Date:   Thu, 2 Aug 2018 14:58:05 -0700
From:   Luis Chamberlain <mcgrof@...nel.org>
To:     Rishabh Bhatnagar <rishabhb@...eaurora.org>
Cc:     Mimi Zohar <zohar@...ux.vnet.ibm.com>,
        Bjorn Andersson <bjorn.andersson@...aro.org>,
        ard.biesheuvel@...aro.org, vbabka@...e.cz, riel@...riel.com,
        akpm@...ux-foundation.org, linux-kernel@...r.kernel.org,
        ckadabi@...eaurora.org, tsoni@...eaurora.org,
        psodagud@...eaurora.org, Vikram Mulukutla <markivx@...eaurora.org>
Subject: Re: [PATCH] firmware: Fix security issue with request_firmware_into_buf()

On Wed, Aug 1, 2018, 4:26 PM Rishabh Bhatnagar <rishabhb@...eaurora.org>
wrote:

> When calling request_firmware_into_buf() with the FW_OPT_NOCACHE flag
> it is expected that firmware is loaded into buffer from memory.
> But inside alloc_lookup_fw_priv every new firmware that is loaded is
> added to the firmware cache (fwc) list head. So if any driver requests
> a firmware that is already loaded the code iterates over the above
> mentioned list and it can end up giving a pointer to other device driver's
> firmware buffer.
> Also the existing copy may either be modified by drivers, remote processors
> or even freed. This causes a potential security issue with batched requests
> when using request_firmware_into_buf.
>
> Fix alloc_lookup_fw_priv to not add to the fwc head list if FW_OPT_NOCACHE
> is set, and also don't do the lookup in the list.
>
> Fixes: 0e742e9275 ("firmware: provide infrastructure to make fw caching
> optional")
>
> Signed-off-by: Vikram Mulukutla <markivx@...eaurora.org>
> Signed-off-by: Rishabh Bhatnagar <rishabhb@...eaurora.org>
> ---


Did you test with the tools/testing/selftests/firmware/ scripts? If not
please do so and report back and confirm no regressions are found.

Brownie points for you to add a test case to show the issue highlighted in
this patch, and which it fixes. I believe this fix should be pushed to
stable, so I'll do that after you confirm no regressions were found.

The new selftests changes you'd make would not go to stable, however there
are Linux distributions and 0day that test the latest tools directory
against older kernels. So this test would help capture gaps later.

  Luis
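
The caching behaviour described in the quoted commit message, as an added userspace model (not code from this thread and not the kernel's implementation): it shows a second FW_OPT_NOCACHE request for the same name being handed the first requester's buffer, and the same sequence once lookup and list insertion are skipped for that flag. Assumptions: the struct layout, the flag value, the `fixed` switch, the helper names and the firmware name "modem.bin" are hypothetical and constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>
#define FW_OPT_NOCACHE 0x1u          /* flag name from the patch; value arbitrary here */

struct fw_priv {                     /* simplified stand-in for per-firmware state */
    char name[32];
    void *data;                      /* buffer the firmware image is loaded into */
    struct fw_priv *next;            /* link in the model cache list */
};

static struct fw_priv *cache_head;   /* models the firmware cache (fwc) list head */

static struct fw_priv *lookup(const char *name)
{
    for (struct fw_priv *p = cache_head; p; p = p->next)
        if (strcmp(p->name, name) == 0)
            return p;
    return NULL;
}

/* Model of the lookup-or-allocate step; fixed != 0 selects the behaviour
 * the commit message asks for (no lookup, no list insert under NOCACHE). */
static struct fw_priv *model_alloc_lookup(const char *name, void *dbuf,
                                          unsigned int opt, int fixed)
{
    int skip_cache = fixed && (opt & FW_OPT_NOCACHE);
    struct fw_priv *p;
    if (!skip_cache && (p = lookup(name)) != NULL)
        return p;                    /* caller gets the existing entry and its buffer */
    p = calloc(1, sizeof(*p));
    if (!p)
        return NULL;
    strncpy(p->name, name, sizeof(p->name) - 1);
    p->data = dbuf;
    if (!skip_cache) {               /* only cacheable requests join the list */
        p->next = cache_head;
        cache_head = p;
    }
    return p;
}

/* Returns 1 if the second requester ends up with the first one's buffer. */
static int second_request_aliases(int fixed)
{
    char buf_a[16], buf_b[16];       /* constructed: two drivers' own buffers */
    struct fw_priv *a, *b;
    cache_head = NULL;
    a = model_alloc_lookup("modem.bin", buf_a, FW_OPT_NOCACHE, fixed);
    b = model_alloc_lookup("modem.bin", buf_b, FW_OPT_NOCACHE, fixed);
    return a && b && b->data == (void *)buf_a;
}
```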
