Commit 40fbb238 authored by Julius Werner's avatar Julius Werner Committed by Greg Kroah-Hartman

firmware: google: memconsole: Prevent overrun attack on coreboot console

The recent coreboot memory console update (firmware: google: memconsole:
Adapt to new coreboot ring buffer format) introduced a small security
issue in the driver: The new driver implementation parses the memory
console structure again on every access. This is intentional so that
additional lines added concurrently by runtime firmware can be read out.

However, if an attacker can write to the structure, they could increase
the size value to a point where the driver would read potentially
sensitive memory areas from outside the original console buffer during
the next access. This can be done through /dev/mem, since the console
buffer usually resides in firmware-reserved memory that is not covered
by STRICT_DEVMEM.

This patch resolves that problem by reading the buffer's size value only
once during boot (where we can still trust the structure). Other parts
of the structure can still be modified at runtime, but the driver's
bounds checks make sure that it will never read outside the buffer.

Fixes: a5061d02 ("firmware: google: memconsole: Adapt to new coreboot ring buffer format")
Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent b4a338d2
...@@ -26,7 +26,7 @@ ...@@ -26,7 +26,7 @@
/* CBMEM firmware console log descriptor. */ /* CBMEM firmware console log descriptor. */
struct cbmem_cons { struct cbmem_cons {
u32 size; u32 size_dont_access_after_boot;
u32 cursor; u32 cursor;
u8 body[0]; u8 body[0];
} __packed; } __packed;
...@@ -35,6 +35,7 @@ struct cbmem_cons { ...@@ -35,6 +35,7 @@ struct cbmem_cons {
#define OVERFLOW (1 << 31) #define OVERFLOW (1 << 31)
static struct cbmem_cons __iomem *cbmem_console; static struct cbmem_cons __iomem *cbmem_console;
static u32 cbmem_console_size;
/* /*
* The cbmem_console structure is read again on every access because it may * The cbmem_console structure is read again on every access because it may
...@@ -47,7 +48,7 @@ static ssize_t memconsole_coreboot_read(char *buf, loff_t pos, size_t count) ...@@ -47,7 +48,7 @@ static ssize_t memconsole_coreboot_read(char *buf, loff_t pos, size_t count)
{ {
u32 cursor = cbmem_console->cursor & CURSOR_MASK; u32 cursor = cbmem_console->cursor & CURSOR_MASK;
u32 flags = cbmem_console->cursor & ~CURSOR_MASK; u32 flags = cbmem_console->cursor & ~CURSOR_MASK;
u32 size = cbmem_console->size; u32 size = cbmem_console_size;
struct seg { /* describes ring buffer segments in logical order */ struct seg { /* describes ring buffer segments in logical order */
u32 phys; /* physical offset from start of mem buffer */ u32 phys; /* physical offset from start of mem buffer */
u32 len; /* length of segment */ u32 len; /* length of segment */
...@@ -81,8 +82,10 @@ static int memconsole_coreboot_init(phys_addr_t physaddr) ...@@ -81,8 +82,10 @@ static int memconsole_coreboot_init(phys_addr_t physaddr)
if (!tmp_cbmc) if (!tmp_cbmc)
return -ENOMEM; return -ENOMEM;
/* Read size only once to prevent overrun attack through /dev/mem. */
cbmem_console_size = tmp_cbmc->size_dont_access_after_boot;
cbmem_console = memremap(physaddr, cbmem_console = memremap(physaddr,
tmp_cbmc->size + sizeof(*cbmem_console), cbmem_console_size + sizeof(*cbmem_console),
MEMREMAP_WB); MEMREMAP_WB);
memunmap(tmp_cbmc); memunmap(tmp_cbmc);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment