linux/drivers/firmware
Qian Cai 74c953ca5f efi/arm64: Fix debugfs crash by adding a terminator for ptdump marker
When reading 'efi_page_tables' debugfs triggers an out-of-bounds access here:

  arch/arm64/mm/dump.c: 282
  if (addr >= st->marker[1].start_address) {

called from:

  arch/arm64/mm/dump.c: 331
  note_page(st, addr, 2, pud_val(pud));

because st->marker++ is is called after "UEFI runtime end" which is the
last element in addr_marker[]. Therefore, add a terminator like the one
for kernel_page_tables, so it can be skipped to print out non-existent
markers.

Here's the KASAN bug report:

  # cat /sys/kernel/debug/efi_page_tables
  ---[ UEFI runtime start ]---
  0x0000000020000000-0x0000000020010000          64K PTE       RW NX SHD AF ...
  0x0000000020200000-0x0000000021340000       17664K PTE       RW NX SHD AF ...
  ...
  0x0000000021920000-0x0000000021950000         192K PTE       RW x  SHD AF ...
  0x0000000021950000-0x00000000219a0000         320K PTE       RW NX SHD AF ...
  ---[ UEFI runtime end ]---
  ---[ (null) ]---
  ---[ (null) ]---

   BUG: KASAN: global-out-of-bounds in note_page+0x1f0/0xac0
   Read of size 8 at addr ffff2000123f2ac0 by task read_all/42464
   Call trace:
    dump_backtrace+0x0/0x298
    show_stack+0x24/0x30
    dump_stack+0xb0/0xdc
    print_address_description+0x64/0x2b0
    kasan_report+0x150/0x1a4
    __asan_report_load8_noabort+0x30/0x3c
    note_page+0x1f0/0xac0
    walk_pgd+0xb4/0x244
    ptdump_walk_pgd+0xec/0x140
    ptdump_show+0x40/0x50
    seq_read+0x3f8/0xad0
    full_proxy_read+0x9c/0xc0
    __vfs_read+0xfc/0x4c8
    vfs_read+0xec/0x208
    ksys_read+0xd0/0x15c
    __arm64_sys_read+0x84/0x94
    el0_svc_handler+0x258/0x304
    el0_svc+0x8/0xc

  The buggy address belongs to the variable:
   __compound_literal.0+0x20/0x800

  Memory state around the buggy address:
   ffff2000123f2980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   ffff2000123f2a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  >ffff2000123f2a80: fa fa fa fa 00 00 00 00 fa fa fa fa 00 00 00 00
                                            ^
   ffff2000123f2b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   ffff2000123f2b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

[ ardb: fix up whitespace ]
[ mingo: fix up some moar ]

Signed-off-by: Qian Cai <cai@lca.pw>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Fixes: 9d80448ac9 ("efi/arm64: Add debugfs node to dump UEFI runtime page tables")
Link: http://lkml.kernel.org/r/20190202095017.13799-2-ard.biesheuvel@linaro.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2019-02-02 11:27:29 +01:00
..
arm_scmi firmware: arm_scmi: add a getter for power of performance states 2018-09-10 17:37:06 +01:00
broadcom firmware: bcm47xx_nvram: Support small (0x6000 B) NVRAM partitions 2018-04-23 16:39:35 +01:00
efi efi/arm64: Fix debugfs crash by adding a terminator for ptdump marker 2019-02-02 11:27:29 +01:00
google gsmi: Add GSMI commands to log S0ix info 2018-10-15 20:32:26 +02:00
imx firmware: imx: add SCU power domain driver 2018-11-14 09:20:47 +08:00
meson firmware: meson_sm: Add serial number sysfs entry 2018-09-12 20:54:07 -07:00
tegra firmware: tegra: Use in-band messages for firmware version query 2018-11-08 12:49:26 +01:00
xilinx firmware: xilinx: Add zynqmp IOCTL API for device control 2018-10-09 13:26:21 +02:00
arm_scpi.c treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
arm_sdei.c firmware: arm_sdei: Fix DT platform device creation 2019-01-03 18:03:54 +00:00
dmi_scan.c mm: remove include/linux/bootmem.h 2018-10-31 08:54:16 -07:00
dmi-id.c firmware: dmi: Add access to the SKU ID string 2018-06-17 14:09:42 +02:00
dmi-sysfs.c firmware: dmi: handle missing DMI data gracefully 2018-02-03 11:25:20 +01:00
edd.c edd: don't spam log if no EDD information is present 2018-03-27 09:51:23 +02:00
iscsi_ibft_find.c mm: remove include/linux/bootmem.h 2018-10-31 08:54:16 -07:00
iscsi_ibft.c ibft: Deprecate pci_get_bus_and_slot() 2018-01-11 17:26:55 -06:00
Kconfig firmware: add Intel Stratix10 service layer driver 2018-11-26 20:13:50 +01:00
Makefile firmware: add Intel Stratix10 service layer driver 2018-11-26 20:13:50 +01:00
memmap.c drivers/firmware/memmap.c: modify memblock_alloc to memblock_alloc_nopanic 2019-01-04 13:13:46 -08:00
pcdp.c x86, mpparse, x86/acpi, x86/PCI, x86/dmi, SFI: Use memremap() for RAM mappings 2017-07-18 11:37:58 +02:00
pcdp.h
psci_checker.c drivers/firmware: psci_checker: stash and use topology_core_cpumask for hotplug tests 2018-07-26 00:16:58 -07:00
psci.c firmware/psci: Expose SMCCC version through psci_ops 2018-02-06 22:54:11 +00:00
qcom_scm-32.c firmware: qcom: scm: Fix crash in qcom_scm_call_atomic1() 2018-05-24 22:36:45 -05:00
qcom_scm-64.c remoteproc updates for v4.15 2017-11-17 20:14:10 -08:00
qcom_scm.c firmware: qcom: scm: Refactor clock handling 2018-09-14 00:31:52 -05:00
qcom_scm.h remoteproc updates for v4.15 2017-11-17 20:14:10 -08:00
qemu_fw_cfg.c media: headers: fix linux/mod_devicetable.h inclusions 2018-08-02 18:30:54 -04:00
raspberrypi.c firmware: raspberrypi: Switch to SPDX identifier 2018-11-21 14:33:11 +01:00
scpi_pm_domain.c firmware: Convert to using %pOFn instead of device_node.name 2018-10-04 14:16:01 -05:00
stratix10-svc.c firmware: stratix10-svc: fix wrong of_node_put() in init function 2018-12-06 15:42:18 +01:00
ti_sci.c firmware: ti_sci: Provide host-id as an optional dt parameter 2018-08-28 13:22:13 -07:00
ti_sci.h firmware: ti_sci: Switch to SPDX Licensing 2018-05-04 23:10:23 -07:00