| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 30 Apr 2016 21:08:44 +0100
From: Matt Fleming <matt@...eblueprint.co.uk>
To: "Compostella, Jeremy" <jeremy.compostella@...el.com>
Cc: Ingo Molnar <mingo@...nel.org>, stefan.stanacar@...el.com,
peterz@...radead.org, linux-kernel@...r.kernel.org,
tglx@...utronix.de, hpa@...or.com, bp@...en8.de,
ard.biesheuvel@...aro.org, linux-tip-commits@...r.kernel.org
Subject: Re: [tip:efi/core] efibc: Add EFI Bootloader Control module
On Fri, 29 Apr, at 03:53:39PM, Jeremy Compostella wrote:
> From ef3a2941769e59b11d1ec36117209dc4c90c7cf9 Mon Sep 17 00:00:00 2001
> From: Jeremy Compostella <jeremy.compostella@...el.com>
> Date: Fri, 29 Apr 2016 15:29:59 +0200
> Subject: [PATCH] efibc: fix excessive stack footprint warning
>
> Use dynamic memory allocation instead of stack memory for the entry
> object.
>
> This patch also fixes a potential buffer override.
>
> Signed-off-by: Jeremy Compostella <jeremy.compostella@...el.com>
> ---
> drivers/firmware/efi/efibc.c | 36 ++++++++++++++++++++++++------------
> 1 file changed, 24 insertions(+), 12 deletions(-)
>
> diff --git a/drivers/firmware/efi/efibc.c b/drivers/firmware/efi/efibc.c
> index 2e0c7cc..dd6d1a6 100644
> --- a/drivers/firmware/efi/efibc.c
> +++ b/drivers/firmware/efi/efibc.c
> @@ -17,6 +17,7 @@
> #include <linux/efi.h>
> #include <linux/module.h>
> #include <linux/reboot.h>
> +#include <linux/slab.h>
>
> static void efibc_str_to_str16(const char *str, efi_char16_t *str16)
> {
> @@ -28,42 +29,53 @@ static void efibc_str_to_str16(const char *str, efi_char16_t *str16)
> str16[i] = '\0';
> }
>
> -static void efibc_set_variable(const char *name, const char *value)
> +static int efibc_set_variable(const char *name, const char *value)
> {
> int ret;
> efi_guid_t guid = LINUX_EFI_LOADER_ENTRY_GUID;
> - struct efivar_entry entry;
> + struct efivar_entry *entry;
> size_t size = (strlen(value) + 1) * sizeof(efi_char16_t);
>
> - if (size > sizeof(entry.var.Data))
> + if (size > sizeof(entry->var.Data)) {
> pr_err("value is too large");
> + return -1;
> + }
This isn't right. The usual return value for this scenario would be
either -ENOMEM or -EINVAL. Personally I'd lean towards -EINVAL.
>
> - efibc_str_to_str16(name, entry.var.VariableName);
> - efibc_str_to_str16(value, (efi_char16_t *)entry.var.Data);
> - memcpy(&entry.var.VendorGuid, &guid, sizeof(guid));
> + entry = kmalloc(sizeof(*entry), GFP_KERNEL);
> + if (!entry) {
> + pr_err("failed to allocate efivar entry");
> + return -1;
> + }
This should be -ENOMEM.
>
> - ret = efivar_entry_set(&entry,
> + efibc_str_to_str16(name, entry->var.VariableName);
> + efibc_str_to_str16(value, (efi_char16_t *)entry->var.Data);
> + memcpy(&entry->var.VendorGuid, &guid, sizeof(guid));
> +
> + ret = efivar_entry_set(entry,
> EFI_VARIABLE_NON_VOLATILE
> | EFI_VARIABLE_BOOTSERVICE_ACCESS
> | EFI_VARIABLE_RUNTIME_ACCESS,
> - size, entry.var.Data, NULL);
> + size, entry->var.Data, NULL);
> if (ret)
> pr_err("failed to set %s EFI variable: 0x%x\n",
> name, ret);
> +
> + kfree(entry);
> + return ret;
> }
>
> static int efibc_reboot_notifier_call(struct notifier_block *notifier,
> unsigned long event, void *data)
> {
> const char *reason = "shutdown";
> + int ret;
>
> if (event == SYS_RESTART)
> reason = "reboot";
>
> - efibc_set_variable("LoaderEntryRebootReason", reason);
> -
> - if (!data)
> - return NOTIFY_DONE;
> + ret = efibc_set_variable("LoaderEntryRebootReason", reason);
> + if (ret || !data)
> + return NOTIFY_DONE;
>
> efibc_set_variable("LoaderEntryOneShot", (char *)data);
You need to check this return value too now.
Powered by blists - more mailing lists