| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 02 May 2016 09:56:09 +0200
From: jeremy.compostella@...el.com (Compostella, Jeremy)
To: Matt Fleming <matt@...eblueprint.co.uk>
Cc: Ingo Molnar <mingo@...nel.org>, <stefan.stanacar@...el.com>,
<peterz@...radead.org>, <linux-kernel@...r.kernel.org>,
<tglx@...utronix.de>, <hpa@...or.com>, <bp@...en8.de>,
<ard.biesheuvel@...aro.org>, <linux-tip-commits@...r.kernel.org>
Subject: Re: [tip:efi/core] efibc: Add EFI Bootloader Control module
Matt Fleming <matt@...eblueprint.co.uk> writes:
> On Fri, 29 Apr, at 03:53:39PM, Jeremy Compostella wrote:
>> From ef3a2941769e59b11d1ec36117209dc4c90c7cf9 Mon Sep 17 00:00:00 2001
>> From: Jeremy Compostella <jeremy.compostella@...el.com>
>> Date: Fri, 29 Apr 2016 15:29:59 +0200
>> Subject: [PATCH] efibc: fix excessive stack footprint warning
>>
>> Use dynamic memory allocation instead of stack memory for the entry
>> object.
>>
>> This patch also fixes a potential buffer override.
>>
>> Signed-off-by: Jeremy Compostella <jeremy.compostella@...el.com>
>> ---
>> drivers/firmware/efi/efibc.c | 36 ++++++++++++++++++++++++------------
>> 1 file changed, 24 insertions(+), 12 deletions(-)
>>
>> diff --git a/drivers/firmware/efi/efibc.c b/drivers/firmware/efi/efibc.c
>> index 2e0c7cc..dd6d1a6 100644
>> --- a/drivers/firmware/efi/efibc.c
>> +++ b/drivers/firmware/efi/efibc.c
>> @@ -17,6 +17,7 @@
>> #include <linux/efi.h>
>> #include <linux/module.h>
>> #include <linux/reboot.h>
>> +#include <linux/slab.h>
>>
>> static void efibc_str_to_str16(const char *str, efi_char16_t *str16)
>> {
>> @@ -28,42 +29,53 @@ static void efibc_str_to_str16(const char *str, efi_char16_t *str16)
>> str16[i] = '\0';
>> }
>>
>> -static void efibc_set_variable(const char *name, const char *value)
>> +static int efibc_set_variable(const char *name, const char *value)
>> {
>> int ret;
>> efi_guid_t guid = LINUX_EFI_LOADER_ENTRY_GUID;
>> - struct efivar_entry entry;
>> + struct efivar_entry *entry;
>> size_t size = (strlen(value) + 1) * sizeof(efi_char16_t);
>>
>> - if (size > sizeof(entry.var.Data))
>> + if (size > sizeof(entry->var.Data)) {
>> pr_err("value is too large");
>> + return -1;
>> + }
>
> This isn't right. The usual return value for this scenario would be
> either -ENOMEM or -EINVAL. Personally I'd lean towards -EINVAL.
Right. Done.
>>
>> - efibc_str_to_str16(name, entry.var.VariableName);
>> - efibc_str_to_str16(value, (efi_char16_t *)entry.var.Data);
>> - memcpy(&entry.var.VendorGuid, &guid, sizeof(guid));
>> + entry = kmalloc(sizeof(*entry), GFP_KERNEL);
>> + if (!entry) {
>> + pr_err("failed to allocate efivar entry");
>> + return -1;
>> + }
>
> This should be -ENOMEM.
Done.
>>
>> - ret = efivar_entry_set(&entry,
>> + efibc_str_to_str16(name, entry->var.VariableName);
>> + efibc_str_to_str16(value, (efi_char16_t *)entry->var.Data);
>> + memcpy(&entry->var.VendorGuid, &guid, sizeof(guid));
>> +
>> + ret = efivar_entry_set(entry,
>> EFI_VARIABLE_NON_VOLATILE
>> | EFI_VARIABLE_BOOTSERVICE_ACCESS
>> | EFI_VARIABLE_RUNTIME_ACCESS,
>> - size, entry.var.Data, NULL);
>> + size, entry->var.Data, NULL);
>> if (ret)
>> pr_err("failed to set %s EFI variable: 0x%x\n",
>> name, ret);
>> +
>> + kfree(entry);
>> + return ret;
>> }
>>
>> static int efibc_reboot_notifier_call(struct notifier_block *notifier,
>> unsigned long event, void *data)
>> {
>> const char *reason = "shutdown";
>> + int ret;
>>
>> if (event == SYS_RESTART)
>> reason = "reboot";
>>
>> - efibc_set_variable("LoaderEntryRebootReason", reason);
>> -
>> - if (!data)
>> - return NOTIFY_DONE;
>> + ret = efibc_set_variable("LoaderEntryRebootReason", reason);
>> + if (ret || !data)
>> + return NOTIFY_DONE;
>>
>> efibc_set_variable("LoaderEntryOneShot", (char *)data);
>
> You need to check this return value too now.
We are leaving this function returning NOTIFY_DONE whatever the return
value of that last efibc_set_variable() call.
Please find the updated patch in attachment.
Also, thank you for answering Ard's questions. I promised I won't
look at my emails on Labor day ;)
Jérémy
View attachment "0001-efibc-fix-excessive-stack-footprint-warning.patch" of type "text/x-diff" (2847 bytes)
--
One Emacs to rule them all
Powered by blists - more mailing lists