From: Hyunwoo Kim <imv4bel@gmail.com>
To: ardb@kernel.org, linux-efi@vger.kernel.org
Subject: [PATCH] efi/capsule-loader: Add write mutex to prevent uaf
Date: Sat, 11 Jun 2022 12:40:19 -0700 [thread overview]
Message-ID: <20220611194019.GA483211@ubuntu> (raw)
If the user calls close() in the middle of copy operation in
copy_from_user() of efi_capsule_write(),
the user buffer may be copied to the released page.
This is because ->flush is called unconditionally regardless
of f_count, unlike ->release.
This driver is not a security vulnerability, as only
root privileges can write to it.
However, it seems to be a good idea to add mutexes to
efi_capsule_write() and efi_capsule_flush() as root can
accidentally break the page while in use.
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
---
drivers/firmware/efi/capsule-loader.c | 12 ++++++++++++
include/linux/efi.h | 1 +
2 files changed, 13 insertions(+)
diff --git a/drivers/firmware/efi/capsule-loader.c b/drivers/firmware/efi/capsule-loader.c
index 4dde8edd53b6..e50ede51ef38 100644
--- a/drivers/firmware/efi/capsule-loader.c
+++ b/drivers/firmware/efi/capsule-loader.c
@@ -177,6 +177,8 @@ static ssize_t efi_capsule_write(struct file *file, const char __user *buff,
if (count == 0)
return 0;
+ mutex_lock(&cap_info->write_lock);
+
/* Return error while NO_FURTHER_WRITE_ACTION is flagged */
if (cap_info->index < 0)
return -EIO;
@@ -233,12 +235,16 @@ static ssize_t efi_capsule_write(struct file *file, const char __user *buff,
goto failed;
}
+ mutex_unlock(&cap_info->write_lock);
+
return write_byte;
fail_unmap:
kunmap(page);
failed:
efi_free_all_buff_pages(cap_info);
+ mutex_unlock(&cap_info->write_lock);
+
return ret;
}
@@ -256,12 +262,16 @@ static int efi_capsule_flush(struct file *file, fl_owner_t id)
int ret = 0;
struct capsule_info *cap_info = file->private_data;
+ mutex_lock(&cap_info->write_lock);
+
if (cap_info->index > 0) {
pr_err("capsule upload not complete\n");
efi_free_all_buff_pages(cap_info);
ret = -ECANCELED;
}
+ mutex_unlock(&cap_info->write_lock);
+
return ret;
}
@@ -315,6 +325,8 @@ static int efi_capsule_open(struct inode *inode, struct file *file)
return -ENOMEM;
}
+ mutex_init(&cap_info->write_lock);
+
file->private_data = cap_info;
return 0;
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 7d9b0bb47eb3..e274c4e8d7c6 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -204,6 +204,7 @@ struct efi_image_auth {
struct capsule_info {
efi_capsule_header_t header;
efi_capsule_header_t *capsule;
+ struct mutex write_mutex;
int reset_type;
long index;
size_t count;
--
2.25.1
reply other threads:[~2022-06-11 19:40 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220611194019.GA483211@ubuntu \
--to=imv4bel@gmail.com \
--cc=ardb@kernel.org \
--cc=linux-efi@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox