* [PATCH] drm/amdgpu: fix a missing-check bug
@ 2018-10-20 20:57 ` Wenwen Wang
0 siblings, 0 replies; 6+ messages in thread
From: Wenwen Wang @ 2018-10-20 20:57 UTC (permalink / raw)
To: Wenwen Wang
Cc: Kangjie Lu, Alex Deucher, Christian König,
David (ChunMing) Zhou, David Airlie, Ken Wang,
open list:RADEON and AMDGPU DRM DRIVERS, open list:DRM DRIVERS,
open list
In amdgpu_read_bios_from_rom(), the header of the VBIOS is firstly copied
to 'header' from an IO memory region through
amdgpu_asic_read_bios_from_rom(). Then the header is checked to see whether
it is a valid header. If yes, the whole VBIOS, including the header, is
then copied to 'adev->bios'. The problem here is that no check is enforced
on the header after the second copy. Given that the device also has the
permission to access the IO memory region, it is possible for a malicious
device controlled by an attacker to modify the header between these two
copies. By doing so, the attacker can supply compromised VBIOS, which can
cause undefined behavior of the kernel and introduce potential security
issues.
This patch rewrites the header in 'adev->bios' using the header acquired in
the first copy.
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
index a5df80d..ac701f4 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
@@ -181,6 +181,8 @@ static bool amdgpu_read_bios_from_rom(struct amdgpu_device *adev)
/* read complete BIOS */
amdgpu_asic_read_bios_from_rom(adev, adev->bios, len);
+ memcpy(adev->bios, header, AMD_VBIOS_SIGNATURE_END);
+
if (!check_atom_bios(adev->bios, len)) {
kfree(adev->bios);
return false;
--
2.7.4
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH] drm/amdgpu: fix a missing-check bug
@ 2018-10-20 20:57 ` Wenwen Wang
0 siblings, 0 replies; 6+ messages in thread
From: Wenwen Wang @ 2018-10-20 20:57 UTC (permalink / raw)
To: Wenwen Wang
Cc: Kangjie Lu, Alex Deucher, Christian König,
David (ChunMing) Zhou, David Airlie, Ken Wang,
open list:RADEON and AMDGPU DRM DRIVERS, open list:DRM DRIVERS,
open list
In amdgpu_read_bios_from_rom(), the header of the VBIOS is firstly copied
to 'header' from an IO memory region through
amdgpu_asic_read_bios_from_rom(). Then the header is checked to see whether
it is a valid header. If yes, the whole VBIOS, including the header, is
then copied to 'adev->bios'. The problem here is that no check is enforced
on the header after the second copy. Given that the device also has the
permission to access the IO memory region, it is possible for a malicious
device controlled by an attacker to modify the header between these two
copies. By doing so, the attacker can supply compromised VBIOS, which can
cause undefined behavior of the kernel and introduce potential security
issues.
This patch rewrites the header in 'adev->bios' using the header acquired in
the first copy.
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
index a5df80d..ac701f4 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
@@ -181,6 +181,8 @@ static bool amdgpu_read_bios_from_rom(struct amdgpu_device *adev)
/* read complete BIOS */
amdgpu_asic_read_bios_from_rom(adev, adev->bios, len);
+ memcpy(adev->bios, header, AMD_VBIOS_SIGNATURE_END);
+
if (!check_atom_bios(adev->bios, len)) {
kfree(adev->bios);
return false;
--
2.7.4
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] drm/amdgpu: fix a missing-check bug
@ 2018-10-22 6:55 ` Koenig, Christian
0 siblings, 0 replies; 6+ messages in thread
From: Koenig, Christian @ 2018-10-22 6:55 UTC (permalink / raw)
To: Wenwen Wang
Cc: Kangjie Lu, Deucher, Alexander, Zhou, David(ChunMing),
David Airlie, Wang, Ken, open list:RADEON and AMDGPU DRM DRIVERS,
open list:DRM DRIVERS, open list
Am 20.10.18 um 22:57 schrieb Wenwen Wang:
> In amdgpu_read_bios_from_rom(), the header of the VBIOS is firstly copied
> to 'header' from an IO memory region through
> amdgpu_asic_read_bios_from_rom(). Then the header is checked to see whether
> it is a valid header. If yes, the whole VBIOS, including the header, is
> then copied to 'adev->bios'. The problem here is that no check is enforced
> on the header after the second copy. Given that the device also has the
> permission to access the IO memory region, it is possible for a malicious
> device controlled by an attacker to modify the header between these two
> copies. By doing so, the attacker can supply compromised VBIOS, which can
> cause undefined behavior of the kernel and introduce potential security
> issues.
>
> This patch rewrites the header in 'adev->bios' using the header acquired in
> the first copy.
As already answered previously this is completely superfluous.
We are not mapping VRAM here, but a flash ROM (Read Only Memory). The
flash rom is not changeable through the mapping.
Additional to that the length check is just to confirm that the rom is
correctly mapped, it doesn't validate the rom in any way.
Regards,
Christian.
>
> Signed-off-by: Wenwen Wang <wang6495@umn.edu>
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
> index a5df80d..ac701f4 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
> @@ -181,6 +181,8 @@ static bool amdgpu_read_bios_from_rom(struct amdgpu_device *adev)
> /* read complete BIOS */
> amdgpu_asic_read_bios_from_rom(adev, adev->bios, len);
>
> + memcpy(adev->bios, header, AMD_VBIOS_SIGNATURE_END);
> +
> if (!check_atom_bios(adev->bios, len)) {
> kfree(adev->bios);
> return false;
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] drm/amdgpu: fix a missing-check bug
@ 2018-10-22 6:55 ` Koenig, Christian
0 siblings, 0 replies; 6+ messages in thread
From: Koenig, Christian @ 2018-10-22 6:55 UTC (permalink / raw)
To: Wenwen Wang
Cc: Zhou, David(ChunMing),
David Airlie, Kangjie Lu, open list,
open list:RADEON and AMDGPU DRM DRIVERS, open list:DRM DRIVERS,
Deucher, Alexander, Wang, Ken
Am 20.10.18 um 22:57 schrieb Wenwen Wang:
> In amdgpu_read_bios_from_rom(), the header of the VBIOS is firstly copied
> to 'header' from an IO memory region through
> amdgpu_asic_read_bios_from_rom(). Then the header is checked to see whether
> it is a valid header. If yes, the whole VBIOS, including the header, is
> then copied to 'adev->bios'. The problem here is that no check is enforced
> on the header after the second copy. Given that the device also has the
> permission to access the IO memory region, it is possible for a malicious
> device controlled by an attacker to modify the header between these two
> copies. By doing so, the attacker can supply compromised VBIOS, which can
> cause undefined behavior of the kernel and introduce potential security
> issues.
>
> This patch rewrites the header in 'adev->bios' using the header acquired in
> the first copy.
As already answered previously this is completely superfluous.
We are not mapping VRAM here, but a flash ROM (Read Only Memory). The
flash rom is not changeable through the mapping.
Additional to that the length check is just to confirm that the rom is
correctly mapped, it doesn't validate the rom in any way.
Regards,
Christian.
>
> Signed-off-by: Wenwen Wang <wang6495@umn.edu>
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
> index a5df80d..ac701f4 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
> @@ -181,6 +181,8 @@ static bool amdgpu_read_bios_from_rom(struct amdgpu_device *adev)
> /* read complete BIOS */
> amdgpu_asic_read_bios_from_rom(adev, adev->bios, len);
>
> + memcpy(adev->bios, header, AMD_VBIOS_SIGNATURE_END);
> +
> if (!check_atom_bios(adev->bios, len)) {
> kfree(adev->bios);
> return false;
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] drm/amdgpu: fix a missing-check bug
@ 2018-10-22 17:51 ` Kuehling, Felix
0 siblings, 0 replies; 6+ messages in thread
From: Kuehling, Felix @ 2018-10-22 17:51 UTC (permalink / raw)
To: Wenwen Wang
Cc: Zhou, David(ChunMing),
David Airlie, Kangjie Lu, open list,
open list:RADEON and AMDGPU DRM DRIVERS, open list:DRM DRIVERS,
Deucher, Alexander, Wang, Ken, Koenig, Christian
The BIOS signature check does not guarantee integrity of the BIOS image
either way. As I understand it, the signature is just a magic number.
It's not a cryptographic signature. The check is just a sanity check.
Therefore this change doesn't add any meaningful protection against the
scenario you described.
Regards,
Felix
On 2018-10-20 4:57 p.m., Wenwen Wang wrote:
> In amdgpu_read_bios_from_rom(), the header of the VBIOS is firstly copied
> to 'header' from an IO memory region through
> amdgpu_asic_read_bios_from_rom(). Then the header is checked to see whether
> it is a valid header. If yes, the whole VBIOS, including the header, is
> then copied to 'adev->bios'. The problem here is that no check is enforced
> on the header after the second copy. Given that the device also has the
> permission to access the IO memory region, it is possible for a malicious
> device controlled by an attacker to modify the header between these two
> copies. By doing so, the attacker can supply compromised VBIOS, which can
> cause undefined behavior of the kernel and introduce potential security
> issues.
>
> This patch rewrites the header in 'adev->bios' using the header acquired in
> the first copy.
>
> Signed-off-by: Wenwen Wang <wang6495@umn.edu>
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
> index a5df80d..ac701f4 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
> @@ -181,6 +181,8 @@ static bool amdgpu_read_bios_from_rom(struct amdgpu_device *adev)
> /* read complete BIOS */
> amdgpu_asic_read_bios_from_rom(adev, adev->bios, len);
>
> + memcpy(adev->bios, header, AMD_VBIOS_SIGNATURE_END);
> +
> if (!check_atom_bios(adev->bios, len)) {
> kfree(adev->bios);
> return false;
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] drm/amdgpu: fix a missing-check bug
@ 2018-10-22 17:51 ` Kuehling, Felix
0 siblings, 0 replies; 6+ messages in thread
From: Kuehling, Felix @ 2018-10-22 17:51 UTC (permalink / raw)
To: Wenwen Wang
Cc: Zhou, David(ChunMing),
David Airlie, Kangjie Lu, open list, open list:DRM DRIVERS,
open list:RADEON and AMDGPU DRM DRIVERS, Deucher, Alexander,
Wang, Ken, Koenig, Christian
The BIOS signature check does not guarantee integrity of the BIOS image
either way. As I understand it, the signature is just a magic number.
It's not a cryptographic signature. The check is just a sanity check.
Therefore this change doesn't add any meaningful protection against the
scenario you described.
Regards,
Felix
On 2018-10-20 4:57 p.m., Wenwen Wang wrote:
> In amdgpu_read_bios_from_rom(), the header of the VBIOS is firstly copied
> to 'header' from an IO memory region through
> amdgpu_asic_read_bios_from_rom(). Then the header is checked to see whether
> it is a valid header. If yes, the whole VBIOS, including the header, is
> then copied to 'adev->bios'. The problem here is that no check is enforced
> on the header after the second copy. Given that the device also has the
> permission to access the IO memory region, it is possible for a malicious
> device controlled by an attacker to modify the header between these two
> copies. By doing so, the attacker can supply compromised VBIOS, which can
> cause undefined behavior of the kernel and introduce potential security
> issues.
>
> This patch rewrites the header in 'adev->bios' using the header acquired in
> the first copy.
>
> Signed-off-by: Wenwen Wang <wang6495@umn.edu>
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
> index a5df80d..ac701f4 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
> @@ -181,6 +181,8 @@ static bool amdgpu_read_bios_from_rom(struct amdgpu_device *adev)
> /* read complete BIOS */
> amdgpu_asic_read_bios_from_rom(adev, adev->bios, len);
>
> + memcpy(adev->bios, header, AMD_VBIOS_SIGNATURE_END);
> +
> if (!check_atom_bios(adev->bios, len)) {
> kfree(adev->bios);
> return false;
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2018-10-22 17:51 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-10-20 20:57 [PATCH] drm/amdgpu: fix a missing-check bug Wenwen Wang
2018-10-20 20:57 ` Wenwen Wang
2018-10-22 6:55 ` Koenig, Christian
2018-10-22 6:55 ` Koenig, Christian
2018-10-22 17:51 ` Kuehling, Felix
2018-10-22 17:51 ` Kuehling, Felix
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.