Received: by 2002:a05:6602:18e:0:0:0:0 with SMTP id m14csp2119690ioo; Mon, 23 May 2022 10:29:03 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyP6XA32IPoLL20lkyyUBibSRdhnmR0JtIKKVQTt7Y1tMfx1scM3tSpsyfCbEdZiNcCtSgQ X-Received: by 2002:a63:834a:0:b0:3fa:a040:e408 with SMTP id h71-20020a63834a000000b003faa040e408mr331834pge.36.1653326943647; Mon, 23 May 2022 10:29:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1653326943; cv=none; d=google.com; s=arc-20160816; b=v+uurQAqDl0TG6jFilEyA/aCHtZkBL3kM05gz731Tp2qDyAUGdnp71Jqfyod3MbMsq OonM5P6FYZMJ5WuM1ZqI3KhkGPB/eCK0mNexILm37yxqs7U/Y2LqFVotAEAep1RTjKOM S1u7pp5aSxLSuhSLgE7DpmjOE7/7/hL2Pb2S9e4GXaW3zKmkQhcDJx9hJUGaX6WWTe2n RFQVX5t4WQ+jgl8CqZPcQiabEXmR5C3ZH9efHVQn3N9rQ3reykyzQfQHJzDYV0EDQl7G +PqeDf6IFqWyrx2EbYZIOXSF9Cj32mR3OfxR6dQlbzJ4pK2BNYfy0x1Qz4MRp0Y6zQyn zHiw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=VDjJVy6JvAoP5IfmZCgIkLorxVjcFkuBJwNsnbIFNHk=; b=c0qwTemlB7O87lZl9GRr0pxNyJufxWxQe3hMLaCVXDMMm9K1feJ5OoIn4VuJuYV4mn vUNOptyeWY/MxndWKfVUSXs+sfY/8jgNx/K1PWJQUv3SPI3IA+pAw1DY1fZG/nhL0gZb INw9+Zv2P3Yscwt5JhZPvXa/GBAZzT8PKlb6IiWkJJ0+XDLTm3SI39ZM77Jq12d0b98f GQ/fM91IrpXVE02zmGv9gnfj2eT8gEFrqbngYE1UVna78p+cXAUabrm/wojC5Q3ICml8 vA875YIfvUR+HsVmU4YiKpWbtfXKm0F/E3531nLeuyp0vMyctBx07d57KdYqAzjWVprf Qnzg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=w0FSZH3t; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id e71-20020a63694a000000b003faa25932e6si70470pgc.368.2022.05.23.10.29.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 May 2022 10:29:03 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=w0FSZH3t; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 543ED85ED3; Mon, 23 May 2022 10:28:52 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240284AbiEWRZZ (ORCPT + 99 others); Mon, 23 May 2022 13:25:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37708 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240681AbiEWRQk (ORCPT ); Mon, 23 May 2022 13:16:40 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4079C24BDE; Mon, 23 May 2022 10:16:23 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 7B7F16154B; Mon, 23 May 2022 17:15:40 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7BC7EC385AA; Mon, 23 May 2022 17:15:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1653326139; bh=RaNlFUjv0TFp2hHX+lkMm9182OhYT6A9LuUMpysS5hE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=w0FSZH3tvRkucWkKQOj32hQ6qZxvGrnPouaewmrUlIhXXuY+LYEC4x4FieoiUUmAD awV/hkgB1I6RqLUemG6c5oFa8YBhi9D1UyalDHK2ildMG8wsbISYzyWxUjJ1GsxQ8R prTCcYpzdmv9N91kR1wQqQT0lSdGfRNBOXaDtQ50= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= , Paul Moore , Luis Chamberlain Subject: [PATCH 5.4 62/68] firmware_loader: use kernel credentials when reading firmware Date: Mon, 23 May 2022 19:05:29 +0200 Message-Id: <20220523165812.702480937@linuxfoundation.org> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220523165802.500642349@linuxfoundation.org> References: <20220523165802.500642349@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: ThiƩbaud Weksteen commit 581dd69830341d299b0c097fc366097ab497d679 upstream. Device drivers may decide to not load firmware when probed to avoid slowing down the boot process should the firmware filesystem not be available yet. In this case, the firmware loading request may be done when a device file associated with the driver is first accessed. The credentials of the userspace process accessing the device file may be used to validate access to the firmware files requested by the driver. Ensure that the kernel assumes the responsibility of reading the firmware. This was observed on Android for a graphic driver loading their firmware when the device file (e.g. /dev/mali0) was first opened by userspace (i.e. surfaceflinger). The security context of surfaceflinger was used to validate the access to the firmware file (e.g. /vendor/firmware/mali.bin). Previously, Android configurations were not setting up the firmware_class.path command line argument and were relying on the userspace fallback mechanism. In this case, the security context of the userspace daemon (i.e. ueventd) was consistently used to read firmware files. More Android devices are now found to set firmware_class.path which gives the kernel the opportunity to read the firmware directly (via kernel_read_file_from_path_initns). In this scenario, the current process credentials were used, even if unrelated to the loading of the firmware file. Signed-off-by: ThiƩbaud Weksteen Cc: # 5.10 Reviewed-by: Paul Moore Acked-by: Luis Chamberlain Link: https://lore.kernel.org/r/20220502004952.3970800-1-tweek@google.com Signed-off-by: Greg Kroah-Hartman --- drivers/base/firmware_loader/main.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) --- a/drivers/base/firmware_loader/main.c +++ b/drivers/base/firmware_loader/main.c @@ -761,6 +761,8 @@ _request_firmware(const struct firmware enum fw_opt opt_flags) { struct firmware *fw = NULL; + struct cred *kern_cred = NULL; + const struct cred *old_cred; int ret; if (!firmware_p) @@ -776,6 +778,18 @@ _request_firmware(const struct firmware if (ret <= 0) /* error or already assigned */ goto out; + /* + * We are about to try to access the firmware file. Because we may have been + * called by a driver when serving an unrelated request from userland, we use + * the kernel credentials to read the file. + */ + kern_cred = prepare_kernel_cred(NULL); + if (!kern_cred) { + ret = -ENOMEM; + goto out; + } + old_cred = override_creds(kern_cred); + ret = fw_get_filesystem_firmware(device, fw->priv, "", NULL); #ifdef CONFIG_FW_LOADER_COMPRESS if (ret == -ENOENT) @@ -792,6 +806,9 @@ _request_firmware(const struct firmware } else ret = assign_fw(fw, device, opt_flags); + revert_creds(old_cred); + put_cred(kern_cred); + out: if (ret < 0) { fw_abort_batch_reqs(fw);