| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YmA9x/Yn9lJwegsu@kroah.com>
Date: Wed, 20 Apr 2022 19:07:19 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Thiébaud Weksteen <tweek@...gle.com>
Cc: Luis Chamberlain <mcgrof@...nel.org>,
Jeffrey Vander Stoep <jeffv@...gle.com>,
Saravana Kannan <saravanak@...gle.com>,
Alistair Delva <adelva@...gle.com>,
Adam Shih <adamshih@...gle.com>, selinux@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] firmware_loader: use kernel credentials when reading
firmware
On Mon, Apr 04, 2022 at 03:46:42PM +1000, Thiébaud Weksteen wrote:
> Device drivers may decide to not load firmware when probed to avoid
> slowing down the boot process should the firmware filesystem not be
> available yet. In this case, the firmware loading request may be done
> when a device file associated with the driver is first accessed. The
> credentials of the userspace process accessing the device file may be
> used to validate access to the firmware files requested by the driver.
> Ensure that the kernel assumes the responsibility of reading the
> firmware.
>
> This was observed on Android for a graphic driver loading their firmware
> when the device file (e.g. /dev/mali0) was first opened by userspace
> (i.e. surfaceflinger). The security context of surfaceflinger was used
> to validate the access to the firmware file (e.g.
> /vendor/firmware/mali.bin).
>
> Because previous configurations were relying on the userspace fallback
> mechanism, the security context of the userspace daemon (i.e. ueventd)
> was consistently used to read firmware files. More devices are found to
> use the command line argument firmware_class.path which gives the kernel
> the opportunity to read the firmware directly, hence surfacing this
> misattribution.
>
> Signed-off-by: Thiébaud Weksteen <tweek@...gle.com>
> ---
> drivers/base/firmware_loader/main.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
> index 94d1789a233e..416ee3cc6584 100644
> --- a/drivers/base/firmware_loader/main.c
> +++ b/drivers/base/firmware_loader/main.c
> @@ -735,6 +735,8 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
> size_t offset, u32 opt_flags)
> {
> struct firmware *fw = NULL;
> + struct cred *kern_cred = NULL;
> + const struct cred *old_cred;
> bool nondirect = false;
> int ret;
>
> @@ -751,6 +753,13 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
> if (ret <= 0) /* error or already assigned */
> goto out;
>
> + kern_cred = prepare_kernel_cred(NULL);
> + if (!kern_cred) {
> + ret = -ENOMEM;
> + goto out;
> + }
> + old_cred = override_creds(kern_cred);
Can you add a comment here before the call to prepare_kernel_cred() to
say why you are doing this and what it is for? Otherwise it is not
obvious at all.
thanks,
greg k-h
Powered by blists - more mailing lists