LKML Archive on lore.kernel.org
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: Ingo Molnar <mingo@kernel.org>
Cc: linux-efi <linux-efi@vger.kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Andy Lutomirski <luto@kernel.org>,
	Arend Van Spriel <arend.vanspriel@broadcom.com>,
	Bhupesh Sharma <bhsharma@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	Dave Hansen <dave.hansen@intel.com>,
	Eric Snowberg <eric.snowberg@oracle.com>,
	Hans de Goede <hdegoede@redhat.com>,
	Joe Perches <joe@perches.com>, Jon Hunter <jonathanh@nvidia.com>,
	Julien Thierry <julien.thierry@arm.com>,
	Marc Zyngier <marc.zyngier@arm.com>,
	Nathan Chancellor <natechancellor@gmail.com>,
	Peter Zijlstra <peterz@infradead.org>,
	"Prakhya, Sai Praneeth" <sai.praneeth.prakhya@intel.com>,
	Sedat Dilek <sedat.dilek@gmail.com>,
	YiFei Zhu <zhuyifei1999@gmail.com>
Subject: Re: [PATCH 08/11] firmware: efi: add NULL pointer checks in efivars api functions
Date: Fri, 30 Nov 2018 09:37:44 +0100
Message-ID: <CAKv+Gu8VeYbna2ZSo=sVQEahrKnkHE5HySag1kR4nLpNBBuN9A@mail.gmail.com> (raw)
In-Reply-To: <20181130081159.GD16084@gmail.com>

On Fri, 30 Nov 2018 at 09:12, Ingo Molnar <mingo@kernel.org> wrote:
>
>
> * Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>
> > From: Arend van Spriel <arend.vanspriel@broadcom.com>
> >
> > Since commit:
> >
> >    ce2e6db554fa ("brcmfmac: Add support for getting nvram contents from
> >                  EFI variables")
>
> This commit ID is not upstream AFAICS. Which tree is it from? Mentioning
> non-upstream sha1's is discouraged in changelogs, as there's no guarantee
> that the sha1 will make it upstream.
>

This is a commit ID from Arend's own tree which is pulled into -next,
so I assumed that he'd only include commit IDs like this if they are
stable.

In any case, the fix itself is rather obvious, so much of the context
provided by the commit log could be summarized as '__efivars may be
NULL so check for that before you dereference it'.

> > we have a device driver accessing the efivars API. Several functions in
> > the efivars API assume __efivars is set, i.e., that they will be accessed
> > only after efivars_register() has been called. However, the following NULL
> > pointer access was reported calling efivar_entry_size() from the brcmfmac
> > device driver.
> >
> >   Unable to handle kernel NULL pointer dereference at virtual address 00000008
> >   pgd = 60bfa5f1
> >   [00000008] *pgd=00000000
> >   Internal error: Oops: 5 [#1] SMP ARM
> >   ...
> >   Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
> >   Workqueue: events request_firmware_work_func
> >   PC is at efivar_entry_size+0x28/0x90
> >   LR is at brcmf_fw_complete_request+0x3f8/0x8d4 [brcmfmac]
> >   pc : [<c0c40718>]    lr : [<bf2a3ef4>]    psr: a00d0113
> >   sp : ede7fe28  ip : ee983410  fp : c1787f30
> >   r10: 00000000  r9 : 00000000  r8 : bf2b2258
> >   r7 : ee983000  r6 : c1604c48  r5 : ede7fe88  r4 : edf337c0
> >   r3 : 00000000  r2 : 00000000  r1 : ede7fe88  r0 : c17712c8
> >   Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
> >   Control: 10c5387d  Table: ad16804a  DAC: 00000051
> >
> > Disassembly showed that the local static variable __efivars is NULL,
> > which is not entirely unexpected given that it is a non-EFI platform.
> > So add a NULL pointer check to efivar_entry_size(), and to related
> > functions while at it. In efivars_register() a couple of sanity checks
> > are added as well.
> >
> > Cc: Hans de Goede <hdegoede@redhat.com>
> > Reported-by: Jon Hunter <jonathanh@nvidia.com>
> > Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
> > Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>
> Will that new commit be backported? If yes I suppose we could mark this
> fix -stable too? If not then it's fine for a v4.21 merge.
>

That commit is not -stable material at all, as far as I can tell.
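The pattern the quoted commit message describes, modelled in userspace C as an added example (this is not the kernel's efivars code; every name here, `__toy_vars`, `toy_vars_register()`, `toy_var_entry_size()`, `fake_ops`, is a hypothetical stand-in). A static back-end pointer stays NULL until a registration call publishes it, which on a non-EFI platform never happens; the accessor therefore checks the pointer and returns -ENODEV instead of faulting, and the register function refuses a NULL or incomplete ops table and a double registration, mirroring the "couple of sanity checks" the patch adds to efivars_register(). Locking around the pointer is omitted to keep the model small.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical back-end operations table, in the spirit of efivar_operations. */
struct toy_var_ops {
	int (*get_size)(const char *name, size_t *size);
};

struct toy_vars {
	const struct toy_var_ops *ops;
};

/* Stand-in for __efivars: NULL until toy_vars_register() runs, which on a
 * platform without the back-end never happens. */
static struct toy_vars *__toy_vars;

/* Registration with the sanity checks the patch describes: reject a NULL
 * vars or ops pointer, an ops table missing its callback, and re-registration. */
int toy_vars_register(struct toy_vars *vars, const struct toy_var_ops *ops)
{
	if (!vars || !ops || !ops->get_size)
		return -EINVAL;
	if (__toy_vars)
		return -EBUSY;
	vars->ops = ops;
	__toy_vars = vars;
	return 0;
}

int toy_vars_unregister(struct toy_vars *vars)
{
	if (!__toy_vars || __toy_vars != vars)
		return -EINVAL;
	__toy_vars = NULL;
	return 0;
}

/* Stand-in for efivar_entry_size(): the unpatched form would dereference
 * __toy_vars unconditionally and oops when nothing has registered; the guarded
 * form turns that into a clean -ENODEV the caller can handle. */
int toy_var_entry_size(const char *name, size_t *size)
{
	if (!name || !size)
		return -EINVAL;
	if (!__toy_vars)
		return -ENODEV;
	return __toy_vars->ops->get_size(name, size);
}

/* Constructed back-end used only by the scenario below. */
static int fake_get_size(const char *name, size_t *size)
{
	*size = strlen(name) * 2;	/* arbitrary constructed value */
	return 0;
}

static const struct toy_var_ops fake_ops = { .get_size = fake_get_size };
static struct toy_vars fake_vars;

/* Walks the lifecycle a driver like brcmfmac would hit: query before anything
 * registered, bad and good registration, a real query, and query after
 * unregistration. Returns 0 if every step behaved, else the failing step. */
int toy_scenario(void)
{
	size_t sz = 0;

	if (toy_var_entry_size("nvram", &sz) != -ENODEV)
		return 1;	/* must not crash: nothing registered yet */
	if (toy_vars_register(&fake_vars, NULL) != -EINVAL)
		return 2;
	if (toy_vars_register(&fake_vars, &fake_ops) != 0)
		return 3;
	if (toy_vars_register(&fake_vars, &fake_ops) != -EBUSY)
		return 4;
	if (toy_var_entry_size("nvram", &sz) != 0 || sz != 10)
		return 5;
	if (toy_vars_unregister(&fake_vars) != 0)
		return 6;
	if (toy_var_entry_size("nvram", &sz) != -ENODEV)
		return 7;	/* pointer cleared again, accessor stays safe */
	return 0;
}

int main(void)
{
	int rc = toy_scenario();

	printf("scenario %s (step %d)\n", rc ? "failed" : "passed", rc);
	return rc;
}
```

The scenario leaves `__toy_vars` NULL when it finishes, so it can be run repeatedly; the point to take from it is that an API backed by a lazily registered static pointer needs the NULL check in every entry point, not only in the one a reporter happened to trip over.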


Thread overview: 50+ messages
2018-11-29 17:12 [GIT PULL 00/11] EFI updates Ard Biesheuvel
2018-11-29 17:12 ` [PATCH 01/11] x86/efi: Allocate e820 buffer before calling efi_exit_boot_service Ard Biesheuvel
2018-11-30  7:29   ` Ingo Molnar
2018-11-30  8:26     ` Ard Biesheuvel
2018-11-30  8:36       ` Ingo Molnar
2018-11-30  9:55   ` [tip:efi/core] " tip-bot for Eric Snowberg
2018-11-29 17:12 ` [PATCH 02/11] efi/fdt: Indentation fix Ard Biesheuvel
2018-11-30  7:56   ` [PATCH] efi/fdt: More cleanups Ingo Molnar
2018-11-30  8:31     ` Ard Biesheuvel
2018-11-30  9:48       ` Ingo Molnar
2018-11-30  9:56   ` [tip:efi/core] efi/fdt: Indentation fix tip-bot for Julien Thierry
2018-11-29 17:12 ` [PATCH 03/11] efi/fdt: Simplify get_fdt flow Ard Biesheuvel
2018-11-30  9:57   ` [tip:efi/core] efi/fdt: Simplify the get_fdt() flow tip-bot for Julien Thierry
2018-11-29 17:12 ` [PATCH 04/11] x86/mm/pageattr: Introduce helper function to unmap EFI boot services Ard Biesheuvel
2018-11-30  9:58   ` [tip:efi/core] " tip-bot for Sai Praneeth Prakhya
2018-11-29 17:12 ` [PATCH 05/11] x86/efi: Unmap EFI boot services code/data regions from efi_pgd Ard Biesheuvel
2018-11-30  9:58   ` [tip:efi/core] " tip-bot for Sai Praneeth Prakhya
2018-12-17 18:06     ` Prakhya, Sai Praneeth
2018-12-17 18:10       ` Ard Biesheuvel
2018-12-17 18:42         ` Prakhya, Sai Praneeth
2018-12-17 19:35           ` Ard Biesheuvel
2018-12-17 19:48             ` Prakhya, Sai Praneeth
2018-12-21 17:02               ` Ard Biesheuvel
2018-12-21 17:13                 ` Borislav Petkov
2018-12-21 17:26                   ` Ard Biesheuvel
2018-12-21 19:29                     ` Borislav Petkov
2018-12-22 11:07                       ` Ard Biesheuvel
2019-01-07 15:57                         ` Matt Fleming
2018-12-21 17:52                 ` Prakhya, Sai Praneeth
2018-11-29 17:12 ` [PATCH 06/11] x86/efi: Move efi_<reserve/free>_boot_services() to arch/x86 Ard Biesheuvel
2018-11-30  9:59   ` [tip:efi/core] " tip-bot for Sai Praneeth Prakhya
2018-11-29 17:12 ` [PATCH 07/11] efi/libstub: Disable some warnings for x86{,_64} Ard Biesheuvel
2018-11-30  9:59   ` [tip:efi/core] " tip-bot for Nathan Chancellor
2018-11-29 17:12 ` [PATCH 08/11] firmware: efi: add NULL pointer checks in efivars api functions Ard Biesheuvel
2018-11-30  8:11   ` Ingo Molnar
2018-11-30  8:37     ` Ard Biesheuvel [this message]
2018-11-30  9:56   ` [tip:efi/core] firmware/efi: Add NULL pointer checks in efivars API functions tip-bot for Arend van Spriel
2018-11-29 17:12 ` [PATCH 09/11] efi: permit multiple entries in persistent memreserve data structure Ard Biesheuvel
2018-11-30 10:00   ` [tip:efi/core] efi: Permit " tip-bot for Ard Biesheuvel
2018-11-29 17:12 ` [PATCH 10/11] efi: reduce the amount of memblock reservations for persistent allocations Ard Biesheuvel
2018-11-30  8:38   ` Ingo Molnar
2018-11-30  8:39     ` Ard Biesheuvel
2018-11-30 10:00   ` [tip:efi/core] efi: Reduce " tip-bot for Ard Biesheuvel
2018-11-29 17:12 ` [PATCH 11/11] efi/x86: earlyprintk - Fix infinite loop on some screen widths Ard Biesheuvel
2018-11-30  8:05   ` Ingo Molnar
2018-11-30  8:32     ` Ard Biesheuvel
2018-11-30  9:55   ` [tip:efi/core] x86/earlyprintk/efi: " tip-bot for YiFei Zhu
2018-11-29 18:27 ` [GIT PULL 00/11] EFI updates Prakhya, Sai Praneeth
2018-11-30 12:01   ` Ard Biesheuvel
2018-11-30 18:01     ` Prakhya, Sai Praneeth
