Linux v3.9.7
This commit is contained in:
parent
f58c94c259
commit
753f28c2d8
|
@ -1,228 +0,0 @@
|
|||
To fix /dev/kmsg, let's compare the existing interfaces and what they allow:
|
||||
|
||||
- /proc/kmsg allows:
|
||||
- open (SYSLOG_ACTION_OPEN) if CAP_SYSLOG since it uses a destructive
|
||||
single-reader interface (SYSLOG_ACTION_READ).
|
||||
- everything, after an open.
|
||||
|
||||
- syslog syscall allows:
|
||||
- anything, if CAP_SYSLOG.
|
||||
- SYSLOG_ACTION_READ_ALL and SYSLOG_ACTION_SIZE_BUFFER, if dmesg_restrict==0.
|
||||
- nothing else (EPERM).
|
||||
|
||||
The use-cases were:
|
||||
- dmesg(1) needs to do non-destructive SYSLOG_ACTION_READ_ALLs.
|
||||
- sysklog(1) needs to open /proc/kmsg, drop privs, and still issue the
|
||||
destructive SYSLOG_ACTION_READs.
|
||||
|
||||
AIUI, dmesg(1) is moving to /dev/kmsg, and systemd-journald doesn't
|
||||
clear the ring buffer.
|
||||
|
||||
Based on the comments in devkmsg_llseek, it sounds like actions besides
|
||||
reading aren't going to be supported by /dev/kmsg (i.e. SYSLOG_ACTION_CLEAR),
|
||||
so we have a strict subset of the non-destructive syslog syscall actions.
|
||||
|
||||
To this end, move the check as Josh had done, but also rename the constants
|
||||
to reflect their new uses (SYSLOG_FROM_CALL becomes SYSLOG_FROM_READER, and
|
||||
SYSLOG_FROM_FILE becomes SYSLOG_FROM_PROC). SYSLOG_FROM_READER allows
|
||||
non-destructive actions, and SYSLOG_FROM_PROC allows destructive actions
|
||||
after a capabilities-constrained SYSLOG_ACTION_OPEN check.
|
||||
|
||||
- /dev/kmsg allows:
|
||||
- open if CAP_SYSLOG or dmesg_restrict==0
|
||||
- reading/polling, after open
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Reported-by: Christian Kujau <lists@nerdbynature.de>
|
||||
Cc: Josh Boyer <jwboyer@redhat.com>
|
||||
Cc: Kay Sievers <kay@vrfy.org>
|
||||
Cc: stable@vger.kernel.org
|
||||
---
|
||||
fs/proc/kmsg.c | 10 +++---
|
||||
include/linux/syslog.h | 4 +--
|
||||
kernel/printk.c | 91 ++++++++++++++++++++++++++----------------------
|
||||
3 files changed, 57 insertions(+), 48 deletions(-)
|
||||
|
||||
diff --git a/fs/proc/kmsg.c b/fs/proc/kmsg.c
|
||||
index bd4b5a7..bdfabda 100644
|
||||
--- a/fs/proc/kmsg.c
|
||||
+++ b/fs/proc/kmsg.c
|
||||
@@ -21,12 +21,12 @@ extern wait_queue_head_t log_wait;
|
||||
|
||||
static int kmsg_open(struct inode * inode, struct file * file)
|
||||
{
|
||||
- return do_syslog(SYSLOG_ACTION_OPEN, NULL, 0, SYSLOG_FROM_FILE);
|
||||
+ return do_syslog(SYSLOG_ACTION_OPEN, NULL, 0, SYSLOG_FROM_PROC);
|
||||
}
|
||||
|
||||
static int kmsg_release(struct inode * inode, struct file * file)
|
||||
{
|
||||
- (void) do_syslog(SYSLOG_ACTION_CLOSE, NULL, 0, SYSLOG_FROM_FILE);
|
||||
+ (void) do_syslog(SYSLOG_ACTION_CLOSE, NULL, 0, SYSLOG_FROM_PROC);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -34,15 +34,15 @@ static ssize_t kmsg_read(struct file *file, char __user *buf,
|
||||
size_t count, loff_t *ppos)
|
||||
{
|
||||
if ((file->f_flags & O_NONBLOCK) &&
|
||||
- !do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_FILE))
|
||||
+ !do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_PROC))
|
||||
return -EAGAIN;
|
||||
- return do_syslog(SYSLOG_ACTION_READ, buf, count, SYSLOG_FROM_FILE);
|
||||
+ return do_syslog(SYSLOG_ACTION_READ, buf, count, SYSLOG_FROM_PROC);
|
||||
}
|
||||
|
||||
static unsigned int kmsg_poll(struct file *file, poll_table *wait)
|
||||
{
|
||||
poll_wait(file, &log_wait, wait);
|
||||
- if (do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_FILE))
|
||||
+ if (do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_PROC))
|
||||
return POLLIN | POLLRDNORM;
|
||||
return 0;
|
||||
}
|
||||
diff --git a/include/linux/syslog.h b/include/linux/syslog.h
|
||||
index 3891139..98a3153 100644
|
||||
--- a/include/linux/syslog.h
|
||||
+++ b/include/linux/syslog.h
|
||||
@@ -44,8 +44,8 @@
|
||||
/* Return size of the log buffer */
|
||||
#define SYSLOG_ACTION_SIZE_BUFFER 10
|
||||
|
||||
-#define SYSLOG_FROM_CALL 0
|
||||
-#define SYSLOG_FROM_FILE 1
|
||||
+#define SYSLOG_FROM_READER 0
|
||||
+#define SYSLOG_FROM_PROC 1
|
||||
|
||||
int do_syslog(int type, char __user *buf, int count, bool from_file);
|
||||
|
||||
diff --git a/kernel/printk.c b/kernel/printk.c
|
||||
index abbdd9e..53b5c5e 100644
|
||||
--- a/kernel/printk.c
|
||||
+++ b/kernel/printk.c
|
||||
@@ -368,6 +368,53 @@ static void log_store(int facility, int level,
|
||||
log_next_seq++;
|
||||
}
|
||||
|
||||
+#ifdef CONFIG_SECURITY_DMESG_RESTRICT
|
||||
+int dmesg_restrict = 1;
|
||||
+#else
|
||||
+int dmesg_restrict;
|
||||
+#endif
|
||||
+
|
||||
+static int syslog_action_restricted(int type)
|
||||
+{
|
||||
+ if (dmesg_restrict)
|
||||
+ return 1;
|
||||
+ /*
|
||||
+ * Unless restricted, we allow "read all" and "get buffer size"
|
||||
+ * for everybody.
|
||||
+ */
|
||||
+ return type != SYSLOG_ACTION_READ_ALL &&
|
||||
+ type != SYSLOG_ACTION_SIZE_BUFFER;
|
||||
+}
|
||||
+
|
||||
+static int check_syslog_permissions(int type, bool from_file)
|
||||
+{
|
||||
+ /*
|
||||
+ * If this is from /proc/kmsg and we've already opened it, then we've
|
||||
+ * already done the capabilities checks at open time.
|
||||
+ */
|
||||
+ if (from_file && type != SYSLOG_ACTION_OPEN)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (syslog_action_restricted(type)) {
|
||||
+ if (capable(CAP_SYSLOG))
|
||||
+ return 0;
|
||||
+ /*
|
||||
+ * For historical reasons, accept CAP_SYS_ADMIN too, with
|
||||
+ * a warning.
|
||||
+ */
|
||||
+ if (capable(CAP_SYS_ADMIN)) {
|
||||
+ printk_once(KERN_WARNING "%s (%d): "
|
||||
+ "Attempt to access syslog with CAP_SYS_ADMIN "
|
||||
+ "but no CAP_SYSLOG (deprecated).\n",
|
||||
+ current->comm, task_pid_nr(current));
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return -EPERM;
|
||||
+ }
|
||||
+ return security_syslog(type);
|
||||
+}
|
||||
+
|
||||
+
|
||||
/* /dev/kmsg - userspace message inject/listen interface */
|
||||
struct devkmsg_user {
|
||||
u64 seq;
|
||||
@@ -624,7 +671,8 @@ static int devkmsg_open(struct inode *inode, struct file *file)
|
||||
if ((file->f_flags & O_ACCMODE) == O_WRONLY)
|
||||
return 0;
|
||||
|
||||
- err = security_syslog(SYSLOG_ACTION_READ_ALL);
|
||||
+ err = check_syslog_permissions(SYSLOG_ACTION_READ_ALL,
|
||||
+ SYSLOG_FROM_READER);
|
||||
if (err)
|
||||
return err;
|
||||
|
||||
@@ -817,45 +865,6 @@ static inline void boot_delay_msec(int level)
|
||||
}
|
||||
#endif
|
||||
|
||||
-#ifdef CONFIG_SECURITY_DMESG_RESTRICT
|
||||
-int dmesg_restrict = 1;
|
||||
-#else
|
||||
-int dmesg_restrict;
|
||||
-#endif
|
||||
-
|
||||
-static int syslog_action_restricted(int type)
|
||||
-{
|
||||
- if (dmesg_restrict)
|
||||
- return 1;
|
||||
- /* Unless restricted, we allow "read all" and "get buffer size" for everybody */
|
||||
- return type != SYSLOG_ACTION_READ_ALL && type != SYSLOG_ACTION_SIZE_BUFFER;
|
||||
-}
|
||||
-
|
||||
-static int check_syslog_permissions(int type, bool from_file)
|
||||
-{
|
||||
- /*
|
||||
- * If this is from /proc/kmsg and we've already opened it, then we've
|
||||
- * already done the capabilities checks at open time.
|
||||
- */
|
||||
- if (from_file && type != SYSLOG_ACTION_OPEN)
|
||||
- return 0;
|
||||
-
|
||||
- if (syslog_action_restricted(type)) {
|
||||
- if (capable(CAP_SYSLOG))
|
||||
- return 0;
|
||||
- /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
|
||||
- if (capable(CAP_SYS_ADMIN)) {
|
||||
- printk_once(KERN_WARNING "%s (%d): "
|
||||
- "Attempt to access syslog with CAP_SYS_ADMIN "
|
||||
- "but no CAP_SYSLOG (deprecated).\n",
|
||||
- current->comm, task_pid_nr(current));
|
||||
- return 0;
|
||||
- }
|
||||
- return -EPERM;
|
||||
- }
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
#if defined(CONFIG_PRINTK_TIME)
|
||||
static bool printk_time = 1;
|
||||
#else
|
||||
@@ -1253,7 +1262,7 @@ out:
|
||||
|
||||
SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len)
|
||||
{
|
||||
- return do_syslog(type, buf, len, SYSLOG_FROM_CALL);
|
||||
+ return do_syslog(type, buf, len, SYSLOG_FROM_READER);
|
||||
}
|
||||
|
||||
/*
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
|
||||
--
|
||||
Kees Cook
|
||||
Chrome OS Security
|
|
@ -1,371 +0,0 @@
|
|||
From 2380baac8b96f6e93ef72135d1b60d686d7f82e6 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Sat, 1 Jun 2013 16:06:20 -0400
|
||||
Subject: [PATCH] Modify UEFI anti-bricking code
|
||||
|
||||
This patch reworks the UEFI anti-bricking code, including an effective
|
||||
reversion of cc5a080c and 31ff2f20. It turns out that calling
|
||||
QueryVariableInfo() from boot services results in some firmware
|
||||
implementations jumping to physical addresses even after entering virtual
|
||||
mode, so until we have 1:1 mappings for UEFI runtime space this isn't
|
||||
going to work so well.
|
||||
|
||||
Reverting these gets us back to the situation where we'd refuse to create
|
||||
variables on some systems because they classify deleted variables as "used"
|
||||
until the firmware triggers a garbage collection run, which they won't do
|
||||
until they reach a lower threshold. This results in it being impossible to
|
||||
install a bootloader, which is unhelpful.
|
||||
|
||||
Feedback from Samsung indicates that the firmware doesn't need more than
|
||||
5KB of storage space for its own purposes, so that seems like a reasonable
|
||||
threshold. However, there's still no guarantee that a platform will attempt
|
||||
garbage collection merely because it drops below this threshold. It seems
|
||||
that this is often only triggered if an attempt to write generates a
|
||||
genuine EFI_OUT_OF_RESOURCES error. We can force that by attempting to
|
||||
create a variable larger than the remaining space. This should fail, but if
|
||||
it somehow succeeds we can then immediately delete it.
|
||||
|
||||
I've tested this on the UEFI machines I have available, but I don't have
|
||||
a Samsung and so can't verify that it avoids the bricking problem.
|
||||
|
||||
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
---
|
||||
arch/x86/boot/compressed/eboot.c | 47 ----------
|
||||
arch/x86/include/asm/efi.h | 7 --
|
||||
arch/x86/include/uapi/asm/bootparam.h | 1 -
|
||||
arch/x86/platform/efi/efi.c | 167 +++++++++-------------------------
|
||||
4 files changed, 44 insertions(+), 178 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
|
||||
index 35ee62f..c205035 100644
|
||||
--- a/arch/x86/boot/compressed/eboot.c
|
||||
+++ b/arch/x86/boot/compressed/eboot.c
|
||||
@@ -251,51 +251,6 @@ static void find_bits(unsigned long mask, u8 *pos, u8 *size)
|
||||
*size = len;
|
||||
}
|
||||
|
||||
-static efi_status_t setup_efi_vars(struct boot_params *params)
|
||||
-{
|
||||
- struct setup_data *data;
|
||||
- struct efi_var_bootdata *efidata;
|
||||
- u64 store_size, remaining_size, var_size;
|
||||
- efi_status_t status;
|
||||
-
|
||||
- if (sys_table->runtime->hdr.revision < EFI_2_00_SYSTEM_TABLE_REVISION)
|
||||
- return EFI_UNSUPPORTED;
|
||||
-
|
||||
- data = (struct setup_data *)(unsigned long)params->hdr.setup_data;
|
||||
-
|
||||
- while (data && data->next)
|
||||
- data = (struct setup_data *)(unsigned long)data->next;
|
||||
-
|
||||
- status = efi_call_phys4((void *)sys_table->runtime->query_variable_info,
|
||||
- EFI_VARIABLE_NON_VOLATILE |
|
||||
- EFI_VARIABLE_BOOTSERVICE_ACCESS |
|
||||
- EFI_VARIABLE_RUNTIME_ACCESS, &store_size,
|
||||
- &remaining_size, &var_size);
|
||||
-
|
||||
- if (status != EFI_SUCCESS)
|
||||
- return status;
|
||||
-
|
||||
- status = efi_call_phys3(sys_table->boottime->allocate_pool,
|
||||
- EFI_LOADER_DATA, sizeof(*efidata), &efidata);
|
||||
-
|
||||
- if (status != EFI_SUCCESS)
|
||||
- return status;
|
||||
-
|
||||
- efidata->data.type = SETUP_EFI_VARS;
|
||||
- efidata->data.len = sizeof(struct efi_var_bootdata) -
|
||||
- sizeof(struct setup_data);
|
||||
- efidata->data.next = 0;
|
||||
- efidata->store_size = store_size;
|
||||
- efidata->remaining_size = remaining_size;
|
||||
- efidata->max_var_size = var_size;
|
||||
-
|
||||
- if (data)
|
||||
- data->next = (unsigned long)efidata;
|
||||
- else
|
||||
- params->hdr.setup_data = (unsigned long)efidata;
|
||||
-
|
||||
-}
|
||||
-
|
||||
static efi_status_t setup_efi_pci(struct boot_params *params)
|
||||
{
|
||||
efi_pci_io_protocol *pci;
|
||||
@@ -1202,8 +1157,6 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
|
||||
|
||||
setup_graphics(boot_params);
|
||||
|
||||
- setup_efi_vars(boot_params);
|
||||
-
|
||||
setup_efi_pci(boot_params);
|
||||
|
||||
status = efi_call_phys3(sys_table->boottime->allocate_pool,
|
||||
diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h
|
||||
index 2fb5d58..60c89f3 100644
|
||||
--- a/arch/x86/include/asm/efi.h
|
||||
+++ b/arch/x86/include/asm/efi.h
|
||||
@@ -102,13 +102,6 @@ extern void efi_call_phys_epilog(void);
|
||||
extern void efi_unmap_memmap(void);
|
||||
extern void efi_memory_uc(u64 addr, unsigned long size);
|
||||
|
||||
-struct efi_var_bootdata {
|
||||
- struct setup_data data;
|
||||
- u64 store_size;
|
||||
- u64 remaining_size;
|
||||
- u64 max_var_size;
|
||||
-};
|
||||
-
|
||||
#ifdef CONFIG_EFI
|
||||
|
||||
static inline bool efi_is_native(void)
|
||||
diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
|
||||
index 0874424..c15ddaf 100644
|
||||
--- a/arch/x86/include/uapi/asm/bootparam.h
|
||||
+++ b/arch/x86/include/uapi/asm/bootparam.h
|
||||
@@ -6,7 +6,6 @@
|
||||
#define SETUP_E820_EXT 1
|
||||
#define SETUP_DTB 2
|
||||
#define SETUP_PCI 3
|
||||
-#define SETUP_EFI_VARS 4
|
||||
|
||||
/* ram_size flags */
|
||||
#define RAMDISK_IMAGE_START_MASK 0x07FF
|
||||
diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
|
||||
index e4a86a6..beb5d5f 100644
|
||||
--- a/arch/x86/platform/efi/efi.c
|
||||
+++ b/arch/x86/platform/efi/efi.c
|
||||
@@ -41,7 +41,6 @@
|
||||
#include <linux/io.h>
|
||||
#include <linux/reboot.h>
|
||||
#include <linux/bcd.h>
|
||||
-#include <linux/ucs2_string.h>
|
||||
|
||||
#include <asm/setup.h>
|
||||
#include <asm/efi.h>
|
||||
@@ -52,13 +51,6 @@
|
||||
|
||||
#define EFI_DEBUG 1
|
||||
|
||||
-/*
|
||||
- * There's some additional metadata associated with each
|
||||
- * variable. Intel's reference implementation is 60 bytes - bump that
|
||||
- * to account for potential alignment constraints
|
||||
- */
|
||||
-#define VAR_METADATA_SIZE 64
|
||||
-
|
||||
struct efi __read_mostly efi = {
|
||||
.mps = EFI_INVALID_TABLE_ADDR,
|
||||
.acpi = EFI_INVALID_TABLE_ADDR,
|
||||
@@ -77,13 +69,6 @@ struct efi_memory_map memmap;
|
||||
static struct efi efi_phys __initdata;
|
||||
static efi_system_table_t efi_systab __initdata;
|
||||
|
||||
-static u64 efi_var_store_size;
|
||||
-static u64 efi_var_remaining_size;
|
||||
-static u64 efi_var_max_var_size;
|
||||
-static u64 boot_used_size;
|
||||
-static u64 boot_var_size;
|
||||
-static u64 active_size;
|
||||
-
|
||||
unsigned long x86_efi_facility;
|
||||
|
||||
/*
|
||||
@@ -186,53 +171,8 @@ static efi_status_t virt_efi_get_next_variable(unsigned long *name_size,
|
||||
efi_char16_t *name,
|
||||
efi_guid_t *vendor)
|
||||
{
|
||||
- efi_status_t status;
|
||||
- static bool finished = false;
|
||||
- static u64 var_size;
|
||||
-
|
||||
- status = efi_call_virt3(get_next_variable,
|
||||
+ return efi_call_virt3(get_next_variable,
|
||||
name_size, name, vendor);
|
||||
-
|
||||
- if (status == EFI_NOT_FOUND) {
|
||||
- finished = true;
|
||||
- if (var_size < boot_used_size) {
|
||||
- boot_var_size = boot_used_size - var_size;
|
||||
- active_size += boot_var_size;
|
||||
- } else {
|
||||
- printk(KERN_WARNING FW_BUG "efi: Inconsistent initial sizes\n");
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if (boot_used_size && !finished) {
|
||||
- unsigned long size;
|
||||
- u32 attr;
|
||||
- efi_status_t s;
|
||||
- void *tmp;
|
||||
-
|
||||
- s = virt_efi_get_variable(name, vendor, &attr, &size, NULL);
|
||||
-
|
||||
- if (s != EFI_BUFFER_TOO_SMALL || !size)
|
||||
- return status;
|
||||
-
|
||||
- tmp = kmalloc(size, GFP_ATOMIC);
|
||||
-
|
||||
- if (!tmp)
|
||||
- return status;
|
||||
-
|
||||
- s = virt_efi_get_variable(name, vendor, &attr, &size, tmp);
|
||||
-
|
||||
- if (s == EFI_SUCCESS && (attr & EFI_VARIABLE_NON_VOLATILE)) {
|
||||
- var_size += size;
|
||||
- var_size += ucs2_strsize(name, 1024);
|
||||
- active_size += size;
|
||||
- active_size += VAR_METADATA_SIZE;
|
||||
- active_size += ucs2_strsize(name, 1024);
|
||||
- }
|
||||
-
|
||||
- kfree(tmp);
|
||||
- }
|
||||
-
|
||||
- return status;
|
||||
}
|
||||
|
||||
static efi_status_t virt_efi_set_variable(efi_char16_t *name,
|
||||
@@ -241,34 +181,9 @@ static efi_status_t virt_efi_set_variable(efi_char16_t *name,
|
||||
unsigned long data_size,
|
||||
void *data)
|
||||
{
|
||||
- efi_status_t status;
|
||||
- u32 orig_attr = 0;
|
||||
- unsigned long orig_size = 0;
|
||||
-
|
||||
- status = virt_efi_get_variable(name, vendor, &orig_attr, &orig_size,
|
||||
- NULL);
|
||||
-
|
||||
- if (status != EFI_BUFFER_TOO_SMALL)
|
||||
- orig_size = 0;
|
||||
-
|
||||
- status = efi_call_virt5(set_variable,
|
||||
- name, vendor, attr,
|
||||
- data_size, data);
|
||||
-
|
||||
- if (status == EFI_SUCCESS) {
|
||||
- if (orig_size) {
|
||||
- active_size -= orig_size;
|
||||
- active_size -= ucs2_strsize(name, 1024);
|
||||
- active_size -= VAR_METADATA_SIZE;
|
||||
- }
|
||||
- if (data_size) {
|
||||
- active_size += data_size;
|
||||
- active_size += ucs2_strsize(name, 1024);
|
||||
- active_size += VAR_METADATA_SIZE;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- return status;
|
||||
+ return efi_call_virt5(set_variable,
|
||||
+ name, vendor, attr,
|
||||
+ data_size, data);
|
||||
}
|
||||
|
||||
static efi_status_t virt_efi_query_variable_info(u32 attr,
|
||||
@@ -776,9 +691,6 @@ void __init efi_init(void)
|
||||
char vendor[100] = "unknown";
|
||||
int i = 0;
|
||||
void *tmp;
|
||||
- struct setup_data *data;
|
||||
- struct efi_var_bootdata *efi_var_data;
|
||||
- u64 pa_data;
|
||||
|
||||
#ifdef CONFIG_X86_32
|
||||
if (boot_params.efi_info.efi_systab_hi ||
|
||||
@@ -796,22 +708,6 @@ void __init efi_init(void)
|
||||
if (efi_systab_init(efi_phys.systab))
|
||||
return;
|
||||
|
||||
- pa_data = boot_params.hdr.setup_data;
|
||||
- while (pa_data) {
|
||||
- data = early_ioremap(pa_data, sizeof(*efi_var_data));
|
||||
- if (data->type == SETUP_EFI_VARS) {
|
||||
- efi_var_data = (struct efi_var_bootdata *)data;
|
||||
-
|
||||
- efi_var_store_size = efi_var_data->store_size;
|
||||
- efi_var_remaining_size = efi_var_data->remaining_size;
|
||||
- efi_var_max_var_size = efi_var_data->max_var_size;
|
||||
- }
|
||||
- pa_data = data->next;
|
||||
- early_iounmap(data, sizeof(*efi_var_data));
|
||||
- }
|
||||
-
|
||||
- boot_used_size = efi_var_store_size - efi_var_remaining_size;
|
||||
-
|
||||
set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility);
|
||||
|
||||
/*
|
||||
@@ -1131,28 +1027,53 @@ efi_status_t efi_query_variable_store(u32 attributes, unsigned long size)
|
||||
if (status != EFI_SUCCESS)
|
||||
return status;
|
||||
|
||||
- if (!max_size && remaining_size > size)
|
||||
- printk_once(KERN_ERR FW_BUG "Broken EFI implementation"
|
||||
- " is returning MaxVariableSize=0\n");
|
||||
/*
|
||||
* Some firmware implementations refuse to boot if there's insufficient
|
||||
* space in the variable store. We account for that by refusing the
|
||||
* write if permitting it would reduce the available space to under
|
||||
- * 50%. However, some firmware won't reclaim variable space until
|
||||
- * after the used (not merely the actively used) space drops below
|
||||
- * a threshold. We can approximate that case with the value calculated
|
||||
- * above. If both the firmware and our calculations indicate that the
|
||||
- * available space would drop below 50%, refuse the write.
|
||||
+ * 5KB. This figure was provided by Samsung, so should be safe.
|
||||
*/
|
||||
+ if ((remaining_size - size < 5120) && !efi_no_storage_paranoia) {
|
||||
+ /*
|
||||
+ * Triggering garbage collection may require that the firmware
|
||||
+ * generate a real EFI_OUT_OF_RESOURCES error. We can force
|
||||
+ * that by attempting to use more space than is available.
|
||||
+ */
|
||||
+ unsigned long dummy_size = remaining_size + 1024;
|
||||
+ void *dummy = kmalloc(dummy_size, GFP_ATOMIC);
|
||||
+ efi_char16_t efi_name[6] = { 'D', 'U', 'M', 'M', 'Y', 0 };
|
||||
+ efi_guid_t guid = EFI_GUID(0x4424ac57, 0xbe4b, 0x47dd, 0x9e,
|
||||
+ 0x97, 0xed, 0x50, 0xf0, 0x9f, 0x92,
|
||||
+ 0xa9);
|
||||
+
|
||||
+ status = efi.set_variable(efi_name, &guid, attributes,
|
||||
+ dummy_size, dummy);
|
||||
+
|
||||
+ if (status == EFI_SUCCESS) {
|
||||
+ /*
|
||||
+ * This should have failed, so if it didn't make sure
|
||||
+ * that we delete it...
|
||||
+ */
|
||||
+ efi.set_variable(efi_name, &guid, attributes, 0,
|
||||
+ dummy);
|
||||
+ }
|
||||
|
||||
- if (!storage_size || size > remaining_size ||
|
||||
- (max_size && size > max_size))
|
||||
- return EFI_OUT_OF_RESOURCES;
|
||||
+ /*
|
||||
+ * The runtime code may now have triggered a garbage collection
|
||||
+ * run, so check the variable info again
|
||||
+ */
|
||||
+ status = efi.query_variable_info(attributes, &storage_size,
|
||||
+ &remaining_size, &max_size);
|
||||
|
||||
- if (!efi_no_storage_paranoia &&
|
||||
- ((active_size + size + VAR_METADATA_SIZE > storage_size / 2) &&
|
||||
- (remaining_size - size < storage_size / 2)))
|
||||
- return EFI_OUT_OF_RESOURCES;
|
||||
+ if (status != EFI_SUCCESS)
|
||||
+ return status;
|
||||
+
|
||||
+ /*
|
||||
+ * There still isn't enough room, so return an error
|
||||
+ */
|
||||
+ if (remaining_size - size < 5120)
|
||||
+ return EFI_OUT_OF_RESOURCES;
|
||||
+ }
|
||||
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
--
|
||||
1.8.1.4
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
From 9538cbaab6e8b8046039b4b2eb6c9d614dc782bd Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Fri, 10 May 2013 21:48:21 +0000
|
||||
Subject: b43: stop format string leaking into error msgs
|
||||
|
||||
The module parameter "fwpostfix" is userspace controllable, unfiltered,
|
||||
and is used to define the firmware filename. b43_do_request_fw() populates
|
||||
ctx->errors[] on error, containing the firmware filename. b43err()
|
||||
parses its arguments as a format string. For systems with b43 hardware,
|
||||
this could lead to a uid-0 to ring-0 escalation.
|
||||
|
||||
CVE-2013-2852
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
||||
---
|
||||
diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
|
||||
index 6dd07e2..a95b77a 100644
|
||||
--- a/drivers/net/wireless/b43/main.c
|
||||
+++ b/drivers/net/wireless/b43/main.c
|
||||
@@ -2458,7 +2458,7 @@ static void b43_request_firmware(struct work_struct *work)
|
||||
for (i = 0; i < B43_NR_FWTYPES; i++) {
|
||||
errmsg = ctx->errors[i];
|
||||
if (strlen(errmsg))
|
||||
- b43err(dev->wl, errmsg);
|
||||
+ b43err(dev->wl, "%s", errmsg);
|
||||
}
|
||||
b43_print_fw_helptext(dev->wl, 1);
|
||||
goto out;
|
||||
--
|
||||
cgit v0.9.2
|
|
@ -1533,7 +1533,7 @@ CONFIG_ATH9K_DEBUGFS=y
|
|||
CONFIG_ATH9K_HTC=m
|
||||
CONFIG_ATH9K_BTCOEX_SUPPORT=y
|
||||
# CONFIG_ATH9K_HTC_DEBUGFS is not set
|
||||
CONFIG_ATH9K_RATE_CONTROL=y
|
||||
CONFIG_ATH9K_LEGACY_RATE_CONTROL=y
|
||||
CONFIG_WIL6210=m
|
||||
CONFIG_WIL6210_ISR_COR=y
|
||||
CONFIG_CARL9170=m
|
||||
|
|
23
kernel.spec
23
kernel.spec
|
@ -66,7 +66,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 6
|
||||
%define stable_update 7
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -720,9 +720,6 @@ Patch22070: net-tcp-bz857324.patch
|
|||
#rhbz 892811
|
||||
Patch22247: ath9k_rx_dma_stop_check.patch
|
||||
|
||||
#rhbz 903192
|
||||
Patch22261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
|
||||
|
||||
#rhbz 916544
|
||||
Patch22263: 0001-drivers-crypto-nx-fix-init-race-alignmasks-and-GCM-b.patch
|
||||
|
||||
|
@ -740,9 +737,6 @@ Patch25007: fix-child-thread-introspection.patch
|
|||
#rhbz 948262
|
||||
Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
|
||||
|
||||
#rhbz 964335
|
||||
Patch25026: Modify-UEFI-anti-bricking-code.patch
|
||||
|
||||
#CVE-2013-2140 rhbz 971146 971148
|
||||
Patch25031: xen-blkback-Check-device-permissions-before-allowing.patch
|
||||
|
||||
|
@ -752,9 +746,6 @@ Patch25032: cve-2013-2147-ciss-info-leak.patch
|
|||
#CVE-2013-2148 rhbz 971258 971261
|
||||
Patch25033: fanotify-info-leak-in-copy_event_to_user.patch
|
||||
|
||||
#CVE-2013-2852 rhbz 969518 971665
|
||||
Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch
|
||||
|
||||
#CVE-2013-2851 rhbz 969515 971662
|
||||
Patch25035: block-do-not-pass-disk-names-as-format-strings.patch
|
||||
|
||||
|
@ -1449,9 +1440,6 @@ ApplyPatch net-tcp-bz857324.patch
|
|||
#rhbz 892811
|
||||
ApplyPatch ath9k_rx_dma_stop_check.patch
|
||||
|
||||
#rhbz 903192
|
||||
ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
|
||||
|
||||
#rhbz 916544
|
||||
ApplyPatch 0001-drivers-crypto-nx-fix-init-race-alignmasks-and-GCM-b.patch
|
||||
|
||||
|
@ -1469,9 +1457,6 @@ ApplyPatch fix-child-thread-introspection.patch
|
|||
#rhbz 948262
|
||||
ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
|
||||
|
||||
#rhbz 964335
|
||||
ApplyPatch Modify-UEFI-anti-bricking-code.patch
|
||||
|
||||
#CVE-2013-2140 rhbz 971146 971148
|
||||
ApplyPatch xen-blkback-Check-device-permissions-before-allowing.patch
|
||||
|
||||
|
@ -1481,9 +1466,6 @@ ApplyPatch cve-2013-2147-ciss-info-leak.patch
|
|||
#CVE-2013-2148 rhbz 971258 971261
|
||||
ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch
|
||||
|
||||
#CVE-2013-2852 rhbz 969518 971665
|
||||
ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch
|
||||
|
||||
#CVE-2013-2851 rhbz 969515 971662
|
||||
ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch
|
||||
|
||||
|
@ -2355,6 +2337,9 @@ fi
|
|||
# '-' | |
|
||||
# '-'
|
||||
%changelog
|
||||
* Thu Jun 20 2013 Justin M. Forbes <jforbes@redhat.com>
|
||||
- Linux v3.9.7
|
||||
|
||||
* Tue Jun 18 2013 Dave Jones <davej@redhat.com>
|
||||
- Disable MTRR sanitizer by default.
|
||||
|
||||
|
|
Loading…
Reference in New Issue