From: Luis Henriques <luis.henriques@canonical.com>
To: Seiji Aguchi <seiji.aguchi@hds.com>
Cc: Lingzhu Xiang <lxiang@redhat.com>,
	Ben Hutchings <ben@decadent.org.uk>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"stable@vger.kernel.org" <stable@vger.kernel.org>,
	"kernel-team@lists.ubuntu.com" <kernel-team@lists.ubuntu.com>,
	Matthew Garrett <mjg59@srcf.ucam.org>,
	Josh Boyer <jwboyer@redhat.com>, Michael Schroeder <mls@suse.com>,
	"Lee, Chun-Yi" <jlee@suse.com>,
	Matt Fleming <matt.fleming@intel.com>
Subject: Re: [PATCH 097/102] efivars: explicitly calculate length of VariableName
Date: Thu, 11 Apr 2013 10:12:56 +0100
Message-ID: <20130411091256.GA11370@hercules>
In-Reply-To: <A5ED84D3BB3A384992CBB9C77DEDA4D41AF8D09E@USINDEM103.corp.hds.com>

On Wed, Apr 10, 2013 at 03:57:12PM +0000, Seiji Aguchi wrote:
> 
> 
> > -----Original Message-----
> > From: Luis Henriques [mailto:luis.henriques@canonical.com]
> > Sent: Wednesday, April 10, 2013 8:18 AM
> > To: Lingzhu Xiang
> > Cc: Ben Hutchings; Seiji Aguchi; linux-kernel@vger.kernel.org; stable@vger.kernel.org; kernel-team@lists.ubuntu.com; Matthew
> > Garrett; Josh Boyer; Michael Schroeder; Lee, Chun-Yi; Matt Fleming
> > Subject: Re: [PATCH 097/102] efivars: explicitly calculate length of VariableName
> > 
> > On Wed, Apr 10, 2013 at 06:27:13PM +0800, Lingzhu Xiang wrote:
> > > On 04/10/2013 06:45 AM, Ben Hutchings wrote:
> > > >On Mon, 2013-04-08 at 10:50 +0100, Luis Henriques wrote:
> > > >>3.5.7.10 -stable review patch.  If anyone has any objections, please let me know.
> > > >>
> > > >>------------------
> > > >>
> > > >>From: Matt Fleming <matt.fleming@intel.com>
> > > >>
> > > >>commit ec50bd32f1672d38ddce10fb1841cbfda89cfe9a upstream.
> > > >>
> > > >>It's not wise to assume VariableNameSize represents the length of
> > > >>VariableName, as not all firmware updates VariableNameSize in the
> > > >>same way (some don't update it at all if EFI_SUCCESS is returned).
> > > >>There are even implementations out there that update
> > > >>VariableNameSize with values that are both larger than the string
> > > >>returned in VariableName and smaller than the buffer passed to
> > > >>GetNextVariableName(), which resulted in the following bug report
> > > >>from Michael Schroeder,
> > > >>
> > > >>   > On HP z220 system (firmware version 1.54), some EFI variables are
> > > >>   > incorrectly named :
> > > >>   >
> > > >>   > ls -d /sys/firmware/efi/vars/*8be4d* | grep -v -- -8be returns
> > > >>   > /sys/firmware/efi/vars/dbxDefault-pport8be4df61-93ca-11d2-aa0d-00e098032b8c
> > > >>   > /sys/firmware/efi/vars/KEKDefault-pport8be4df61-93ca-11d2-aa0d-00e098032b8c
> > > >>   > /sys/firmware/efi/vars/SecureBoot-pport8be4df61-93ca-11d2-aa0d-00e098032b8c
> > > >>   >
> > > >>   > /sys/firmware/efi/vars/SetupMode-Information8be4df61-93ca-11d2-aa0d-00e098032b8c
> > > >>
> > > >>The issue here is that because we blindly use VariableNameSize
> > > >>without verifying its value, we can potentially read garbage values
> > > >>from the buffer containing VariableName if VariableNameSize is
> > > >>larger than the length of VariableName.
> > > >>
> > > >>Since VariableName is a string, we can calculate its size by
> > > >>searching for the terminating NULL character.
> > > >>
> > > >>Reported-by: Frederic Crozat <fcrozat@suse.com>
> > > >>Cc: Matthew Garrett <mjg59@srcf.ucam.org>
> > > >>Cc: Josh Boyer <jwboyer@redhat.com>
> > > >>Cc: Michael Schroeder <mls@suse.com>
> > > >>Cc: Lee, Chun-Yi <jlee@suse.com>
> > > >>Cc: Lingzhu Xiang <lxiang@redhat.com>
> > > >>Cc: Seiji Aguchi <seiji.aguchi@hds.com>
> > > >>Signed-off-by: Matt Fleming <matt.fleming@intel.com> [ Backported
> > > >>for 3.4-stable. Removed workqueue code added in a93bc0c 3.9-rc1. ]
> > > >[...]
> > > >
> > > >I thought the workqueue addition was a worthwhile fix in its own
> > > >right, so for 3.2.y I cherry-picked that as well.
> > >
> > > FWIW, the workqueue patch is 1/2 of this patchset[1] fixing closely
> > > related problems. The other one is 81fa4e58.
> > >
> > > [1]: http://article.gmane.org/gmane.linux.kernel/1439570
> > >
> > > I tried to avoid pulling too much for stable because the patchset is
> > > quite large and I suspect the problem it fixes is only theoretical.
> > > I reported the original bug but was unable to break anything except
> > > getting call traces with various CONFIG_DEBUG_*.
> > >
> > > What's your opinion, Seiji?
> > 
> > Ok, so just to clarify: you're suggesting me to pick the following commits:
> > 
> > 81fa4e581d9283f7992a0d8c534bb141eb840a14 efivars: Disable external interrupt while holding efivars->lock
> > a93bc0c6e07ed9bac44700280e65e2945d864fd4 efi_pstore: Introducing workqueue updating sysfs
> > ec50bd32f1672d38ddce10fb1841cbfda89cfe9a efivars: explicitly calculate length of VariableName
> > e971318bbed610e28bb3fde9d548e6aaf0a6b02e efivars: Handle duplicate names from get_next_variable()
> 
> I agree to add these commits to a stable tree.
> 
Thank you Seiji.  I'll queue these for the next 3.5 kernel.

Cheers,
--
Luis
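The commit message quoted above explains the bug and the fix in prose: the pre-fix efivars code copied `VariableNameSize / 2` code units of `VariableName` into the sysfs name, so a stale or inflated `VariableNameSize` pulled leftover bytes from the previous, longer name into the new one, which is exactly the `dbxDefault-pport8be4df61-...` shape in Michael Schroeder's report. The fix derives the size from the UTF-16 string itself by searching for the terminating NUL within the buffer. The following C program is an added example written for this page, not the kernel's code and not part of the thread; it models the old name-building logic (`build_sysfs_name`), the bounded-length replacement (`variable_name_size`), and a constructed firmware scenario (`run_scenario`, with the assumed names `SecureBootSupport` and `dbxDefault` and the EFI global-variable GUID from the report) where the second GetNextVariableName() call returns a shorter name but leaves the size field stale. It also shows the edge case the kernel must reject: a buffer with no terminator at all.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t efi_char16_t;

#define NAME_BUF_BYTES 1024  /* size of the buffer handed to GetNextVariableName() (assumed) */
#define GUID_STR "8be4df61-93ca-11d2-aa0d-00e098032b8c"  /* vendor GUID seen in the bug report */

/* Bounded UTF-16 length in code units: stops at the first NUL or at max_units. */
static size_t ucs2_strnlen(const efi_char16_t *s, size_t max_units)
{
    size_t n = 0;
    while (n < max_units && s[n] != 0)
        n++;
    return n;
}

/* Size in bytes of VariableName including its terminator, computed from the
 * string itself rather than the firmware-reported VariableNameSize.
 * Returns 0 when no terminator lies inside the buffer (caller must skip it). */
size_t variable_name_size(const efi_char16_t *name, size_t buf_bytes)
{
    size_t max_units = buf_bytes / sizeof(efi_char16_t);
    size_t len = ucs2_strnlen(name, max_units);
    if (len == max_units)
        return 0;                       /* unterminated: refuse to guess */
    return (len + 1) * sizeof(efi_char16_t);
}

/* Model of the pre-fix sysfs name construction: copy name_bytes/2 code units
 * (low byte only), write '-' where the C string ends, then append the GUID.
 * With an inflated name_bytes the '-' overwrites the real NUL, so stale bytes
 * after it become part of the name. */
void build_sysfs_name(const efi_char16_t *name, size_t name_bytes, char *out, size_t out_len)
{
    size_t units = name_bytes / sizeof(efi_char16_t);
    memset(out, 0, out_len);
    for (size_t i = 0; i < units && i < out_len - 1; i++)
        out[i] = (char)(name[i] & 0xFF);
    size_t pos = strlen(out);
    if (pos + 1 < out_len)
        out[pos] = '-';
    strncat(out, GUID_STR, out_len - strlen(out) - 1);
}

/* Writes an ASCII string into a UTF-16 buffer, NUL-terminated (constructed helper). */
static void fill_ucs2(efi_char16_t *dst, const char *ascii)
{
    size_t i = 0;
    for (; ascii[i]; i++)
        dst[i] = (efi_char16_t)(unsigned char)ascii[i];
    dst[i] = 0;
}

static char naive_out[128], fixed_out[128];

/* Constructed scenario: the firmware first returns L"SecureBootSupport" with
 * VariableNameSize = 36, then L"dbxDefault" but leaves VariableNameSize stale.
 * Returns 0 on success, -1 if the fixed path rejects the buffer. */
int run_scenario(void)
{
    static efi_char16_t buf[NAME_BUF_BYTES / sizeof(efi_char16_t)];
    fill_ucs2(buf, "SecureBootSupport");
    size_t reported = (strlen("SecureBootSupport") + 1) * sizeof(efi_char16_t); /* 36 */
    fill_ucs2(buf, "dbxDefault");      /* shorter name, size field not updated */

    build_sysfs_name(buf, reported, naive_out, sizeof naive_out);  /* trusts the stale size */
    size_t real = variable_name_size(buf, sizeof buf);              /* 22 bytes */
    if (real == 0)
        return -1;
    build_sysfs_name(buf, real, fixed_out, sizeof fixed_out);
    return 0;
}

const char *naive_name(void) { return run_scenario() == 0 ? naive_out : ""; }
const char *fixed_name(void) { return run_scenario() == 0 ? fixed_out : ""; }

/* Edge case: a buffer full of 'A' with no NUL must be rejected, not measured. */
size_t unterminated_size(void)
{
    efi_char16_t buf[8];
    for (size_t i = 0; i < 8; i++)
        buf[i] = 'A';
    return variable_name_size(buf, sizeof buf);
}

int main(void)
{
    if (run_scenario() != 0)
        return 1;
    printf("trusting VariableNameSize : %s\n", naive_out);
    printf("length from the string    : %s\n", fixed_out);
    printf("unterminated buffer rejected: %s\n", unterminated_size() == 0 ? "yes" : "no");
    return 0;
}
```

Running it prints `dbxDefault-upport8be4df61-...` for the naive path and `dbxDefault-8be4df61-...` for the bounded one; the only difference between the two is where the byte count comes from. The same bounded search is what makes the follow-up commit about duplicate names meaningful, since once names are measured correctly two calls can legitimately yield the same string and the kernel has to handle that rather than register a second sysfs entry.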
