From: Lingzhu Xiang <lxiang-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: joeyli <jlee-IBi9RG/b67k@public.gmane.org>
Cc: Matt Fleming
<matt-HNK1S37rvNbeXh+fF434Mdi2O/JbrIOy@public.gmane.org>,
linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Matthew Garrett <mjg59-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>,
Jeremy Kerr <jeremy.kerr-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>,
Andy Whitcroft <apw-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>,
Jan Beulich <JBeulich-IBi9RG/b67k@public.gmane.org>,
Matt Fleming
<matt.fleming-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>,
Josh Boyer <jwboyer-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
glin-IBi9RG/b67k@public.gmane.org
Subject: Re: General protection fault in efivarfs
Date: Tue, 25 Dec 2012 10:24:33 +0800
Message-ID: <50D90E61.40702@redhat.com>
In-Reply-To: <1356346840.6113.45.camel-ONCj+Eqt86TasUa73XJKwA@public.gmane.org>
On 12/24/2012 07:00 PM, joeyli wrote:
> On Fri, 2012-12-21 at 19:05 +0800, Lingzhu Xiang wrote:
>> The following reproducer triggers certain bugs in efivarfs_file_write.
>>
>> #!/bin/bash
>> p=/sys/firmware/efi/efivars
>> mount -t efivarfs - $p
>> cat $p/Lang-*>$p/test-12341234-1234-1234-1234-123412341234
>> umount $p
>> mount -t efivarfs - $p
>> echo -en "\0\0\0\0">$p/test-12341234-1234-1234-1234-123412341234
>
> The problem is that the EFI_VARIABLE_MASK check in efivars.c is not
> enough to deny the use of 0x00000000 attributes.
>
> Per the UEFI spec, a runtime variable needs to have at least the
> attributes EFI_VARIABLE_BOOTSERVICE_ACCESS and EFI_VARIABLE_RUNTIME_ACCESS.
> Otherwise the UEFI BIOS will hit an unexpected error.
>
> Please try the following patch.

Thank you for your patch.

Per UEFI spec, echo -en "\0\0\0\0" should be equivalent to deleting.
This is what efivarfs_unlink is doing but I wanted to avoid its
underflowing when reproducing this.

This still reproduces the bug and passes the check in your patch:

echo -en "\x07\0\0\0" >$p/test-12341234-1234-1234-1234-123412341234

> diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c
> index 7b1c374..7aeb4a5 100644
> --- a/drivers/firmware/efivars.c
> +++ b/drivers/firmware/efivars.c
> @@ -706,6 +706,10 @@ static ssize_t efivarfs_file_write(struct file *file,
> if (attributes& ~(EFI_VARIABLE_MASK))
> return -EINVAL;
>
> + if (!((attributes& EFI_VARIABLE_BOOTSERVICE_ACCESS)&&
> + (attributes& EFI_VARIABLE_RUNTIME_ACCESS)))
> + return -EINVAL;
> +
> efivars = var->efivars;
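
Review bot: the added test for EFI_VARIABLE_BOOTSERVICE_ACCESS and EFI_VARIABLE_RUNTIME_ACCESS, placed right after the EFI_VARIABLE_MASK check, does not cover the reported fault. The reply above shows that an attribute word of 0x07 passes it and still reproduces the bug, so the fault is not prevented by validating attributes at this point in efivarfs_file_write. The check also returns -EINVAL for an all-zero attribute word, which the reply says should be equivalent to deleting the variable per the UEFI spec, so a write that means "delete" becomes an error. Suggest either handling the zero-attributes case as a deletion before this test or dropping the test, and adding a comment that states which attribute combinations the function is meant to accept.
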
--
Lingzhu Xiang