From: Hyunwoo Kim <imv4bel@gmail.com>
To: ardb@kernel.org
Cc: linux-efi@vger.kernel.org, imv4bel@gmail.com
Subject: [PATCH v4] efi: capsule-loader: Fix use-after-free in efi_capsule_write
Date: Wed, 7 Sep 2022 08:35:13 -0700
Message-ID: <20220907153513.GA147130@ubuntu>
A race condition may occur if the user calls close() on another
thread during a write() operation on the device node of the efi capsule.
This is a race condition that occurs between the efi_capsule_write()
and efi_capsule_flush() functions of efi_capsule_fops,
which ultimately results in UAF.
So, the page freeing process is modified to be done in
efi_capsule_release() instead of efi_capsule_flush().
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
---
drivers/firmware/efi/capsule-loader.c | 29 ++++++---------------------
1 file changed, 6 insertions(+), 23 deletions(-)
diff --git a/drivers/firmware/efi/capsule-loader.c b/drivers/firmware/efi/capsule-loader.c
index 4dde8edd53b6..788e860304ae 100644
--- a/drivers/firmware/efi/capsule-loader.c
+++ b/drivers/firmware/efi/capsule-loader.c
@@ -243,18 +243,17 @@ static ssize_t efi_capsule_write(struct file *file, const char __user *buff,
}
/**
- * efi_capsule_flush - called by file close or file flush
+ * efi_capsule_release - called by file close
+ * @inode: not used
* @file: file pointer
- * @id: not used
*
- * If a capsule is being partially uploaded then calling this function
- * will be treated as upload termination and will free those completed
- * buffer pages and -ECANCELED will be returned.
+ * We will not free successfully submitted pages since efi update
+ * requires data to be maintained across system reboot.
**/
-static int efi_capsule_flush(struct file *file, fl_owner_t id)
+static int efi_capsule_release(struct inode *inode, struct file *file)
{
- int ret = 0;
struct capsule_info *cap_info = file->private_data;
+ int ret = 0;
if (cap_info->index > 0) {
pr_err("capsule upload not complete\n");
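Review bot: the `int ret = 0;` kept in the new efi_capsule_release() (and the `ret = -ECANCELED;` it feeds) no longer reaches userspace, because the VFS discards the return value of ->release, whereas ->flush's return was propagated to close(). Dropping the kerneldoc sentence about -ECANCELED is therefore right, but the function body should match: either return 0 directly and keep only the pr_err(), or add a comment that the cancellation is log-only.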
@@ -262,21 +261,6 @@ static int efi_capsule_flush(struct file *file, fl_owner_t id)
ret = -ECANCELED;
}
- return ret;
-}
-
-/**
- * efi_capsule_release - called by file close
- * @inode: not used
- * @file: file pointer
- *
- * We will not free successfully submitted pages since efi update
- * requires data to be maintained across system reboot.
- **/
-static int efi_capsule_release(struct inode *inode, struct file *file)
-{
- struct capsule_info *cap_info = file->private_data;
-
kfree(cap_info->pages);
kfree(cap_info->phys);
kfree(file->private_data);
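Review bot: merging the flush path into release changes when a partial upload is discarded, and the commit message should say so. ->flush ran on every close() of the file, so any close of a duplicated or inherited descriptor cancelled and freed a half-written capsule; ->release runs only when the last reference to the struct file is dropped, so a partial upload now stays allocated until the final close. That is the intended effect of the fix, but the behavioural change deserves a sentence alongside the UAF explanation.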
@@ -324,7 +308,6 @@ static const struct file_operations efi_capsule_fops = {
.owner = THIS_MODULE,
.open = efi_capsule_open,
.write = efi_capsule_write,
- .flush = efi_capsule_flush,
.release = efi_capsule_release,
.llseek = no_llseek,
};
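Review bot: the commit message would be stronger with one sentence on why this removes the race rather than just moving it: a write() in progress holds a reference on the struct file, so ->release cannot be invoked until that write returns, whereas ->flush is called from close() with no such ordering against an in-flight write() on another thread. With `.flush` gone from efi_capsule_fops and efi_capsule_flush() deleted above, the only remaining cleanup path is serialized after the last user, which is the property the fix depends on.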
--
2.25.1
Thread overview: 2+ messages
2022-09-07 15:35 Hyunwoo Kim [this message]
2022-09-07 15:48 ` [PATCH v4] efi: capsule-loader: Fix use-after-free in efi_capsule_write Ard Biesheuvel