* Patch "efi: Move some sysfs files to be read-only by root" has been added to the 4.14-stable tree
@ 2017-12-11 21:52 gregkh
From: gregkh @ 2017-12-11 21:52 UTC (permalink / raw)
To: gregkh, ard.biesheuvel, dyoung, hpa, matt, mingo, peterz, tglx,
torvalds
Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
efi: Move some sysfs files to be read-only by root
to the 4.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
efi-move-some-sysfs-files-to-be-read-only-by-root.patch
and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From af97a77bc01ce49a466f9d4c0125479e2e2230b6 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 6 Dec 2017 09:50:08 +0000
Subject: efi: Move some sysfs files to be read-only by root
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit af97a77bc01ce49a466f9d4c0125479e2e2230b6 upstream.
Thanks to the scripts/leaking_addresses.pl script, it was found that
some EFI values should not be readable by non-root users.
So make them root-only, and to do that, add a __ATTR_RO_MODE() macro to
make this easier, and use it in other places at the same time.
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Tested-by: Dave Young <dyoung@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: http://lkml.kernel.org/r/20171206095010.24170-2-ard.biesheuvel@linaro.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/efi/efi.c | 3 +--
drivers/firmware/efi/esrt.c | 15 ++++++---------
drivers/firmware/efi/runtime-map.c | 10 +++++-----
include/linux/sysfs.h | 6 ++++++
4 files changed, 18 insertions(+), 16 deletions(-)
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -143,8 +143,7 @@ static ssize_t systab_show(struct kobjec
return str - buf;
}
-static struct kobj_attribute efi_attr_systab =
- __ATTR(systab, 0400, systab_show, NULL);
+static struct kobj_attribute efi_attr_systab = __ATTR_RO_MODE(systab, 0400);
#define EFI_FIELD(var) efi.var
--- a/drivers/firmware/efi/esrt.c
+++ b/drivers/firmware/efi/esrt.c
@@ -106,7 +106,7 @@ static const struct sysfs_ops esre_attr_
};
/* Generic ESRT Entry ("ESRE") support. */
-static ssize_t esre_fw_class_show(struct esre_entry *entry, char *buf)
+static ssize_t fw_class_show(struct esre_entry *entry, char *buf)
{
char *str = buf;
@@ -117,18 +117,16 @@ static ssize_t esre_fw_class_show(struct
return str - buf;
}
-static struct esre_attribute esre_fw_class = __ATTR(fw_class, 0400,
- esre_fw_class_show, NULL);
+static struct esre_attribute esre_fw_class = __ATTR_RO_MODE(fw_class, 0400);
#define esre_attr_decl(name, size, fmt) \
-static ssize_t esre_##name##_show(struct esre_entry *entry, char *buf) \
+static ssize_t name##_show(struct esre_entry *entry, char *buf) \
{ \
return sprintf(buf, fmt "\n", \
le##size##_to_cpu(entry->esre.esre1->name)); \
} \
\
-static struct esre_attribute esre_##name = __ATTR(name, 0400, \
- esre_##name##_show, NULL)
+static struct esre_attribute esre_##name = __ATTR_RO_MODE(name, 0400)
esre_attr_decl(fw_type, 32, "%u");
esre_attr_decl(fw_version, 32, "%u");
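Review bot: With the `esre_`/`esrt_` prefixes dropped, `esre_attr_decl()` here and `esrt_attr_decl()` in the next hunk both emit a file-scope `name##_show` into the same translation unit, with different signatures. The field names visible in these hunks do not overlap, but a future field shared by both tables would fail to build, and generic symbols such as `fw_type_show` or `fw_class_show` (renamed in the previous hunk) are harder to attribute in traces. Since the rename appears to exist only to satisfy the `_name##_show` convention of `__ATTR_RO_MODE()`, a one-line comment above each macro would keep someone from re-adding the prefix, e.g. `/* show routine must be named <field>_show for __ATTR_RO_MODE() */`.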
@@ -193,14 +191,13 @@ static int esre_create_sysfs_entry(void
/* support for displaying ESRT fields at the top level */
#define esrt_attr_decl(name, size, fmt) \
-static ssize_t esrt_##name##_show(struct kobject *kobj, \
+static ssize_t name##_show(struct kobject *kobj, \
struct kobj_attribute *attr, char *buf)\
{ \
return sprintf(buf, fmt "\n", le##size##_to_cpu(esrt->name)); \
} \
\
-static struct kobj_attribute esrt_##name = __ATTR(name, 0400, \
- esrt_##name##_show, NULL)
+static struct kobj_attribute esrt_##name = __ATTR_RO_MODE(name, 0400)
esrt_attr_decl(fw_resource_count, 32, "%u");
esrt_attr_decl(fw_resource_count_max, 32, "%u");
--- a/drivers/firmware/efi/runtime-map.c
+++ b/drivers/firmware/efi/runtime-map.c
@@ -63,11 +63,11 @@ static ssize_t map_attr_show(struct kobj
return map_attr->show(entry, buf);
}
-static struct map_attribute map_type_attr = __ATTR_RO(type);
-static struct map_attribute map_phys_addr_attr = __ATTR_RO(phys_addr);
-static struct map_attribute map_virt_addr_attr = __ATTR_RO(virt_addr);
-static struct map_attribute map_num_pages_attr = __ATTR_RO(num_pages);
-static struct map_attribute map_attribute_attr = __ATTR_RO(attribute);
+static struct map_attribute map_type_attr = __ATTR_RO_MODE(type, 0400);
+static struct map_attribute map_phys_addr_attr = __ATTR_RO_MODE(phys_addr, 0400);
+static struct map_attribute map_virt_addr_attr = __ATTR_RO_MODE(virt_addr, 0400);
+static struct map_attribute map_num_pages_attr = __ATTR_RO_MODE(num_pages, 0400);
+static struct map_attribute map_attribute_attr = __ATTR_RO_MODE(attribute, 0400);
/*
* These are default attributes that are added for every memmap entry.
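Review bot: The five declarations from `map_type_attr` to `map_attribute_attr` now carry an explicit 0400, but nothing in the file records why, so a later attribute added with plain `__ATTR_RO()` would be world-readable again. A comment above the block would preserve the intent, e.g. `/* Root-only: these expose EFI runtime map addresses; keep new entries at 0400. */`. The restriction is only the mode bit on the sysfs node; `map_attr_show()` starts outside the hunk and the visible part shows no additional check. `type`, `num_pages` and `attribute` are restricted together with the two address fields, which may affect unprivileged tooling that read them, so the changelog should say whether that is intended.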
--- a/include/linux/sysfs.h
+++ b/include/linux/sysfs.h
@@ -117,6 +117,12 @@ struct attribute_group {
.show = _name##_show, \
}
+#define __ATTR_RO_MODE(_name, _mode) { \
+ .attr = { .name = __stringify(_name), \
+ .mode = VERIFY_OCTAL_PERMISSIONS(_mode) }, \
+ .show = _name##_show, \
+}
+
#define __ATTR_WO(_name) { \
.attr = { .name = __stringify(_name), .mode = S_IWUSR }, \
.store = _name##_store, \
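Review bot: `__ATTR_RO_MODE()` is added without a comment, and nothing in the macro ties `_mode` to being read-only: it passes the caller's octal value through `VERIFY_OCTAL_PERMISSIONS()` and sets no `.store`. As far as I know that check validates the octal range and rejects world-writable modes but accepts owner and group write bits, so `__ATTR_RO_MODE(x, 0600)` would presumably build and yield a file that looks writable but has no store handler. I would add a short comment such as `/* Like __ATTR_RO(), but with a caller-chosen read-only mode (e.g. 0400); requires _name##_show. */` and consider `BUILD_BUG_ON_ZERO((_mode) & 0222)` alongside the existing check. The neighbouring macro definitions start and end outside the hunk.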
Patches currently in stable-queue which might be from gregkh@linuxfoundation.org are
queue-4.14/smp-hotplug-move-step-cpuhp_ap_smpcfd_dying-to-the-correct-place.patch
queue-4.14/powerpc-64s-initialize-isav3-mmu-registers-before-setting-partition-table.patch
queue-4.14/hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch
queue-4.14/x.509-reject-invalid-bit-string-for-subjectpublickey.patch
queue-4.14/bus-arm-ccn-check-memory-allocation-failure.patch
queue-4.14/iio-health-max30102-temperature-should-be-in-milli-celsius.patch
queue-4.14/asn.1-check-for-error-from-asn1_op_end__act-actions.patch
queue-4.14/can-ems_usb-cancel-urb-on-epipe-and-eproto.patch
queue-4.14/s390-always-save-and-restore-all-registers-on-context-switch.patch
queue-4.14/efi-esrt-use-memunmap-instead-of-kfree-to-free-the-remapping.patch
queue-4.14/alsa-seq-remove-spurious-warn_on-at-timer-check.patch
queue-4.14/ib-core-avoid-unnecessary-return-value-check.patch
queue-4.14/media-rc-partial-revert-of-media-rc-per-protocol-repeat-period.patch
queue-4.14/can-mcba_usb-fix-device-disconnect-bug.patch
queue-4.14/keys-add-missing-permission-check-for-request_key-destination.patch
queue-4.14/can-peak-pcie_fd-fix-potential-bug-in-restarting-tx-queue.patch
queue-4.14/s390-fix-compat-system-call-table.patch
queue-4.14/ib-core-only-enforce-security-for-infiniband.patch
queue-4.14/can-flexcan-fix-vf610-state-transition-issue.patch
queue-4.14/can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch
queue-4.14/scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch
queue-4.14/can-ti_hecc-fix-napi-poll-return-value-for-repoll.patch
queue-4.14/iommu-vt-d-fix-scatterlist-offset-handling.patch
queue-4.14/can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch
queue-4.14/revert-powerpc-do-not-call-ppc_md.panic-in-fadump-panic-notifier.patch
queue-4.14/iwlwifi-mvm-enable-rx-offloading-with-tkip-and-wep.patch
queue-4.14/iio-stm32-fix-adc-trigger-link-error.patch
queue-4.14/alsa-pcm-prevent-uaf-in-snd_pcm_info.patch
queue-4.14/can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch
queue-4.14/isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch
queue-4.14/arm-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch
queue-4.14/firmware-cleanup-firmware_in_kernel-message.patch
queue-4.14/alsa-usb-audio-add-check-return-value-for-usb_string.patch
queue-4.14/scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch
queue-4.14/can-mcba_usb-cancel-urb-on-eproto.patch
queue-4.14/kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch
queue-4.14/kvm-arm-arm64-fix-broken-gich_elrsr-big-endian-conversion.patch
queue-4.14/iwlwifi-mvm-flush-queue-before-deleting-roc.patch
queue-4.14/bus-arm-ccn-fix-module-unloading-error-removing-state-147-which-has-instances-left.patch
queue-4.14/firmware-vpd-fix-platform-driver-and-device-registration-unregistration.patch
queue-4.14/serdev-ttyport-fix-null-deref-on-hangup.patch
queue-4.14/iio-adc-cpcap-fix-incorrect-validation.patch
queue-4.14/brcmfmac-change-driver-unbind-order-of-the-sdio-function-devices.patch
queue-4.14/btrfs-fix-missing-error-return-in-btrfs_drop_snapshot.patch
queue-4.14/md-r5cache-move-mddev_lock-out-of-r5c_journal_mode_set.patch
queue-4.14/can-peak-pci-fix-potential-bug-when-probe-fails.patch
queue-4.14/drm-safely-free-connectors-from-connector_iter.patch
queue-4.14/can-kvaser_usb-ratelimit-errors-if-incomplete-messages-are-received.patch
queue-4.14/usb-gadget-udc-renesas_usb3-fix-number-of-the-pipes.patch
queue-4.14/s390-mm-fix-off-by-one-bug-in-5-level-page-table-handling.patch
queue-4.14/drm-i915-fix-vblank-timestamp-frame-counter-jumps-on-gen2.patch
queue-4.14/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
queue-4.14/arm64-sw-pan-update-saved-ttbr0-value-on-enter_lazy_tlb.patch
queue-4.14/kvm-arm-arm64-vgic-its-check-result-of-allocation-before-use.patch
queue-4.14/efi-move-some-sysfs-files-to-be-read-only-by-root.patch
queue-4.14/kvm-arm-arm64-vgic-preserve-the-revious-read-from-the-pending-table.patch
queue-4.14/firmware-vpd-destroy-vpd-sections-in-remove-function.patch
queue-4.14/drivers-hv-vmbus-fix-a-rescind-issue.patch
queue-4.14/media-rc-sir_ir-detect-presence-of-port.patch
queue-4.14/kvm-arm-arm64-vgic-irqfd-fix-msi-entry-allocation.patch
queue-4.14/virtio-release-virtio-index-when-fail-to-device_register.patch
queue-4.14/pinctrl-armada-37xx-fix-direction_output-callback-behavior.patch
queue-4.14/revert-arm-dts-imx53-add-srtc-node.patch
queue-4.14/kvm-x86-fix-apic-page-invalidation.patch
queue-4.14/can-kvaser_usb-free-buf-in-error-paths.patch
queue-4.14/media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch
queue-4.14/iio-adc-meson-saradc-initialize-the-bandgap-correctly-on-older-socs.patch
queue-4.14/iwlwifi-mvm-fix-packet-injection.patch
queue-4.14/asn.1-fix-out-of-bounds-read-when-parsing-indefinite-length-item.patch
queue-4.14/keys-reject-null-restriction-string-when-type-is-specified.patch
queue-4.14/iio-adc-meson-saradc-fix-the-bit_idx-of-the-adc_en-clock.patch
queue-4.14/iwlwifi-add-new-cards-for-9260-and-22000-series.patch
queue-4.14/usb-gadget-core-fix-udc_set_speed-speed-handling.patch
queue-4.14/scsi-libsas-align-sata_device-s-rps_resp-on-a-cacheline.patch
queue-4.14/bus-arm-cci-fix-use-of-smp_processor_id-in-preemptible-context.patch
queue-4.14/iwlwifi-mvm-don-t-use-transmit-queue-hang-detection-when-it-is-not-possible.patch
queue-4.14/arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch
queue-4.14/iwlwifi-mvm-mark-mic-stripped-mpdus.patch
queue-4.14/drm-bridge-analogix-dp-fix-runtime-pm-state-in-get_modes-callback.patch
queue-4.14/x.509-fix-comparisons-of-pkey_algo.patch
queue-4.14/serdev-ttyport-fix-tty-locking-in-close.patch
queue-4.14/usb-f_fs-force-reserved1-1-in-os_desc_ext_compat.patch
queue-4.14/can-kvaser_usb-fix-comparison-bug-in-kvaser_usb_read_bulk_callback.patch
queue-4.14/firmware-vpd-tie-firmware-kobject-to-device-lifetime.patch
queue-4.14/iio-adc-meson-saradc-meson8-and-meson8b-do-not-have-reg11-and-reg13.patch
queue-4.14/btrfs-handle-errors-while-updating-refcounts-in-update_ref_for_cow.patch
queue-4.14/arm64-sw-pan-point-saved-ttbr0-at-the-zero-page-when-switching-to-init_mm.patch
queue-4.14/alsa-hda-realtek-new-codec-support-for-alc257.patch
queue-4.14/drm-exynos-gem-drop-noncontig-flag-for-buffers-allocated-without-iommu.patch
queue-4.14/arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch
queue-4.14/alsa-usb-audio-fix-out-of-bound-error.patch
queue-4.14/bus-arm-ccn-fix-use-of-smp_processor_id-in-preemptible-context.patch
queue-4.14/x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch
queue-4.14/serdev-ttyport-add-missing-receive_buf-sanity-checks.patch
queue-4.14/x86-idt-load-idt-early-in-start_secondary.patch
queue-4.14/kvm-s390-fix-skey-emulation-permission-check.patch