* [GIT PULL] EFI urgent fix
@ 2016-04-25 11:26 Matt Fleming
2016-04-25 11:29 ` [PATCH] efi: Fix out-of-bounds read in variable_matches() Matt Fleming
2016-04-25 15:29 ` [GIT PULL] EFI urgent fix Ingo Molnar
0 siblings, 2 replies; 3+ messages in thread
From: Matt Fleming @ 2016-04-25 11:26 UTC (permalink / raw)
To: Ingo Molnar, Thomas Gleixner, H . Peter Anvin
Cc: Matt Fleming, Ard Biesheuvel, linux-kernel, linux-efi,
Chris Wilson, Jani Nikula, Jason Andryuk, Laszlo Ersek,
Matthew Garrett, Peter Jones
Folks, please pull the following fix from Laszlo that ensures we don't
perform an out-of-bounds access when matching EFI variable names
against the variable protection whitelist.
The following changes since commit c3b46c73264b03000d1e18b22f5caf63332547c9:
Linux 4.6-rc4 (2016-04-17 19:13:32 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi.git tags/efi-urgent
for you to fetch changes up to 630ba0cc7a6dbafbdee43795617c872b35cde1b4:
efi: Fix out-of-bounds read in variable_matches() (2016-04-22 19:41:41 +0100)
----------------------------------------------------------------
* Avoid out-of-bounds access in the efivars code when performing
string matching on converted EFI variable names - Laszlo Ersek
----------------------------------------------------------------
Laszlo Ersek (1):
efi: Fix out-of-bounds read in variable_matches()
drivers/firmware/efi/vars.c | 37 ++++++++++++++++++++++++++-----------
1 file changed, 26 insertions(+), 11 deletions(-)
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH] efi: Fix out-of-bounds read in variable_matches()
2016-04-25 11:26 [GIT PULL] EFI urgent fix Matt Fleming
@ 2016-04-25 11:29 ` Matt Fleming
2016-04-25 15:29 ` [GIT PULL] EFI urgent fix Ingo Molnar
1 sibling, 0 replies; 3+ messages in thread
From: Matt Fleming @ 2016-04-25 11:29 UTC (permalink / raw)
To: Ingo Molnar, Thomas Gleixner, H . Peter Anvin
Cc: Laszlo Ersek, Ard Biesheuvel, linux-kernel, linux-efi,
Matt Fleming, Chris Wilson, Jani Nikula, Jason Andryuk,
Matthew Garrett, Peter Jones, stable
From: Laszlo Ersek <lersek@redhat.com>
The variable_matches() function can currently read "var_name[len]", for
example when:
- var_name[0] == 'a',
- len == 1
- match_name points to the NUL-terminated string "ab".
This function is supposed to accept "var_name" inputs that are not
NUL-terminated (hence the "len" parameter"). Document the function, and
access "var_name[*match]" only if "*match" is smaller than "len".
Reported-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Cc: Peter Jones <pjones@redhat.com>
Cc: Matthew Garrett <mjg59@coreos.com>
Cc: Jason Andryuk <jandryuk@gmail.com>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: <stable@vger.kernel.org> # v3.10+
Link: http://thread.gmane.org/gmane.comp.freedesktop.xorg.drivers.intel/86906
Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
---
drivers/firmware/efi/vars.c | 37 ++++++++++++++++++++++++++-----------
1 file changed, 26 insertions(+), 11 deletions(-)
diff --git a/drivers/firmware/efi/vars.c b/drivers/firmware/efi/vars.c
index 0ac594c0a234..34b741940494 100644
--- a/drivers/firmware/efi/vars.c
+++ b/drivers/firmware/efi/vars.c
@@ -202,29 +202,44 @@ static const struct variable_validate variable_validate[] = {
{ NULL_GUID, "", NULL },
};
+/*
+ * Check if @var_name matches the pattern given in @match_name.
+ *
+ * @var_name: an array of @len non-NUL characters.
+ * @match_name: a NUL-terminated pattern string, optionally ending in "*". A
+ * final "*" character matches any trailing characters @var_name,
+ * including the case when there are none left in @var_name.
+ * @match: on output, the number of non-wildcard characters in @match_name
+ * that @var_name matches, regardless of the return value.
+ * @return: whether @var_name fully matches @match_name.
+ */
static bool
variable_matches(const char *var_name, size_t len, const char *match_name,
int *match)
{
for (*match = 0; ; (*match)++) {
char c = match_name[*match];
- char u = var_name[*match];
- /* Wildcard in the matching name means we've matched */
- if (c == '*')
+ switch (c) {
+ case '*':
+ /* Wildcard in @match_name means we've matched. */
return true;
- /* Case sensitive match */
- if (!c && *match == len)
- return true;
+ case '\0':
+ /* @match_name has ended. Has @var_name too? */
+ return (*match == len);
- if (c != u)
+ default:
+ /*
+ * We've reached a non-wildcard char in @match_name.
+ * Continue only if there's an identical character in
+ * @var_name.
+ */
+ if (*match < len && c == var_name[*match])
+ continue;
return false;
-
- if (!c)
- return true;
+ }
}
- return true;
}
bool
--
2.7.3
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [GIT PULL] EFI urgent fix
2016-04-25 11:26 [GIT PULL] EFI urgent fix Matt Fleming
2016-04-25 11:29 ` [PATCH] efi: Fix out-of-bounds read in variable_matches() Matt Fleming
@ 2016-04-25 15:29 ` Ingo Molnar
1 sibling, 0 replies; 3+ messages in thread
From: Ingo Molnar @ 2016-04-25 15:29 UTC (permalink / raw)
To: Matt Fleming
Cc: Thomas Gleixner, H . Peter Anvin, Ard Biesheuvel, linux-kernel,
linux-efi, Chris Wilson, Jani Nikula, Jason Andryuk, Laszlo Ersek,
Matthew Garrett, Peter Jones
* Matt Fleming <matt@codeblueprint.co.uk> wrote:
> Folks, please pull the following fix from Laszlo that ensures we don't
> perform an out-of-bounds access when matching EFI variable names
> against the variable protection whitelist.
>
> The following changes since commit c3b46c73264b03000d1e18b22f5caf63332547c9:
>
> Linux 4.6-rc4 (2016-04-17 19:13:32 -0700)
>
> are available in the git repository at:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi.git tags/efi-urgent
>
> for you to fetch changes up to 630ba0cc7a6dbafbdee43795617c872b35cde1b4:
>
> efi: Fix out-of-bounds read in variable_matches() (2016-04-22 19:41:41 +0100)
>
> ----------------------------------------------------------------
> * Avoid out-of-bounds access in the efivars code when performing
> string matching on converted EFI variable names - Laszlo Ersek
>
> ----------------------------------------------------------------
> Laszlo Ersek (1):
> efi: Fix out-of-bounds read in variable_matches()
>
> drivers/firmware/efi/vars.c | 37 ++++++++++++++++++++++++++-----------
> 1 file changed, 26 insertions(+), 11 deletions(-)
Pulled into tip:efi/urgent, thanks Matt!
Ingo
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-04-25 15:29 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-04-25 11:26 [GIT PULL] EFI urgent fix Matt Fleming
2016-04-25 11:29 ` [PATCH] efi: Fix out-of-bounds read in variable_matches() Matt Fleming
2016-04-25 15:29 ` [GIT PULL] EFI urgent fix Ingo Molnar
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).