mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-12-28 01:57:06 +07:00
286d3250c9
There is a race and a buffer overflow corrupting a kernel memory while
reading an EFI variable with a size more than 1024 bytes via the older
sysfs method. This happens because accessing struct efi_variable in
efivar_{attr,size,data}_read() and friends is not protected from
a concurrent access leading to a kernel memory corruption and, at best,
to a crash. The race scenario is the following:
CPU0: CPU1:
efivar_attr_read()
var->DataSize = 1024;
efivar_entry_get(... &var->DataSize)
down_interruptible(&efivars_lock)
efivar_attr_read() // same EFI var
var->DataSize = 1024;
efivar_entry_get(... &var->DataSize)
down_interruptible(&efivars_lock)
virt_efi_get_variable()
// returns EFI_BUFFER_TOO_SMALL but
// var->DataSize is set to a real
// var size more than 1024 bytes
up(&efivars_lock)
virt_efi_get_variable()
// called with var->DataSize set
// to a real var size, returns
// successfully and overwrites
// a 1024-bytes kernel buffer
up(&efivars_lock)
This can be reproduced by concurrent reading of an EFI variable which size
is more than 1024 bytes:
ts# for cpu in $(seq 0 $(nproc --ignore=1)); do ( taskset -c $cpu \
cat /sys/firmware/efi/vars/KEKDefault*/size & ) ; done
Fix this by using a local variable for a var's data buffer size so it
does not get overwritten.
Fixes:
|
||
|---|---|---|
| .. | ||
| libstub | ||
| test | ||
| apple-properties.c | ||
| arm-init.c | ||
| arm-runtime.c | ||
| capsule-loader.c | ||
| capsule.c | ||
| cper-arm.c | ||
| cper-x86.c | ||
| cper.c | ||
| dev-path-parser.c | ||
| earlycon.c | ||
| efi-bgrt.c | ||
| efi-pstore.c | ||
| efi.c | ||
| efibc.c | ||
| efivars.c | ||
| esrt.c | ||
| fake_mem.c | ||
| fake_mem.h | ||
| Kconfig | ||
| Makefile | ||
| memattr.c | ||
| memmap.c | ||
| rci2-table.c | ||
| reboot.c | ||
| runtime-map.c | ||
| runtime-wrappers.c | ||
| tpm.c | ||
| vars.c | ||
| x86_fake_mem.c | ||