/test/efi_test.c
@@ -593,6 +593,9 @@ static long efi_runtime_query_capsulecaps(unsigned long arg)
 	if (copy_from_user(&qcaps, qcaps_user, sizeof(qcaps)))
 		return -EFAULT;
 
+	if (qcaps.capsule_count == ULONG_MAX)
+		return -EINVAL;
+
 	capsules = kcalloc(qcaps.capsule_count + 1,
 			   sizeof(efi_capsule_header_t), GFP_KERNEL);
 	if (!capsules)


* [tip:efi/urgent] efi/libstub/arm: Don't randomize runtime regions when CONFIG_HIBERNATION=y
From: tip-bot for Ard Biesheuvel @ 2017-10-25 11:10 UTC
  To: linux-tip-commits
  Cc: hpa, matt, peterz, torvalds, tglx, james.morse, ard.biesheuvel,
	mingo, linux-kernel

Commit-ID:  38fb6652229c2149e8694d57db442878fdf8a1bd
Gitweb:     https://git.kernel.org/tip/38fb6652229c2149e8694d57db442878fdf8a1bd
Author:     Ard Biesheuvel <ard.biesheuvel@linaro.org>
AuthorDate: Wed, 25 Oct 2017 11:04:48 +0100
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Wed, 25 Oct 2017 12:10:59 +0200

efi/libstub/arm: Don't randomize runtime regions when CONFIG_HIBERNATION=y

Commit:

  e69176d68d26 ("ef/libstub/arm/arm64: Randomize the base of the UEFI rt services region")

implemented randomization of the virtual mapping that the OS chooses for
the UEFI runtime services. This was motivated by the fact that UEFI usually
does not bother to specify any permission restrictions for those regions,
making them prime real estate for exploitation now that the OS is getting
more and more careful not to leave any R+W+X mapped regions lying around.

However, this randomization breaks assumptions in the resume from
hibernation code, which expects all memory regions populated by UEFI to
remain in the same place, including their virtual mapping into the OS
memory space. While this assumption may not be entirely reasonable in the
first place, breaking it deliberately does not make a lot of sense either.
So let's refrain from this randomization pass if CONFIG_HIBERNATION=y.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: James Morse <james.morse@arm.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: http://lkml.kernel.org/r/20171025100448.26056-3-ard.biesheuvel@linaro.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 drivers/firmware/efi/libstub/arm-stub.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c
index 1cb2d1c..a94601d 100644
--- a/drivers/firmware/efi/libstub/arm-stub.c
+++ b/drivers/firmware/efi/libstub/arm-stub.c
@@ -238,7 +238,8 @@ unsigned long efi_entry(void *handle, efi_system_table_t *sys_table,
 
 	efi_random_get_seed(sys_table);
 
-	if (!nokaslr()) {
+	/* hibernation expects the runtime regions to stay in the same place */
+	if (!IS_ENABLED(CONFIG_HIBERNATION) && !nokaslr()) {
 		/*
 		 * Randomize the base of the UEFI runtime services region.
 		 * Preserve the 2 MB alignment of the region by taking a
