Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2993458AbbHHW3o (ORCPT ); Sat, 8 Aug 2015 18:29:44 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:36549 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2993538AbbHHWSI (ORCPT ); Sat, 8 Aug 2015 18:18:08 -0400 From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ricardo Neri , Dave Young , Matt Fleming Subject: [PATCH 4.1 092/123] efi: Check for NULL efi kernel parameters Date: Sat, 8 Aug 2015 15:09:30 -0700 Message-Id: <20150808220720.934974775@linuxfoundation.org> X-Mailer: git-send-email 2.5.0 In-Reply-To: <20150808220717.771230091@linuxfoundation.org> References: <20150808220717.771230091@linuxfoundation.org> User-Agent: quilt/0.64 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3262 Lines: 85 4.1-stable review patch. If anyone has any objections, please let me know. ------------------ From: Ricardo Neri commit 9115c7589b11349a1c3099758b4bded579ff69e0 upstream. Even though it is documented how to specifiy efi parameters, it is possible to cause a kernel panic due to a dereference of a NULL pointer when parsing such parameters if "efi" alone is given: PANIC: early exception 0e rip 10:ffffffff812fb361 error 0 cr2 0 [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.2.0-rc1+ #450 [ 0.000000] ffffffff81fe20a9 ffffffff81e03d50 ffffffff8184bb0f 00000000000003f8 [ 0.000000] 0000000000000000 ffffffff81e03e08 ffffffff81f371a1 64656c62616e6520 [ 0.000000] 0000000000000069 000000000000005f 0000000000000000 0000000000000000 [ 0.000000] Call Trace: [ 0.000000] [] dump_stack+0x45/0x57 [ 0.000000] [] early_idt_handler_common+0x81/0xae [ 0.000000] [] ? parse_option_str+0x11/0x90 [ 0.000000] [] arch_parse_efi_cmdline+0x15/0x42 [ 0.000000] [] do_early_param+0x50/0x8a [ 0.000000] [] parse_args+0x1e3/0x400 [ 0.000000] [] parse_early_options+0x24/0x28 [ 0.000000] [] ? loglevel+0x31/0x31 [ 0.000000] [] parse_early_param+0x31/0x3d [ 0.000000] [] setup_arch+0x2de/0xc08 [ 0.000000] [] ? vprintk_default+0x1a/0x20 [ 0.000000] [] start_kernel+0x90/0x423 [ 0.000000] [] x86_64_start_reservations+0x2a/0x2c [ 0.000000] [] x86_64_start_kernel+0xeb/0xef [ 0.000000] RIP 0xffffffff81ba2efc This panic is not reproducible with "efi=" as this will result in a non-NULL zero-length string. Thus, verify that the pointer to the parameter string is not NULL. This is consistent with other parameter-parsing functions which check for NULL pointers. Signed-off-by: Ricardo Neri Cc: Dave Young Signed-off-by: Matt Fleming Signed-off-by: Greg Kroah-Hartman --- arch/x86/platform/efi/efi.c | 5 +++++ drivers/firmware/efi/efi.c | 5 +++++ 2 files changed, 10 insertions(+) --- a/arch/x86/platform/efi/efi.c +++ b/arch/x86/platform/efi/efi.c @@ -946,6 +946,11 @@ u64 efi_mem_attributes(unsigned long phy static int __init arch_parse_efi_cmdline(char *str) { + if (!str) { + pr_warn("need at least one option\n"); + return -EINVAL; + } + if (parse_option_str(str, "old_map")) set_bit(EFI_OLD_MEMMAP, &efi.flags); if (parse_option_str(str, "debug")) --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -57,6 +57,11 @@ bool efi_runtime_disabled(void) static int __init parse_efi_cmdline(char *str) { + if (!str) { + pr_warn("need at least one option\n"); + return -EINVAL; + } + if (parse_option_str(str, "noruntime")) disable_runtime = true; -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/