From: Ard Biesheuvel <ardb@kernel.org>
To: linux-efi@vger.kernel.org, Ingo Molnar <mingo@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>
Cc: Ard Biesheuvel <ardb@kernel.org>,
linux-kernel@vger.kernel.org,
Arvind Sankar <nivedita@alum.mit.edu>,
Christoph Hellwig <hch@lst.de>,
David Hildenbrand <david@redhat.com>,
Davidlohr Bueso <dave@stgolabs.net>,
Guenter Roeck <linux@roeck-us.net>,
Heinrich Schuchardt <xypron.glpk@gmx.de>,
Jonathan Corbet <corbet@lwn.net>,
Lukas Bulwahn <lukas.bulwahn@gmail.com>,
Masahiro Yamada <masahiroy@kernel.org>,
Nikolai Merinov <n.merinov@inango-systems.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
Vladis Dronov <vdronov@redhat.com>
Subject: [PATCH 23/28] efi: fix a race and a buffer overflow while reading efivars via sysfs
Date: Sun, 8 Mar 2020 09:08:54 +0100 [thread overview]
Message-ID: <20200308080859.21568-24-ardb@kernel.org> (raw)
In-Reply-To: <20200308080859.21568-1-ardb@kernel.org>
From: Vladis Dronov <vdronov@redhat.com>
There is a race and a buffer overflow corrupting a kernel memory while
reading an efi variable with a size more than 1024 bytes via the older
sysfs method. This happens because accessing struct efi_variable in
efivar_{attr,size,data}_read() and friends is not protected from
a concurrent access leading to a kernel memory corruption and, at best,
to a crash. The race scenario is the following:
CPU0: CPU1:
efivar_attr_read()
var->DataSize = 1024;
efivar_entry_get(... &var->DataSize)
down_interruptible(&efivars_lock)
efivar_attr_read() // same efi var
var->DataSize = 1024;
efivar_entry_get(... &var->DataSize)
down_interruptible(&efivars_lock)
virt_efi_get_variable()
// returns EFI_BUFFER_TOO_SMALL but
// var->DataSize is set to a real
// var size more than 1024 bytes
up(&efivars_lock)
virt_efi_get_variable()
// called with var->DataSize set
// to a real var size, returns
// successfully and overwrites
// a 1024-bytes kernel buffer
up(&efivars_lock)
This can be reproduced by concurrent reading of an efi variable which size
is more than 1024 bytes:
ts# for cpu in $(seq 0 $(nproc --ignore=1)); do ( taskset -c $cpu \
cat /sys/firmware/efi/vars/KEKDefault*/size & ) ; done
Fix this by using a local variable for a var's data buffer size so it
does not get overwritten.
Fixes: e14ab23dde12b80d ("efivars: efivar_entry API")
Reported-by: Bob Sanders <bob.sanders@hpe.com> and the LTP testsuite
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Link: https://lore.kernel.org/r/20200305084041.24053-2-vdronov@redhat.com
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
drivers/firmware/efi/efivars.c | 29 ++++++++++++++++++++---------
1 file changed, 20 insertions(+), 9 deletions(-)
diff --git a/drivers/firmware/efi/efivars.c b/drivers/firmware/efi/efivars.c
index d309abca5091..485c592d7990 100644
--- a/drivers/firmware/efi/efivars.c
+++ b/drivers/firmware/efi/efivars.c
@@ -83,13 +83,16 @@ static ssize_t
efivar_attr_read(struct efivar_entry *entry, char *buf)
{
struct efi_variable *var = &entry->var;
+ unsigned long size = sizeof(var->Data);
char *str = buf;
+ int ret;
if (!entry || !buf)
return -EINVAL;
- var->DataSize = 1024;
- if (efivar_entry_get(entry, &var->Attributes, &var->DataSize, var->Data))
+ ret = efivar_entry_get(entry, &var->Attributes, &size, var->Data);
+ var->DataSize = size;
+ if (ret)
return -EIO;
if (var->Attributes & EFI_VARIABLE_NON_VOLATILE)
@@ -116,13 +119,16 @@ static ssize_t
efivar_size_read(struct efivar_entry *entry, char *buf)
{
struct efi_variable *var = &entry->var;
+ unsigned long size = sizeof(var->Data);
char *str = buf;
+ int ret;
if (!entry || !buf)
return -EINVAL;
- var->DataSize = 1024;
- if (efivar_entry_get(entry, &var->Attributes, &var->DataSize, var->Data))
+ ret = efivar_entry_get(entry, &var->Attributes, &size, var->Data);
+ var->DataSize = size;
+ if (ret)
return -EIO;
str += sprintf(str, "0x%lx\n", var->DataSize);
@@ -133,12 +139,15 @@ static ssize_t
efivar_data_read(struct efivar_entry *entry, char *buf)
{
struct efi_variable *var = &entry->var;
+ unsigned long size = sizeof(var->Data);
+ int ret;
if (!entry || !buf)
return -EINVAL;
- var->DataSize = 1024;
- if (efivar_entry_get(entry, &var->Attributes, &var->DataSize, var->Data))
+ ret = efivar_entry_get(entry, &var->Attributes, &size, var->Data);
+ var->DataSize = size;
+ if (ret)
return -EIO;
memcpy(buf, var->Data, var->DataSize);
@@ -250,14 +259,16 @@ efivar_show_raw(struct efivar_entry *entry, char *buf)
{
struct efi_variable *var = &entry->var;
struct compat_efi_variable *compat;
+ unsigned long datasize = sizeof(var->Data);
size_t size;
+ int ret;
if (!entry || !buf)
return 0;
- var->DataSize = 1024;
- if (efivar_entry_get(entry, &entry->var.Attributes,
- &entry->var.DataSize, entry->var.Data))
+ ret = efivar_entry_get(entry, &var->Attributes, &datasize, var->Data);
+ var->DataSize = datasize;
+ if (ret)
return -EIO;
if (in_compat_syscall()) {
--
2.17.1
next prev parent reply other threads:[~2020-03-08 8:10 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-08 8:08 [GIT PULL 00/28] More EFI fixes for v5.7 Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 01/28] efi/x86: Add TPM related EFI tables to unencrypted mapping checks Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 02/28] efi/x86: Add RNG seed EFI table to unencrypted mapping check Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 03/28] efi: don't shadow i in efi_config_parse_tables() Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 04/28] efi/arm: clean EFI stub exit code from cache instead of avoiding it Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 05/28] efi/arm64: " Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 06/28] efi: mark all EFI runtime services as unsupported on non-EFI boot Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 07/28] MAINTAINERS: adjust EFI entry to removing eboot.c Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 08/28] efi/libstub: add libstub/mem.c to documentation tree Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 09/28] efi/x86: Annotate the LOADED_IMAGE_PROTOCOL_GUID with SYM_DATA Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 10/28] efi/x86: Respect 32-bit ABI in efi32_pe_entry Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 11/28] efi/x86: Make efi32_pe_entry more readable Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 12/28] efi/x86: Avoid using code32_start Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 13/28] x86/boot: Use unsigned comparison for addresses Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 14/28] efi/libstub/x86: deal with exit() boot service returning Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 15/28] x86/boot/compressed/32: Save the output address instead of recalculating it Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 16/28] efi/x86: Decompress at start of PE image load address Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 17/28] efi/x86: Add kernel preferred address to PE header Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 18/28] efi/x86: Remove extra headroom for setup block Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 19/28] efi/x86: Don't relocate the kernel unless necessary Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 20/28] efi/x86: ignore memory attributes table on i386 Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 21/28] efi/x86: preserve %ebx correctly in efi_set_virtual_address_map() Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 22/28] efi/libstub: avoid linking libstub/lib-ksyms.o into vmlinux Ard Biesheuvel
2020-03-08 8:08 ` Ard Biesheuvel [this message]
2020-03-08 8:08 ` [PATCH 24/28] efi: add a sanity check to efivar_store_raw() Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 25/28] efi: fix a mistype in comments mentioning efivar_entry_iter_begin() Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 26/28] efi/libstub/x86: use ULONG_MAX as upper bound for all allocations Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 27/28] efi/x86: Fix cast of image argument Ard Biesheuvel
2020-03-08 8:08 ` [PATCH 28/28] partitions/efi: Fix partition name parsing in GUID partition entry Ard Biesheuvel
2020-03-08 9:00 ` [GIT PULL 00/28] More EFI fixes for v5.7 Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200308080859.21568-24-ardb@kernel.org \
--to=ardb@kernel.org \
--cc=corbet@lwn.net \
--cc=dave@stgolabs.net \
--cc=david@redhat.com \
--cc=hch@lst.de \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=lukas.bulwahn@gmail.com \
--cc=masahiroy@kernel.org \
--cc=mingo@kernel.org \
--cc=n.merinov@inango-systems.com \
--cc=nivedita@alum.mit.edu \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=vdronov@redhat.com \
--cc=xypron.glpk@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.