Two EFI fixes:
- Prevent a race and buffer overflow in the sysfs efivars interface which causes kernel memory corruption. - Add the missing NULL pointer checks in efivar_store_raw() -----BEGIN PGP SIGNATURE----- iQJHBAABCgAxFiEEQp8+kY+LLUocC4bMphj1TA10mKEFAl5uPtwTHHRnbHhAbGlu dXRyb25peC5kZQAKCRCmGPVMDXSYoU7CEAC7TN816o0o2EUokeThTnzEN1YljTNd zxL9Kin+a8PnVGM2KsJJNGN3vVErdzIqPrpiNRvVvV5PVBmXVkJiMQAFqBeP5Lu1 h+69W5pGPVPun3EUnIKvTgrBkHU5F2GsDrUjaERZdP/ukeIpYf1oAmY7yMMRNSiI 0ApjU5uhcuuLJHKUQ9xEz/QLNunbDW7j8tJy0jEsFKYixTsH2Gp4hiWWKONbPqhe K3Gs81NErIMz6iVsQmGEMKOqWo2TLtR3tIykGtj89fohauDwNvlmCOyV1l+ILdZd +SQhnM/yEimLfjV/QVyu/OxFFk9mK7iLQx7ADAtssMyz0z3vs9OyJqwicwjectl/ 70Ye9u+M4YzkgXYiUNJlXeRorhpZd6mpcj4lo5FrE42ydgd6Gmc2wNLT5P8bwO6T bMWPCdl/+9v3NofCFr1JCTHHtW6qgdEF1ehkW/P8NkxEQKvtMp5IV3M2DnR1TAxh oflf+nnA//daxc6RKzn5k0bMbQreXnBpQCjFIi9heenyDu14VO6Vok2EmqR6aZMF 6pIqdOqv+m/xxJGFWLjYiZO5zMNcrEsd0ypNXmXXxDauDb/JZlkE88SfiUJaOpFd hmh7nYRjCXkO3/JHSugIyN4xnYuUgAgIJGnloRfATppfd+rkB/u5mf29jl54edRK +lhkYCvWP+cACQ== =BzA6 -----END PGP SIGNATURE----- Merge tag 'efi-urgent-2020-03-15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull EFI fixes from Thomas Gleixner: "Two EFI fixes: - Prevent a race and buffer overflow in the sysfs efivars interface which causes kernel memory corruption. - Add the missing NULL pointer checks in efivar_store_raw()" * tag 'efi-urgent-2020-03-15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: efi: Add a sanity check to efivar_store_raw() efi: Fix a race and a buffer overflow while reading efivars via sysfs
This commit is contained in:
commit
b67775e124
@ -83,13 +83,16 @@ static ssize_t
|
||||
efivar_attr_read(struct efivar_entry *entry, char *buf)
|
||||
{
|
||||
struct efi_variable *var = &entry->var;
|
||||
unsigned long size = sizeof(var->Data);
|
||||
char *str = buf;
|
||||
int ret;
|
||||
|
||||
if (!entry || !buf)
|
||||
return -EINVAL;
|
||||
|
||||
var->DataSize = 1024;
|
||||
if (efivar_entry_get(entry, &var->Attributes, &var->DataSize, var->Data))
|
||||
ret = efivar_entry_get(entry, &var->Attributes, &size, var->Data);
|
||||
var->DataSize = size;
|
||||
if (ret)
|
||||
return -EIO;
|
||||
|
||||
if (var->Attributes & EFI_VARIABLE_NON_VOLATILE)
|
||||
@ -116,13 +119,16 @@ static ssize_t
|
||||
efivar_size_read(struct efivar_entry *entry, char *buf)
|
||||
{
|
||||
struct efi_variable *var = &entry->var;
|
||||
unsigned long size = sizeof(var->Data);
|
||||
char *str = buf;
|
||||
int ret;
|
||||
|
||||
if (!entry || !buf)
|
||||
return -EINVAL;
|
||||
|
||||
var->DataSize = 1024;
|
||||
if (efivar_entry_get(entry, &var->Attributes, &var->DataSize, var->Data))
|
||||
ret = efivar_entry_get(entry, &var->Attributes, &size, var->Data);
|
||||
var->DataSize = size;
|
||||
if (ret)
|
||||
return -EIO;
|
||||
|
||||
str += sprintf(str, "0x%lx\n", var->DataSize);
|
||||
@ -133,12 +139,15 @@ static ssize_t
|
||||
efivar_data_read(struct efivar_entry *entry, char *buf)
|
||||
{
|
||||
struct efi_variable *var = &entry->var;
|
||||
unsigned long size = sizeof(var->Data);
|
||||
int ret;
|
||||
|
||||
if (!entry || !buf)
|
||||
return -EINVAL;
|
||||
|
||||
var->DataSize = 1024;
|
||||
if (efivar_entry_get(entry, &var->Attributes, &var->DataSize, var->Data))
|
||||
ret = efivar_entry_get(entry, &var->Attributes, &size, var->Data);
|
||||
var->DataSize = size;
|
||||
if (ret)
|
||||
return -EIO;
|
||||
|
||||
memcpy(buf, var->Data, var->DataSize);
|
||||
@ -199,6 +208,9 @@ efivar_store_raw(struct efivar_entry *entry, const char *buf, size_t count)
|
||||
u8 *data;
|
||||
int err;
|
||||
|
||||
if (!entry || !buf)
|
||||
return -EINVAL;
|
||||
|
||||
if (in_compat_syscall()) {
|
||||
struct compat_efi_variable *compat;
|
||||
|
||||
@ -250,14 +262,16 @@ efivar_show_raw(struct efivar_entry *entry, char *buf)
|
||||
{
|
||||
struct efi_variable *var = &entry->var;
|
||||
struct compat_efi_variable *compat;
|
||||
unsigned long datasize = sizeof(var->Data);
|
||||
size_t size;
|
||||
int ret;
|
||||
|
||||
if (!entry || !buf)
|
||||
return 0;
|
||||
|
||||
var->DataSize = 1024;
|
||||
if (efivar_entry_get(entry, &entry->var.Attributes,
|
||||
&entry->var.DataSize, entry->var.Data))
|
||||
ret = efivar_entry_get(entry, &var->Attributes, &datasize, var->Data);
|
||||
var->DataSize = datasize;
|
||||
if (ret)
|
||||
return -EIO;
|
||||
|
||||
if (in_compat_syscall()) {
|
||||
|
Loading…
Reference in New Issue
Block a user