From: rishabhb@codeaurora.org
To: Luis Chamberlain <mcgrof@kernel.org>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Bjorn Andersson <bjorn.andersson@linaro.org>,
	ard.biesheuvel@linaro.org, vbabka@suse.cz, riel@surriel.com,
	akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
	ckadabi@codeaurora.org, tsoni@codeaurora.org,
	psodagud@codeaurora.org,
	Vikram Mulukutla <markivx@codeaurora.org>
Subject: Re: [PATCH] firmware: Fix security issue with request_firmware_into_buf()
Date: Tue, 07 Aug 2018 15:41:41 -0700
Message-ID: <aad4d3d0a66f00e429fcc08604c4ed0a@codeaurora.org>
In-Reply-To: <CAB=NE6XfwMOMgZK9YrE=kq0++wT109bNQQ0QYcu=0vfuuDyF3g@mail.gmail.com>

On 2018-08-02 14:58, Luis Chamberlain wrote:
> On Wed, Aug 1, 2018, 4:26 PM Rishabh Bhatnagar
> <rishabhb@codeaurora.org> wrote:
> 
>> When calling request_firmware_into_buf() with the FW_OPT_NOCACHE flag
>> it is expected that firmware is loaded into buffer from memory.
>> But inside alloc_lookup_fw_priv every new firmware that is loaded is
>> added to the firmware cache (fwc) list head. So if any driver requests
>> a firmware that is already loaded the code iterates over the above
>> mentioned list and it can end up giving a pointer to other device
>> driver's firmware buffer.
>> Also the existing copy may either be modified by drivers, remote
>> processors or even freed. This causes a potential security issue with
>> batched requests when using request_firmware_into_buf.
>> 
>> Fix alloc_lookup_fw_priv to not add to the fwc head list if
>> FW_OPT_NOCACHE is set, and also don't do the lookup in the list.
>> 
>> Fixes: 0e742e9275 ("firmware: provide infrastructure to make fw caching optional")
>> 
>> Signed-off-by: Vikram Mulukutla <markivx@codeaurora.org>
>> Signed-off-by: Rishabh Bhatnagar <rishabhb@codeaurora.org>
>> ---
> 
> Did you test with the tools/testing/selftests/firmware/ scripts? If
> not please do so and report back and confirm no regressions are found.
> 
> Brownie points for you to add a test case to show the issue
> highlighted in this patch, and which it fixes. I believe this fix
> should be pushed to stable, so I'll do that after you confirm no
> regressions were found.
> 
> The new selftests changes you'd make would not go to stable, however
> there are Linux distributions and 0day that test the latest tools
> directory against older kernels. So this test would help capture gaps
> later.
> 
>   Luis

I ran the selftests and observed no regressions with this change.
I'm still working on adding a test case though.

-Rishabh
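As an added illustration of the defect the commit message describes, and not code from the kernel or from this patch: a simplified user-space model of the cache lookup in alloc_lookup_fw_priv(). The structure names fw_priv and FW_OPT_NOCACHE are borrowed from the kernel only as labels for toy equivalents; the list is a plain array, the flag bit value is an assumption, and the two entry points model the behaviour before and after the fix. The "buggy" variant looks up and inserts regardless of FW_OPT_NOCACHE, so a second caller asking for the same name with its own buffer is handed the first caller's fw_priv; the "fixed" variant skips both steps when the flag is set, while still caching normal requests.

```c
/* Constructed model of the fwc lookup/insert path; not kernel code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FW_OPT_NOCACHE (1u << 0)   /* assumption: bit value chosen for this model */
#define MAX_CACHED 8

struct fw_priv {
    char name[32];
    unsigned char *data;           /* buffer the firmware was loaded into */
    size_t size;
    int cached;                    /* 1 if the entry sits on the fwc list */
};

/* The model's "fwc head list": every cached fw_priv is recorded here. */
static struct fw_priv *fwc_list[MAX_CACHED];
static int fwc_count;

static struct fw_priv *lookup_fw_priv(const char *name)
{
    for (int i = 0; i < fwc_count; i++)
        if (strcmp(fwc_list[i]->name, name) == 0)
            return fwc_list[i];
    return NULL;
}

static struct fw_priv *alloc_fw_priv(const char *name, void *buf, size_t size)
{
    struct fw_priv *p = calloc(1, sizeof(*p));
    if (!p)
        return NULL;
    strncpy(p->name, name, sizeof(p->name) - 1);
    p->data = buf;
    p->size = size;
    return p;
}

static void cache_fw_priv(struct fw_priv *p)
{
    if (fwc_count < MAX_CACHED) {
        p->cached = 1;
        fwc_list[fwc_count++] = p;
    }
}

/* Behaviour before the fix: the lookup and the list insertion ignore
 * FW_OPT_NOCACHE, so a name that is already cached is returned to any
 * later caller, including one that supplied its own private buffer. */
struct fw_priv *alloc_lookup_fw_priv_buggy(const char *name, void *buf,
                                           size_t size, unsigned opt)
{
    struct fw_priv *p = lookup_fw_priv(name);
    (void)opt;                      /* flag is never consulted here */
    if (p)
        return p;
    p = alloc_fw_priv(name, buf, size);
    if (p)
        cache_fw_priv(p);
    return p;
}

/* Behaviour after the fix: with FW_OPT_NOCACHE neither the lookup nor
 * the insertion happens, so each caller owns a fw_priv for its own buffer. */
struct fw_priv *alloc_lookup_fw_priv_fixed(const char *name, void *buf,
                                           size_t size, unsigned opt)
{
    struct fw_priv *p;
    if (!(opt & FW_OPT_NOCACHE)) {
        p = lookup_fw_priv(name);
        if (p)
            return p;
    }
    p = alloc_fw_priv(name, buf, size);
    if (p && !(opt & FW_OPT_NOCACHE))
        cache_fw_priv(p);
    return p;
}

/* Free every cached entry and empty the list. */
void reset_fwc(void)
{
    for (int i = 0; i < fwc_count; i++)
        free(fwc_list[i]);
    fwc_count = 0;
}

typedef struct fw_priv *(*lookup_fn)(const char *, void *, size_t, unsigned);

/* Two drivers each request "dev.bin" with FW_OPT_NOCACHE into their own
 * buffers. Returns 1 if they ended up sharing one buffer (the defect). */
int nocache_requests_share_buffer(lookup_fn fn)
{
    unsigned char buf_a[16], buf_b[16];   /* constructed per-driver buffers */
    reset_fwc();
    struct fw_priv *a = fn("dev.bin", buf_a, sizeof buf_a, FW_OPT_NOCACHE);
    struct fw_priv *b = fn("dev.bin", buf_b, sizeof buf_b, FW_OPT_NOCACHE);
    int shared = (a && b && a->data == b->data);
    reset_fwc();                          /* frees whatever was cached */
    if (a && !a->cached)
        free(a);
    if (b && b != a && !b->cached)
        free(b);
    return shared;
}

/* Ordinary (cacheable) requests must still be deduplicated after the fix. */
int cached_requests_share_entry(lookup_fn fn)
{
    reset_fwc();
    struct fw_priv *a = fn("cached.bin", NULL, 0, 0);
    struct fw_priv *b = fn("cached.bin", NULL, 0, 0);
    int same = (a && a == b);
    reset_fwc();
    return same;
}

int main(void)
{
    printf("buggy: nocache requests share buffer = %d\n",
           nocache_requests_share_buffer(alloc_lookup_fw_priv_buggy));
    printf("fixed: nocache requests share buffer = %d\n",
           nocache_requests_share_buffer(alloc_lookup_fw_priv_fixed));
    printf("fixed: cacheable requests still deduplicated = %d\n",
           cached_requests_share_entry(alloc_lookup_fw_priv_fixed));
    return 0;
}
```

The model reproduces the observable symptom only: with the pre-fix logic the second FW_OPT_NOCACHE caller receives a fw_priv whose data pointer is the first caller's buffer, which is exactly the cross-driver aliasing the commit message calls out; with the fixed logic each caller keeps a private entry while plain requests are still served from the list.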
