From: Ma Wupeng mawupeng1@huawei.com
1. fix memleak with efi_fake_mem
2. disable efi_fake_mem support by default for arm64

Ma Wupeng (2):
  efi: Fix UAF for arm64 when enable efi_fake_mem
  config: Disable EFI_FAKE_MEMMAP support for arm64 by default

 arch/arm64/configs/openeuler_defconfig |  3 +--
 drivers/firmware/efi/fake_mem.c        | 13 +++++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)
From: Ma Wupeng mawupeng1@huawei.com
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7F3NP
CVE: NA
--------------------------------
Efi fake mem support for arm64 is introduced for debug purposes only. However, efi_memmap_init_late in arm_enable_runtime_services will free this memory, which will lead to UAF on efi.memmap.map.
In order to solve this, clear efi.memmap.flags to skip the free. Since the efi map is never freed in arm64, this will not lead to a memory leak.
Signed-off-by: Ma Wupeng mawupeng1@huawei.com
---
 drivers/firmware/efi/fake_mem.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/drivers/firmware/efi/fake_mem.c b/drivers/firmware/efi/fake_mem.c index 6e0f34a38171..be7d13ef91d2 100644 --- a/drivers/firmware/efi/fake_mem.c +++ b/drivers/firmware/efi/fake_mem.c @@ -61,6 +61,19 @@ static void __init efi_fake_range(struct efi_mem_range *efi_range) /* swap into new EFI memmap */ early_memunmap(new_memmap, data.size);
+#ifdef CONFIG_ARM64 + /* + * Efi fake mem support for arm64 is introduced for debug propose + * only. However efi_memmap_init_late in arm_enable_runtime_services + * will free this memory which will lead to UAF on efi.memmap.map. + * + * In order to slove this, clear efi.memmap.flags to skip free. + * Since efi map is never freed in arm64, this will not lead to + * memroy leak. + */ + data.flags &= ~(EFI_MEMMAP_SLAB | EFI_MEMMAP_MEMBLOCK); +#endif + efi_memmap_install(&data); }
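Review bot: The `data.flags &= ~(EFI_MEMMAP_SLAB | EFI_MEMMAP_MEMBLOCK);` line just before `efi_memmap_install(&data)` avoids the later free by erasing the allocation's ownership flags instead of changing the path that frees it, so the safety of the hunk rests entirely on the comment's claim that the EFI map is never freed on arm64. Please say in the comment which allocation the cleared flags describe and that it is intentionally kept for the lifetime of the system, so a later change that starts freeing the map on arm64 does not silently turn this into a leak. Consider `if (IS_ENABLED(CONFIG_ARM64))` in place of the `#ifdef` block inside the function. The added comment also has typos ("propose", "slove", "memroy"), and the cover letter describes the series as a memleak fix while the subject and the comment describe a UAF; the wording should agree.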
From: Ma Wupeng mawupeng1@huawei.com
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7F3NP
CVE: NA
--------------------------------
EFI_FAKE_MEMMAP is used for a specific memory range by updating the original (firmware provided) EFI memmap. This can only be used for debug purposes. Disable it by default.
Signed-off-by: Ma Wupeng mawupeng1@huawei.com
---
 arch/arm64/configs/openeuler_defconfig | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig index 5ef45486a594..10ef44952212 100644 --- a/arch/arm64/configs/openeuler_defconfig +++ b/arch/arm64/configs/openeuler_defconfig @@ -657,8 +657,7 @@ CONFIG_FW_CFG_SYSFS=y CONFIG_EFI_ESRT=y CONFIG_EFI_VARS_PSTORE=y CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y -CONFIG_EFI_FAKE_MEMMAP=y -CONFIG_EFI_MAX_FAKE_MEM=8 +# CONFIG_EFI_FAKE_MEMMAP is not set CONFIG_EFI_SOFT_RESERVE=y CONFIG_EFI_PARAMS_FROM_FDT=y CONFIG_EFI_RUNTIME_WRAPPERS=y
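Review bot: The removal of `CONFIG_EFI_MAX_FAKE_MEM=8` alongside `CONFIG_EFI_FAKE_MEMMAP=y` is not mentioned in the commit message, which only talks about disabling EFI_FAKE_MEMMAP. Please add a sentence explaining why the second symbol is dropped (for example, that it has no effect once the first is unset), so the two-line deletion does not look accidental. It would also help to state that with this default the arm64-specific flag clearing added to fake_mem.c in the previous patch is only built when someone re-enables the option for debugging, since the bug is otherwise no longer reachable on the shipped configuration.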
Feedback:
The patch(es) which you have sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully!
Pull request link: https://gitee.com/openeuler/kernel/pulls/1194
Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/J...