Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp4639594ybf; Wed, 4 Mar 2020 07:50:22 -0800 (PST) X-Google-Smtp-Source: ADFU+vszfFqzWtl1v9OianZwq7/QLzP1+juDltm7tHkLzoB4Wkg44Hqs13/qcSXzIlmXC3ILMd6e X-Received: by 2002:a05:6830:46:: with SMTP id d6mr2894103otp.81.1583337022445; Wed, 04 Mar 2020 07:50:22 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1583337022; cv=none; d=google.com; s=arc-20160816; b=jYBdDmsyl9FfzB232etGKoTycLYyfIUJ16Ge80FQUVUXbVnmBkeMyzSPx5qR+4jo+l N7pxkVYc4AQqP5C8t4/Rl4s0RMdt11TTiO6d7sD9MuvYZVOsJJ+rtjQ5UbYcYFr8nVrD vE/N7WvSxwX9PCa/hq7fafqztfYONMcDFI67eOQNJAukzbM5lYur3IbeciQSgbiH5s+v 4A/cWs2hVWHUWjBMfEWRvEb1NOq3ucCNGPyekDRTR+5AJhcAg3+rN65pxgCcUwVQuJvu gPdudUNFmD2xMzb+HdNHChGNlSXsGvkHDS+lwio1TKpekb0o9qz2kiuUFb2E5iJ9wTdu 6+WA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=pgEu8A8FiWPzLf0KWg6FbMQx8pJX80XqDuYn9zCA2SU=; b=dHaaGVOWXeIQuMpd6g+2VQbSeTznquIpQn973lLzKxVxzWuctwwZsw4Gd/BrwkpVQT XLyRxDOFS7j2gXHlseoXCgNv1c0T7dcGrs40qhGL7ymFJG/zI9RoNNQMdkb9H/7nXO4E Co0Ct84v4wf89YW+7LVjcYk8gI/lwmzy2onRFvaizwbiX1GdTphoB0OnPI48GhIR500o G7ogLg1NA0+tlKgCDR18kIFBWsd/GjJrf/hKVXmA+KKp6f63vfdqEE90RMt2Uzx7rjcW EhqW1ldXS6Af9sdQ6THUJofqExp9+aebrUc95Nre5SCKFAQjoyD6UsmTIcpHmi2LEyxe IydQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=YZ2EYc2X; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x189si244775oia.270.2020.03.04.07.50.10; Wed, 04 Mar 2020 07:50:22 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=YZ2EYc2X; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729717AbgCDPuF (ORCPT + 99 others); Wed, 4 Mar 2020 10:50:05 -0500 Received: from us-smtp-2.mimecast.com ([207.211.31.81]:22078 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726263AbgCDPuF (ORCPT ); Wed, 4 Mar 2020 10:50:05 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1583337004; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=pgEu8A8FiWPzLf0KWg6FbMQx8pJX80XqDuYn9zCA2SU=; b=YZ2EYc2XdJVWuKR8pD3aY+iV/Se6nLkW+qePUEyr8tcmVt3/KDm29M1CZo359L6GtrTr0/ rJEJ2E/l2i0h+t8HVhNBca4fZcE/YSDiA5weWJ7B0jlMnEkhnnrqh4O9N4PXDfiqiH/L8K pL7GJjewD3l2FvvbOJsoM/ZU4O3eMHA= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-467-2Zm1YcOwMs6pRN_n4Gy4pQ-1; Wed, 04 Mar 2020 10:50:00 -0500 X-MC-Unique: 2Zm1YcOwMs6pRN_n4Gy4pQ-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 6A3C5A0CDE; Wed, 4 Mar 2020 15:49:59 +0000 (UTC) Received: from rules.brq.redhat.com (ovpn-204-205.brq.redhat.com [10.40.204.205]) by smtp.corp.redhat.com (Postfix) with ESMTP id 024C65DA85; Wed, 4 Mar 2020 15:49:55 +0000 (UTC) From: Vladis Dronov To: Ard Biesheuvel , linux-efi@vger.kernel.org, joeyli Cc: linux-kernel@vger.kernel.org Subject: [PATCH v2] efi: fix a race and a buffer overflow while reading efivars via sysfs Date: Wed, 4 Mar 2020 16:49:36 +0100 Message-Id: <20200304154936.24206-1-vdronov@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org There is a race and a buffer overflow corrupting a kernel memory while reading an efi variable with a size more than 1024 bytes via the older sysfs method. This happens because accessing struct efi_variable in efivar_{attr,size,data}_read() and friends is not protected from a concurrent access leading to a kernel memory corruption and, at best, to a crash. The race scenario is the following: CPU0: CPU1: efivar_attr_read() var->DataSize =3D 1024; efivar_entry_get(... &var->DataSize) down_interruptible(&efivars_lock) efivar_attr_read() // same efi var var->DataSize =3D 1024; efivar_entry_get(... &var->DataSiz= e) down_interruptible(&efivars_lock= ) virt_efi_get_variable() // returns EFI_BUFFER_TOO_SMALL but // var->DataSize is set to a real // var size more than 1024 bytes up(&efivars_lock) virt_efi_get_variable() // called with var->DataSize set // to a real var size, returns // successfully and overwrites // a 1024-bytes kernel buffer up(&efivars_lock) This can be reproduced by concurrent reading of an efi variable which siz= e is more than 1024 bytes: ts# for cpu in $(seq 0 $(nproc --ignore=3D1)); do ( taskset -c $cpu \ cat /sys/firmware/efi/vars/KEKDefault*/size & ) ; done Fix this by using a local variable for a var's data buffer size so it does not get overwritten. Also add a sanity check to efivar_store_raw(). Reported-by: Bob Sanders and the LTP testsuite Signed-off-by: Vladis Dronov --- drivers/firmware/efi/efi-pstore.c | 2 +- drivers/firmware/efi/efivars.c | 32 ++++++++++++++++++++++--------- drivers/firmware/efi/vars.c | 2 +- 3 files changed, 25 insertions(+), 11 deletions(-) diff --git a/drivers/firmware/efi/efi-pstore.c b/drivers/firmware/efi/efi= -pstore.c index 9ea13e8d12ec..e4767a7ce973 100644 --- a/drivers/firmware/efi/efi-pstore.c +++ b/drivers/firmware/efi/efi-pstore.c @@ -161,7 +161,7 @@ static int efi_pstore_scan_sysfs_exit(struct efivar_e= ntry *pos, * * @record: pstore record to pass to callback * - * You MUST call efivar_enter_iter_begin() before this function, and + * You MUST call efivar_entry_iter_begin() before this function, and * efivar_entry_iter_end() afterwards. * */ diff --git a/drivers/firmware/efi/efivars.c b/drivers/firmware/efi/efivar= s.c index 7576450c8254..16a617f9c5cf 100644 --- a/drivers/firmware/efi/efivars.c +++ b/drivers/firmware/efi/efivars.c @@ -83,13 +83,16 @@ static ssize_t efivar_attr_read(struct efivar_entry *entry, char *buf) { struct efi_variable *var =3D &entry->var; + unsigned long size =3D sizeof(var->Data); char *str =3D buf; + int ret; =20 if (!entry || !buf) return -EINVAL; =20 - var->DataSize =3D 1024; - if (efivar_entry_get(entry, &var->Attributes, &var->DataSize, var->Data= )) + ret =3D efivar_entry_get(entry, &var->Attributes, &size, var->Data); + var->DataSize =3D size; + if (ret) return -EIO; =20 if (var->Attributes & EFI_VARIABLE_NON_VOLATILE) @@ -116,13 +119,16 @@ static ssize_t efivar_size_read(struct efivar_entry *entry, char *buf) { struct efi_variable *var =3D &entry->var; + unsigned long size =3D sizeof(var->Data); char *str =3D buf; + int ret; =20 if (!entry || !buf) return -EINVAL; =20 - var->DataSize =3D 1024; - if (efivar_entry_get(entry, &var->Attributes, &var->DataSize, var->Data= )) + ret =3D efivar_entry_get(entry, &var->Attributes, &size, var->Data); + var->DataSize =3D size; + if (ret) return -EIO; =20 str +=3D sprintf(str, "0x%lx\n", var->DataSize); @@ -133,12 +139,15 @@ static ssize_t efivar_data_read(struct efivar_entry *entry, char *buf) { struct efi_variable *var =3D &entry->var; + unsigned long size =3D sizeof(var->Data); + int ret; =20 if (!entry || !buf) return -EINVAL; =20 - var->DataSize =3D 1024; - if (efivar_entry_get(entry, &var->Attributes, &var->DataSize, var->Data= )) + ret =3D efivar_entry_get(entry, &var->Attributes, &size, var->Data); + var->DataSize =3D size; + if (ret) return -EIO; =20 memcpy(buf, var->Data, var->DataSize); @@ -199,6 +208,9 @@ efivar_store_raw(struct efivar_entry *entry, const ch= ar *buf, size_t count) u8 *data; int err; =20 + if (!entry || !buf) + return -EINVAL; + if (in_compat_syscall()) { struct compat_efi_variable *compat; =20 @@ -250,14 +262,16 @@ efivar_show_raw(struct efivar_entry *entry, char *b= uf) { struct efi_variable *var =3D &entry->var; struct compat_efi_variable *compat; + unsigned long datasize =3D sizeof(var->Data); size_t size; + int ret; =20 if (!entry || !buf) return 0; =20 - var->DataSize =3D 1024; - if (efivar_entry_get(entry, &entry->var.Attributes, - &entry->var.DataSize, entry->var.Data)) + ret =3D efivar_entry_get(entry, &var->Attributes, &datasize, var->Data)= ; + var->DataSize =3D size; + if (ret) return -EIO; =20 if (in_compat_syscall()) { diff --git a/drivers/firmware/efi/vars.c b/drivers/firmware/efi/vars.c index 436d1776bc7b..5f2a4d162795 100644 --- a/drivers/firmware/efi/vars.c +++ b/drivers/firmware/efi/vars.c @@ -1071,7 +1071,7 @@ EXPORT_SYMBOL_GPL(efivar_entry_iter_end); * entry on the list. It is safe for @func to remove entries in the * list via efivar_entry_delete(). * - * You MUST call efivar_enter_iter_begin() before this function, and + * You MUST call efivar_entry_iter_begin() before this function, and * efivar_entry_iter_end() afterwards. * * It is possible to begin iteration from an arbitrary entry within --=20 2.20.1