Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp107798imm; Thu, 2 Aug 2018 14:59:35 -0700 (PDT) X-Google-Smtp-Source: AAOMgpcynP8wcTKLkuHAdWvHdoWK99KlICkGWMtSX0S4/fdE433DPvMn/td/5cF2vIE2a1R+mszf X-Received: by 2002:a62:ccd0:: with SMTP id j77-v6mr1337815pfk.22.1533247175122; Thu, 02 Aug 2018 14:59:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1533247175; cv=none; d=google.com; s=arc-20160816; b=O4r8/MVFKWBxm2RM0DIPhEPr7xfWQx3Ny2z+Qk36FkUMytEYOVP41mDoZbCjr2u8RR M7sRLWoh/2wDdzmlKpL/ABWIjmounF47s7jrkwmif7zalWNsUxr6pmRPCIqKjjtHbH2v aZaSh9fThuOKDc32lzx3hRr68ZzgwU08vnEoFIoaVb9+yOifWKSgckAq/H0Gh08OOOaM ibhJhI9dyFcjPS4sQl8sThuF3Ryl50cUTqe+D/I8kn9VlndPpB7HatvBVwR0qH/7mgMG CD+wsdGTPQyzyMoPkIFfB0CHs9/z5HIuMJE8+7V5AS8sIqVXvq/l3R9K91V64ud3M53G JCKQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=lZoXoCjhluTonOoqdhV6Nm6tZqEE60eT6JxdcCWxRCM=; b=r7fADw5iKEQw6JyNOB38jKAtn+cFyO0jhHzcMt/0wyjrBlwA4B+3ttYRHzyhl8zuv6 LA+9zHzn6fK7W1r1LAojt3/HEFP6ijVtHMynbukMzyO6yqyp6qw0aY03b/3Ha9OrStbo MppNt1Z0xa7Wn5ibHVwMdKdatb66duvEoqNxXxEhLLowc80Y0QEIFYdHF3YjydqZxoMY X/G1wriInNo4GLwgrnpDnXzqo35f/8V0aA6ZYIBiIeBwcmEOgpNST/gJyIQ73KNcOrZU SUKeKRWDrqIK8FHA6TcBnzhIiPe51RfJWM/bE4OETXKklo//xQYcmv18pTz8FyYoSeWe l3mQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=i4eQi7tv; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q7-v6si2408785pll.142.2018.08.02.14.59.19; Thu, 02 Aug 2018 14:59:35 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=i4eQi7tv; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732391AbeHBXvY (ORCPT + 99 others); Thu, 2 Aug 2018 19:51:24 -0400 Received: from mail.kernel.org ([198.145.29.99]:49892 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731993AbeHBXvY (ORCPT ); Thu, 2 Aug 2018 19:51:24 -0400 Received: from mail-ua0-f180.google.com (mail-ua0-f180.google.com [209.85.217.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 0DD24215A5 for ; Thu, 2 Aug 2018 21:58:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1533247099; bh=QiuJhli4BHzGR6J/+S50jblvyMhFbNi+cdPQ+6o6+Cs=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=i4eQi7tv/ZmbfSQBBfV8GHmR946lbsy9jAgFXJ3oU66TnWPiSF8dBqJ2jGhpXtkdl WYNxgNfKtrsqawfFYlEx8vjzVj3HR5KO1BCb6WDDCnu0RgVpRhOs+5j+hI0lQpv0+z 6n9P3qUIMZ5rILI087kbKejhfMjQANpwGEJqMi5A= Received: by mail-ua0-f180.google.com with SMTP id g18-v6so2514992uam.6 for ; Thu, 02 Aug 2018 14:58:19 -0700 (PDT) X-Gm-Message-State: AOUpUlHrrNraQCSiow+IYs2WZrQFjrPRWCePylAy9rblajzQTpT7uLML HM6UIx1rjx/Zk8DPUhpdbaH1qy9nPm9K0w2ovf8= X-Received: by 2002:ab0:240b:: with SMTP id f11-v6mr902246uan.137.1533247098185; Thu, 02 Aug 2018 14:58:18 -0700 (PDT) MIME-Version: 1.0 References: <1533165956-23727-1-git-send-email-rishabhb@codeaurora.org> In-Reply-To: <1533165956-23727-1-git-send-email-rishabhb@codeaurora.org> From: Luis Chamberlain Date: Thu, 2 Aug 2018 14:58:05 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] firmware: Fix security issue with request_firmware_into_buf() To: Rishabh Bhatnagar Cc: Mimi Zohar , Bjorn Andersson , ard.biesheuvel@linaro.org, vbabka@suse.cz, riel@surriel.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, ckadabi@codeaurora.org, tsoni@codeaurora.org, psodagud@codeaurora.org, Vikram Mulukutla Content-Type: multipart/alternative; boundary="000000000000a3f1fa05727ae85c" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --000000000000a3f1fa05727ae85c Content-Type: text/plain; charset="UTF-8" On Wed, Aug 1, 2018, 4:26 PM Rishabh Bhatnagar wrote: > When calling request_firmware_into_buf() with the FW_OPT_NOCACHE flag > it is expected that firmware is loaded into buffer from memory. > But inside alloc_lookup_fw_priv every new firmware that is loaded is > added to the firmware cache (fwc) list head. So if any driver requests > a firmware that is already loaded the code iterates over the above > mentioned list and it can end up giving a pointer to other device driver's > firmware buffer. > Also the existing copy may either be modified by drivers, remote processors > or even freed. This causes a potential security issue with batched requests > when using request_firmware_into_buf. > > Fix alloc_lookup_fw_priv to not add to the fwc head list if FW_OPT_NOCACHE > is set, and also don't do the lookup in the list. > > Fixes: 0e742e9275 ("firmware: provide infrastructure to make fw caching > optional") > > Signed-off-by: Vikram Mulukutla > Signed-off-by: Rishabh Bhatnagar > --- Did you test with the tools/testing/selftests/firmware/ scripts? If not please do so and report back and confirm no regressions are found. Brownie points for you to add a test case to show the issue highlighted in this patch, and which it fixes. I believe this fix should be pushed to stable, so I'll do that after you confirm no regressions were found. The new selftests changed you'd make would not go to stable, however there are Linux distributions and 0day that test the latest tools directory against older kernels. So this test would help capture gaps later. Luis --000000000000a3f1fa05727ae85c Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


= On Wed, Aug 1, 2018, 4:26 PM Rishabh Bhatnagar <rishabhb@codeaurora.org> wrote:
When calling request_firmware_into_buf() with the FW= _OPT_NOCACHE flag
it is expected that firmware is loaded into buffer from memory.
But inside alloc_lookup_fw_priv every new firmware that is loaded is
added to the firmware cache (fwc) list head. So if any driver requests
a firmware that is already loaded the code iterates over the above
mentioned list and it can end up giving a pointer to other device driver= 9;s
firmware buffer.
Also the existing copy may either be modified by drivers, remote processors=
or even freed. This causes a potential security issue with batched requests=
when using request_firmware_into_buf.

Fix alloc_lookup_fw_priv to not add to the fwc head list if FW_OPT_NOCACHE<= br> is set, and also don't do the lookup in the list.

Fixes: 0e742e9275 ("firmware: provide infrastructure to make fw cachin= g optional")

Signed-off-by: Vikram Mulukutla <markivx@codeaurora.org>
Signed-off-by: Rishabh Bhatnagar <rishabhb@codeaurora.org> ---

D= id you test with the tools/testing/selftests/firmware/ scripts? If not plea= se do so and report back and confirm no regressions are found.

Brownie points for you to add a test= case to show the issue highlighted in this patch, and which it fixes. I be= lieve this fix should be pushed to stable, so I'll do that after you co= nfirm no regressions were found.

The new selftests changed you'd make would not go to stable, = however there are Linux distributions and 0day that test the latest tools d= irectory against older kernels. So this test would help capture gaps later.=

=C2=A0 Luis
--000000000000a3f1fa05727ae85c--