From patchwork Wed Oct 25 10:04:47 2017
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 117088
From: Ard Biesheuvel
To: linux-efi@vger.kernel.org, Ingo Molnar, Thomas Gleixner, "H . Peter Anvin"
Cc: Dan Carpenter, Ard Biesheuvel, linux-kernel@vger.kernel.org, Matt Fleming
Subject: [PATCH 1/2] efi/efi_test: Prevent an Oops in efi_runtime_query_capsulecaps()
Date: Wed, 25 Oct 2017 11:04:47 +0100
Message-Id: <20171025100448.26056-2-ard.biesheuvel@linaro.org>
In-Reply-To: <20171025100448.26056-1-ard.biesheuvel@linaro.org>
References: <20171025100448.26056-1-ard.biesheuvel@linaro.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Dan Carpenter

If "qcaps.capsule_count" is ULONG_MAX then "qcaps.capsule_count + 1" will
overflow to zero and kcalloc() will return the ZERO_SIZE_PTR. We try to
dereference it inside the loop and crash.

Fixes: ff6301dabc3c ("efi: Add efi_test driver for exporting UEFI runtime service interfaces")
Signed-off-by: Dan Carpenter
Acked-by: Ivan Hu
Cc: Ard Biesheuvel
Signed-off-by: Matt Fleming
Signed-off-by: Ard Biesheuvel
---
 drivers/firmware/efi/test/efi_test.c | 3 +++
 1 file changed, 3 insertions(+)

-- 
2.11.0

diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
index 08129b7b80ab..41c48a1e8baa 100644
--- a/drivers/firmware/efi/test/efi_test.c
+++ b/drivers/firmware/efi/test/efi_test.c
@@ -593,6 +593,9 @@ static long efi_runtime_query_capsulecaps(unsigned long arg) if (copy_from_user(&qcaps, qcaps_user, sizeof(qcaps))) return -EFAULT; + if (qcaps.capsule_count == ULONG_MAX) + return -EINVAL; + capsules = kcalloc(qcaps.capsule_count + 1, sizeof(efi_capsule_header_t), GFP_KERNEL); if (!capsules) From patchwork Wed Oct 25 10:04:48 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 117083 Delivered-To: patch@linaro.org Received: by 10.140.22.164 with SMTP id 33csp657277qgn; Wed, 25 Oct 2017 03:05:15 -0700 (PDT) X-Google-Smtp-Source: ABhQp+T56ETY3UMyoTtYuB4O3/gVnBYih18CRBvi/ds8V0eq+va4MyUyI72+mnlxuUq8C0u2Jf9j X-Received: by 10.159.242.137 with SMTP id u9mr1330812plr.243.1508925915713; Wed, 25 Oct 2017 03:05:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1508925915; cv=none; d=google.com; s=arc-20160816; b=VnoouLs0qO9dKPrGh79Bc12L4b1m2/Y/ZMO3V7s/MItmpK8WIrVJJb8uj3jeLhtxmx FMVCE3bvfZNdDCsaeFB1PMdnOCeJtwd0jAQJl0vmIar3tTSmcxgaK/99rQsHelzdHwse hxHKzk9KX/bPaSNDYWEoROApTDCntgHy8Dzun+GrZZVbky2PPtIyCnCLAmLfTn+vqq99 yjAkfgWWIj1S0msAcXp2y+VKgxTYqZZHQX8JB/wOzHfG/GWiOaPyVHzkysm3zBv4y2kj xyXYvC3lljkqRTvq8+iAqp8rFmT5qICRnWR/VHsJQYPjPvPy1cYb4ExnSVAADCVYWXCG xxyw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=/vg2x+APkhjFPAaGECXv98eKudTaRbF1QP1O1arIM0U=; b=WDzX8WV3kwuG8L0Kq5KeXFVD03G1ufDazFTPkbR5e6W7ic1OHwIqGZmZD7k1r+w+YJ AtwYJGUiPBiR1BweuLRUMm/a+h6/WRjSe3NayrL6HKi7MiY+fct9YF7KvwNQjudxVcQf tqKjLhbUniNbrqMq2uPED/f71zADHD2EWrKdRMTenc0k44g3clU8qm9DEk+Uy93hWSJM f245B1i97vb1YS+DL6SdDS/6K2DB3/ugHrM/R5DXbhuHUYJmy6suHFUiJeZ/3IA4IuPg FetaWska6pz0vv4ge2PhxKmJvf1phLW8ASIMlcCOih7aBh/AETlOMqvb4aK7A98ZAPZs QKKA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google 
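Review bot: the new `if (qcaps.capsule_count == ULONG_MAX) return -EINVAL;` guard placed just before the kcalloc() call closes the one wrap that turns `qcaps.capsule_count + 1` into a zero-size request (and hence ZERO_SIZE_PTR), but it is also the only value it rejects. Every other count that arrives via copy_from_user() still reaches `kcalloc(qcaps.capsule_count + 1, sizeof(efi_capsule_header_t), GFP_KERNEL)`, which only fails, returning NULL that `if (!capsules)` already handles, once the n * size product overflows or the allocation is simply too large. An explicit upper bound on capsule_count would state the intent more directly than a sentinel comparison and would also stop a caller from driving arbitrarily large allocation attempts; failing that, a one-line comment above the check explaining the `+ 1` wrap would help the next reader understand why ULONG_MAX specifically is refused.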
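To show the class of check the commit message above describes in a form a practitioner can compile and run, here is an added example in C. It is not code from the kernel or from this patch: it models a user-supplied capsule count and rejects, in turn, the `count + 1` wrap that produces a zero-size allocation, the `n * size` overflow that kcalloc() itself turns into a NULL return, and counts above a hypothetical ceiling. `capsule_header_t` (a stand-in laid out like the kernel's efi_capsule_header_t), `MAX_CAPSULES`, `check_capsule_count()` and `alloc_capsule_headers()` are all constructed for this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for efi_capsule_header_t: a 16-byte GUID followed by
 * three 32-bit fields. Only its size matters to the arithmetic below. */
typedef struct {
    unsigned char guid[16];
    uint32_t header_size;
    uint32_t flags;
    uint32_t image_size;
} capsule_header_t;

/* Hypothetical sane ceiling on how many capsules one request may describe.
 * The patch itself imposes no such bound; this is an assumption of the example. */
#define MAX_CAPSULES 64UL

enum count_check {
    COUNT_OK = 0,
    COUNT_ADD_OVERFLOW,  /* count + 1 wrapped to zero (the ULONG_MAX case) */
    COUNT_MUL_OVERFLOW,  /* (count + 1) * sizeof(header) does not fit size_t */
    COUNT_TOO_LARGE      /* arithmetic is fine but the count exceeds the ceiling */
};

/* Validate a caller-controlled count before it is used as an allocation size.
 * On success, writes the exact byte size of count + 1 headers to *bytes_out. */
enum count_check check_capsule_count(unsigned long count, size_t *bytes_out)
{
    unsigned long n;
    size_t bytes;

    /* The wrap fixed by the patch: ULONG_MAX + 1 == 0, which would make a
     * zeroed allocator hand back a zero-length (non-NULL) object. */
    if (__builtin_add_overflow(count, 1UL, &n))
        return COUNT_ADD_OVERFLOW;

    /* The overflow kcalloc() checks for internally; caught explicitly here so
     * the caller can distinguish it from an ordinary allocation failure. */
    if (__builtin_mul_overflow(n, sizeof(capsule_header_t), &bytes))
        return COUNT_MUL_OVERFLOW;

    /* Even a non-overflowing count can be absurdly large; a ceiling keeps a
     * caller from driving huge allocation attempts that only fail late. */
    if (count > MAX_CAPSULES)
        return COUNT_TOO_LARGE;

    if (bytes_out)
        *bytes_out = bytes;
    return COUNT_OK;
}

/* Allocate count + 1 zeroed headers (the extra slot mirrors the kernel's
 * "+ 1"); returns NULL on any validation or allocation failure and never
 * returns a zero-length object. */
capsule_header_t *alloc_capsule_headers(unsigned long count)
{
    size_t bytes;

    if (check_capsule_count(count, &bytes) != COUNT_OK)
        return NULL;
    return calloc(count + 1, sizeof(capsule_header_t));
}
```

The three-way result lets the caller map each failure to the error it would return to user space (the patch uses -EINVAL for the wrap); the ceiling is the piece a reviewer would most want added in the real driver, since it makes the rejected range explicit instead of singling out one sentinel value.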
From: Ard Biesheuvel
To: linux-efi@vger.kernel.org, Ingo Molnar, Thomas Gleixner, "H . Peter Anvin"
Cc: Ard Biesheuvel, linux-kernel@vger.kernel.org, James Morse, Matt Fleming
Subject: [PATCH 2/2] efi/libstub: arm: don't randomize runtime regions when CONFIG_HIBERNATION=y
Date: Wed, 25 Oct 2017 11:04:48 +0100
Message-Id: <20171025100448.26056-3-ard.biesheuvel@linaro.org>
In-Reply-To: <20171025100448.26056-1-ard.biesheuvel@linaro.org>
References: <20171025100448.26056-1-ard.biesheuvel@linaro.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Commit e69176d68d26 ef/libstub/arm/arm64: Randomize the base of the UEFI rt
services region implemented randomization of the virtual mapping that the OS
chooses for the UEFI runtime services. This was motivated by the fact that
UEFI usually does not bother to specify any permission restrictions for those
regions, making them prime real estate for exploitation now that the OS is
getting more and more careful not to leave any R+W+X mapped regions lying
around.

However, this randomization breaks assumptions in the resume from hibernation
code, which expects all memory regions populated by UEFI to remain in the same
place, including their virtual mapping into the OS memory space. While this
assumption may not be entirely reasonable in the first place, breaking it
deliberately does not make a lot of sense either. So let's refrain from this
randomization pass if CONFIG_HIBERNATION=y.

Cc: James Morse
Cc: Matt Fleming
Signed-off-by: Ard Biesheuvel
---
 drivers/firmware/efi/libstub/arm-stub.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

-- 
2.11.0

diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c
index 1cb2d1c070c3..a94601d5939e 100644
--- a/drivers/firmware/efi/libstub/arm-stub.c
+++ b/drivers/firmware/efi/libstub/arm-stub.c
@@ -238,7 +238,8 @@ unsigned long efi_entry(void *handle, efi_system_table_t *sys_table, efi_random_get_seed(sys_table); - if (!nokaslr()) { + /* hibernation expects the runtime regions to stay in the same place */ + if (!IS_ENABLED(CONFIG_HIBERNATION) && !nokaslr()) { /* * Randomize the base of the UEFI runtime services region. * Preserve the 2 MB alignment of the region by taking a
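Review bot: `IS_ENABLED(CONFIG_HIBERNATION)` in the new `if (!IS_ENABLED(CONFIG_HIBERNATION) && !nokaslr())` condition makes this a build-time decision, so every kernel configured with hibernation support gives up the runtime-region randomization, including on machines that never hibernate, and unlike the nokaslr() half of the test there is no way for an administrator to opt back in. The one-line comment added above the condition ("hibernation expects the runtime regions to stay in the same place") explains the constraint but not the cost; it should also say that the mitigation is deliberately traded away for resume correctness on such configs, so a later reader does not take the line for a harmless reordering of the nokaslr() check. Since `efi_random_get_seed(sys_table)` still runs unconditionally just above, it is worth a word in the commit message that only the runtime-services base randomization is being disabled, not the seed collection.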