lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <55368a65-c536-93c7-c501-9f6086e308d2@redhat.com>
Date:   Thu, 28 Jul 2022 13:57:25 +0200
From:   Hans de Goede <hdegoede@...hat.com>
To:     Greg KH <gregkh@...uxfoundation.org>,
        Jithu Joseph <jithu.joseph@...el.com>
Cc:     markgross@...nel.org, ashok.raj@...el.com, tony.luck@...el.com,
        ravi.v.shankar@...el.com, linux-kernel@...r.kernel.org,
        platform-driver-x86@...r.kernel.org, patches@...ts.linux.dev
Subject: Re: [PATCH v2] platform/x86/intel/ifs: Allow non-default names for
 IFS image

Hi,

On 7/10/22 18:59, Greg KH wrote:
> On Sun, Jul 10, 2022 at 09:00:11AM -0700, Jithu Joseph wrote:
>> Existing implementation limits IFS images to be loaded only from
>> a default file-name /lib/firmware/intel/ifs/ff-mm-ss.scan.
> 
> That was by design, why is this suddenly not acceptable?
> 
>> But there are situations where there may be multiple scan files
>> that can be run on a particular system stored in /lib/firmware/intel/ifs
> 
> Again, this was by design.
> 
>> E.g.
>> 1. Because test contents are larger than the memory reserved for IFS by BIOS
> 
> What does the BIOS have to do with this?
> 
>> 2. To provide increased test coverage
> 
> Test coverage of what?
> 
>> 3. Custom test files to debug certain specific issues in the field
> 
> Why can't you rename the existing file?
> 
>> Renaming each of these to ff-mm-ss.scan and then loading might be
>> possible in some environments. But on systems where /lib is read-only
>> this is not a practical solution.
> 
> What system puts /lib/ as read-only that you want to have loading
> hardware firmware?  That kind of defeats the security implications of
> having a read-only /lib/, right?
> 
>> Modify the semantics of the driver file
>> /sys/devices/virtual/misc/intel_ifs_0/reload such that,
>> it interprets the input as the filename to be loaded.
> 
> So you are now going to allow any file to be read from the system, in an
> unknown filesystem namespace, by this driver?

@Intel folks to me this is the big blocker which needs to be solved before
we can move forward with figuring out how to allow loading multiple
different sets of test patterns through IFS.

Which in turn is required to remove the broken marking...

How about echoing a suffix to be appended to the default filename to
the reload attribute? This suffix would then need to be sanity checked
to only contain [a-z][0-9] (we don't want '/' but it seems better to
limit this further) to avoid directory traversal attacks. 

(and echoing an empty suffix can be used to force reloading the
default test-patterns after a linux-firmware pkg upgrade)

This way we avoid the allowing user to load an arbitrary file issue.

Greg, would using a suffix appended to the default filename be
acceptable to you as a solution to solving the load arbitrary
file issue?

Also as Greg has mentioned for the next version the commit message
+ ABI docs need to a better job of explaining why support for more
then one set of test patterns per CPU model is necessary.

Since there has been no progress on this I'm going to drop this
as well as the "[PATCH 0/2] Two fixes for IFS" patch series from
my patch queue. Lets continue discussing the userspace API issue
in this thread and then once it is solved please post a v3 patch/series
addressing all the issues.

Regards,

Hans




> How wise is that?  How
> much has this been fuzzed and tested to ensure that it can not now be
> instantly abused by anyone with access to this sysfs file?
> 
> Be aware that most systems have now locked down the ability for
> userspace to pick filenames for stuff like this for good reason.  This
> feels like a step backwards from those protections.  Are you _SURE_ you
> want to do this?
> 
>> diff --git a/drivers/platform/x86/intel/ifs/ifs.h b/drivers/platform/x86/intel/ifs/ifs.h
>> index 73c8e91cf144..577cee7db86a 100644
>> --- a/drivers/platform/x86/intel/ifs/ifs.h
>> +++ b/drivers/platform/x86/intel/ifs/ifs.h
>> @@ -34,12 +34,13 @@
>>   * socket in a two step process using writes to MSRs to first load the
>>   * SHA hashes for the test. Then the tests themselves. Status MSRs provide
>>   * feedback on the success/failure of these steps. When a new test file
>> - * is installed it can be loaded by writing to the driver reload file::
>> + * is installed it can be loaded by writing the filename to the driver reload file::
>>   *
>> - *   # echo 1 > /sys/devices/virtual/misc/intel_ifs_0/reload
>> + *   # echo mytest > /sys/devices/virtual/misc/intel_ifs_0/reload
>>   *
>> - * Similar to microcode, the current version of the scan tests is stored
>> - * in a fixed location: /lib/firmware/intel/ifs.0/family-model-stepping.scan
>> + * The file will be loaded from /lib/firmware/intel/ifs/mytest
>> + * The default file /lib/firmware/intel/ifs/family-model-stepping.scan
>> + * will be loaded during module insertion.
> 
> So you have a default directory, what happened to your read-only /lib/ ?
> 
> This also does not properly document what the kernel code does.
> 
> {sigh}
> 
> Please do not rush this, it's not acceptable as-is at all.
> 
>> --- a/Documentation/ABI/testing/sysfs-platform-intel-ifs
>> +++ b/Documentation/ABI/testing/sysfs-platform-intel-ifs
>> @@ -35,5 +35,4 @@ What:		/sys/devices/virtual/misc/intel_ifs_<N>/reload
>>  Date:		April 21 2022
>>  KernelVersion:	5.19
>>  Contact:	"Jithu Joseph" <jithu.joseph@...el.com>
>> -Description:	Write "1" (or "y" or "Y") to reload the IFS image from
>> -		/lib/firmware/intel/ifs/ff-mm-ss.scan.
>> +Description:	Write <file_name> to reload the IFS image from /lib/firmware/intel/<file_name>.
> 
> "reload" should not be for specifying the filename, please use a sane
> interface instead of this overloading logic.
> 
> greg k-h
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ