From: Ard Biesheuvel <ardb+git@google.com>
To: stable@vger.kernel.org
Cc: linux-efi@vger.kernel.org, Ard Biesheuvel <ardb@kernel.org>
Subject: [PATCH stable-v6.1 01/18] arm64: efi: Limit allocations to 48-bit addressable physical region
Date: Mon, 4 Mar 2024 12:19:39 +0100 [thread overview]
Message-ID: <20240304111937.2556102-21-ardb+git@google.com> (raw)
In-Reply-To: <20240304111937.2556102-20-ardb+git@google.com>
From: Ard Biesheuvel <ardb@kernel.org>
[ Commit a37dac5c5dcfe0f1fd58513c16cdbc280a47f628 upstream ]
The UEFI spec does not mention or reason about the configured size of
the virtual address space at all, but it does mention that all memory
should be identity mapped using a page size of 4 KiB.
This means that a LPA2 capable system that has any system memory outside
of the 48-bit addressable physical range and follows the spec to the
letter may serve page allocation requests from regions of memory that
the kernel cannot access unless it was built with LPA2 support and
enables it at runtime.
So let's ensure that all page allocations are limited to the 48-bit
range.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
arch/arm64/include/asm/efi.h | 1 +
drivers/firmware/efi/libstub/alignedmem.c | 2 ++
drivers/firmware/efi/libstub/arm64-stub.c | 5 +++--
drivers/firmware/efi/libstub/efistub.h | 4 ++++
drivers/firmware/efi/libstub/mem.c | 2 ++
drivers/firmware/efi/libstub/randomalloc.c | 2 +-
6 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/include/asm/efi.h b/arch/arm64/include/asm/efi.h
index 62c846be2d76..a75c0772ecfc 100644
--- a/arch/arm64/include/asm/efi.h
+++ b/arch/arm64/include/asm/efi.h
@@ -103,6 +103,7 @@ static inline void free_screen_info(struct screen_info *si)
}
#define EFI_ALLOC_ALIGN SZ_64K
+#define EFI_ALLOC_LIMIT ((1UL << 48) - 1)
/*
* On ARM systems, virtually remapped UEFI runtime services are set up in two
diff --git a/drivers/firmware/efi/libstub/alignedmem.c b/drivers/firmware/efi/libstub/alignedmem.c
index 174832661251..6b83c492c3b8 100644
--- a/drivers/firmware/efi/libstub/alignedmem.c
+++ b/drivers/firmware/efi/libstub/alignedmem.c
@@ -29,6 +29,8 @@ efi_status_t efi_allocate_pages_aligned(unsigned long size, unsigned long *addr,
efi_status_t status;
int slack;
+ max = min(max, EFI_ALLOC_LIMIT);
+
if (align < EFI_ALLOC_ALIGN)
align = EFI_ALLOC_ALIGN;
diff --git a/drivers/firmware/efi/libstub/arm64-stub.c b/drivers/firmware/efi/libstub/arm64-stub.c
index 08f46c072da5..40275c3131c8 100644
--- a/drivers/firmware/efi/libstub/arm64-stub.c
+++ b/drivers/firmware/efi/libstub/arm64-stub.c
@@ -191,10 +191,11 @@ efi_status_t handle_kernel_image(unsigned long *image_addr,
if (status != EFI_SUCCESS) {
if (!check_image_region((u64)_text, kernel_memsize)) {
efi_err("FIRMWARE BUG: Image BSS overlaps adjacent EFI memory region\n");
- } else if (IS_ALIGNED((u64)_text, min_kimg_align)) {
+ } else if (IS_ALIGNED((u64)_text, min_kimg_align) &&
+ (u64)_end < EFI_ALLOC_LIMIT) {
/*
* Just execute from wherever we were loaded by the
- * UEFI PE/COFF loader if the alignment is suitable.
+ * UEFI PE/COFF loader if the placement is suitable.
*/
*image_addr = (u64)_text;
*reserve_size = 0;
diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h
index ab505b07e626..002f02a6d359 100644
--- a/drivers/firmware/efi/libstub/efistub.h
+++ b/drivers/firmware/efi/libstub/efistub.h
@@ -29,6 +29,10 @@
#define EFI_ALLOC_ALIGN EFI_PAGE_SIZE
#endif
+#ifndef EFI_ALLOC_LIMIT
+#define EFI_ALLOC_LIMIT ULONG_MAX
+#endif
+
extern bool efi_nochunk;
extern bool efi_nokaslr;
extern int efi_loglevel;
diff --git a/drivers/firmware/efi/libstub/mem.c b/drivers/firmware/efi/libstub/mem.c
index 03d147f17185..4f1fa302234d 100644
--- a/drivers/firmware/efi/libstub/mem.c
+++ b/drivers/firmware/efi/libstub/mem.c
@@ -89,6 +89,8 @@ efi_status_t efi_allocate_pages(unsigned long size, unsigned long *addr,
efi_physical_addr_t alloc_addr;
efi_status_t status;
+ max = min(max, EFI_ALLOC_LIMIT);
+
if (EFI_ALLOC_ALIGN > EFI_PAGE_SIZE)
return efi_allocate_pages_aligned(size, addr, max,
EFI_ALLOC_ALIGN,
diff --git a/drivers/firmware/efi/libstub/randomalloc.c b/drivers/firmware/efi/libstub/randomalloc.c
index ec44bb7e092f..1692d19ae80f 100644
--- a/drivers/firmware/efi/libstub/randomalloc.c
+++ b/drivers/firmware/efi/libstub/randomalloc.c
@@ -29,7 +29,7 @@ static unsigned long get_entry_num_slots(efi_memory_desc_t *md,
return 0;
region_end = min(md->phys_addr + md->num_pages * EFI_PAGE_SIZE - 1,
- (u64)ULONG_MAX);
+ (u64)EFI_ALLOC_LIMIT);
if (region_end < size)
return 0;
--
2.44.0.278.ge034bb2e1d-goog
next prev parent reply other threads:[~2024-03-04 11:20 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-04 11:19 [PATCH stable-v6.1 00/18] efistub/x86 changes for secure boot Ard Biesheuvel
2024-03-04 11:19 ` Ard Biesheuvel [this message]
2024-03-04 11:19 ` [PATCH stable-v6.1 02/18] efi: efivars: prevent double registration Ard Biesheuvel
2024-03-04 11:19 ` [PATCH stable-v6.1 03/18] x86/efistub: Simplify and clean up handover entry code Ard Biesheuvel
2024-03-04 11:19 ` [PATCH stable-v6.1 04/18] x86/decompressor: Avoid magic offsets for EFI handover entrypoint Ard Biesheuvel
2024-03-04 11:19 ` [PATCH stable-v6.1 05/18] x86/efistub: Clear BSS in EFI handover protocol entrypoint Ard Biesheuvel
2024-03-04 11:19 ` [PATCH stable-v6.1 06/18] x86/decompressor: Move global symbol references to C code Ard Biesheuvel
2024-03-04 11:19 ` [PATCH stable-v6.1 07/18] efi/libstub: Add memory attribute protocol definitions Ard Biesheuvel
2024-03-04 11:19 ` [PATCH stable-v6.1 08/18] efi/libstub: Add limit argument to efi_random_alloc() Ard Biesheuvel
2024-03-04 11:19 ` [PATCH stable-v6.1 09/18] x86/efistub: Perform 4/5 level paging switch from the stub Ard Biesheuvel
2024-03-04 11:19 ` [PATCH stable-v6.1 10/18] x86/decompressor: Factor out kernel decompression and relocation Ard Biesheuvel
2024-03-04 11:19 ` [PATCH stable-v6.1 11/18] x86/efistub: Prefer EFI memory attributes protocol over DXE services Ard Biesheuvel
2024-03-04 11:19 ` [PATCH stable-v6.1 12/18] x86/efistub: Perform SNP feature test while running in the firmware Ard Biesheuvel
2024-03-04 11:19 ` [PATCH stable-v6.1 13/18] x86/efistub: Avoid legacy decompressor when doing EFI boot Ard Biesheuvel
2024-03-04 11:19 ` [PATCH stable-v6.1 14/18] efi/x86: Avoid physical KASLR on older Dell systems Ard Biesheuvel
2024-03-04 11:19 ` [PATCH stable-v6.1 15/18] x86/efistub: Avoid placing the kernel below LOAD_PHYSICAL_ADDR Ard Biesheuvel
2024-03-04 11:19 ` [PATCH stable-v6.1 16/18] x86/boot: Rename conflicting 'boot_params' pointer to 'boot_params_ptr' Ard Biesheuvel
2024-03-04 11:19 ` [PATCH stable-v6.1 17/18] x86/boot: efistub: Assign global boot_params variable Ard Biesheuvel
2024-03-04 11:19 ` [PATCH stable-v6.1 18/18] efi/x86: Fix the missing KASLR_FLAG bit in boot_params->hdr.loadflags Ard Biesheuvel
2024-03-04 11:42 ` [PATCH stable-v6.1 00/18] efistub/x86 changes for secure boot Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240304111937.2556102-21-ardb+git@google.com \
--to=ardb+git@google.com \
--cc=ardb@kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox