From: Ard Biesheuvel
Date: Sat, 18 Jan 2020 09:00:04 +0100
Subject: Re: [PATCH -next] x86/efi_64: fix a user-memory-access in runtime
To: Qian Cai
Cc: Ard Biesheuvel, Ingo Molnar, kasan-dev, linux-efi, Linux Kernel Mailing List
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, 18 Jan 2020 at 07:30, Qian Cai wrote:
>
> The commit 698294704573 ("efi/x86: Split SetVirtualAddresMap() wrappers
> into 32 and 64 bit versions") introduced a KASAN error during boot,
>
> BUG: KASAN: user-memory-access in efi_set_virtual_address_map+0x4d3/0x574
> Read of size 8 at addr 00000000788fee50 by task swapper/0/0
>
> Hardware name: HP ProLiant XL450 Gen9 Server/ProLiant XL450 Gen9
> Server, BIOS U21 05/05/2016
> Call Trace:
>  dump_stack+0xa0/0xea
>  __kasan_report.cold.8+0xb0/0xc0
>  kasan_report+0x12/0x20
>  __asan_load8+0x71/0xa0
>  efi_set_virtual_address_map+0x4d3/0x574
>  efi_enter_virtual_mode+0x5f3/0x64e
>  start_kernel+0x53a/0x5dc
>  x86_64_start_reservations+0x24/0x26
>  x86_64_start_kernel+0xf4/0xfb
>  secondary_startup_64+0xb6/0xc0
>
> It points to this line,
>
> 	status = efi_call(efi.systab->runtime->set_virtual_address_map,
>
> efi.systab->runtime's address is 00000000788fee18, which is an address in
> the EFI runtime services and does not have a KASAN shadow page. Fix it by
> doing a copy_from_user() first instead.
>

Can't we just use READ_ONCE_NOCHECK() instead?

> Fixes: 698294704573 ("efi/x86: Split SetVirtualAddresMap() wrappers into 32 and 64 bit versions")
> Signed-off-by: Qian Cai
> ---
>  arch/x86/platform/efi/efi_64.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
> index 515eab388b56..d6712c9cb9d8 100644
> --- a/arch/x86/platform/efi/efi_64.c
> +++ b/arch/x86/platform/efi/efi_64.c
> @@ -1023,6 +1023,7 @@ efi_status_t __init efi_set_virtual_address_map(unsigned long memory_map_size, > u32 descriptor_version, > efi_memory_desc_t *virtual_map) > { > + efi_runtime_services_t runtime; > efi_status_t status; > unsigned long flags; > pgd_t *save_pgd = NULL; > @@ -1041,13 +1042,15 @@ efi_status_t __init efi_set_virtual_address_map(unsigned long memory_map_size, > efi_switch_mm(&efi_mm); > } > > + if (copy_from_user(&runtime, efi.systab->runtime, sizeof(runtime))) > + return EFI_ABORTED; > + > kernel_fpu_begin(); > > /* Disable interrupts around EFI calls: */ > local_irq_save(flags); > - status = efi_call(efi.systab->runtime->set_virtual_address_map, > - memory_map_size, descriptor_size, > - descriptor_version, virtual_map); > + status = efi_call(runtime.set_virtual_address_map, memory_map_size, > + descriptor_size, descriptor_version, virtual_map); > local_irq_restore(flags); > > kernel_fpu_end(); > -- > 2.21.0 (Apple Git-122.2) >
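Review bot: In the first hunk, the new local `efi_runtime_services_t runtime;` copies the whole runtime services table onto the stack although the function only ever reads one member, `set_virtual_address_map`. If a copy is kept at all, a single function-pointer local for that one field is enough and avoids a struct-sized stack object in this early-boot path.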
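Review bot: In the second hunk, `copy_from_user()` is the wrong primitive for `efi.systab->runtime`: that pointer is a firmware-provided mapping on the kernel side, not a user-space address, so the user-access helpers (the access_ok() range check and uaccess fault handling) do not describe what is actually being read, and the change turns a KASAN false positive (no shadow for the firmware region) into a new `EFI_ABORTED` failure path. That `return EFI_ABORTED` also sits after `efi_switch_mm(&efi_mm)` has already run, so on that path the function returns without undoing the mm switch / `save_pgd` setup done above it. Since the only access KASAN flagged is the 8-byte load of the function pointer, reading just that field with `READ_ONCE_NOCHECK()`, as suggested in the reply, removes the instrumented access without the copy or the new early return.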