提交 b67775e1 编写于 作者: L Linus Torvalds

Merge tag 'efi-urgent-2020-03-15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull EFI fixes from Thomas Gleixner:
 "Two EFI fixes:

   - Prevent a race and buffer overflow in the sysfs efivars interface
     which causes kernel memory corruption.

   - Add the missing NULL pointer checks in efivar_store_raw()"

* tag 'efi-urgent-2020-03-15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  efi: Add a sanity check to efivar_store_raw()
  efi: Fix a race and a buffer overflow while reading efivars via sysfs
...@@ -83,13 +83,16 @@ static ssize_t ...@@ -83,13 +83,16 @@ static ssize_t
efivar_attr_read(struct efivar_entry *entry, char *buf) efivar_attr_read(struct efivar_entry *entry, char *buf)
{ {
struct efi_variable *var = &entry->var; struct efi_variable *var = &entry->var;
unsigned long size = sizeof(var->Data);
char *str = buf; char *str = buf;
int ret;
if (!entry || !buf) if (!entry || !buf)
return -EINVAL; return -EINVAL;
var->DataSize = 1024; ret = efivar_entry_get(entry, &var->Attributes, &size, var->Data);
if (efivar_entry_get(entry, &var->Attributes, &var->DataSize, var->Data)) var->DataSize = size;
if (ret)
return -EIO; return -EIO;
if (var->Attributes & EFI_VARIABLE_NON_VOLATILE) if (var->Attributes & EFI_VARIABLE_NON_VOLATILE)
...@@ -116,13 +119,16 @@ static ssize_t ...@@ -116,13 +119,16 @@ static ssize_t
efivar_size_read(struct efivar_entry *entry, char *buf) efivar_size_read(struct efivar_entry *entry, char *buf)
{ {
struct efi_variable *var = &entry->var; struct efi_variable *var = &entry->var;
unsigned long size = sizeof(var->Data);
char *str = buf; char *str = buf;
int ret;
if (!entry || !buf) if (!entry || !buf)
return -EINVAL; return -EINVAL;
var->DataSize = 1024; ret = efivar_entry_get(entry, &var->Attributes, &size, var->Data);
if (efivar_entry_get(entry, &var->Attributes, &var->DataSize, var->Data)) var->DataSize = size;
if (ret)
return -EIO; return -EIO;
str += sprintf(str, "0x%lx\n", var->DataSize); str += sprintf(str, "0x%lx\n", var->DataSize);
...@@ -133,12 +139,15 @@ static ssize_t ...@@ -133,12 +139,15 @@ static ssize_t
efivar_data_read(struct efivar_entry *entry, char *buf) efivar_data_read(struct efivar_entry *entry, char *buf)
{ {
struct efi_variable *var = &entry->var; struct efi_variable *var = &entry->var;
unsigned long size = sizeof(var->Data);
int ret;
if (!entry || !buf) if (!entry || !buf)
return -EINVAL; return -EINVAL;
var->DataSize = 1024; ret = efivar_entry_get(entry, &var->Attributes, &size, var->Data);
if (efivar_entry_get(entry, &var->Attributes, &var->DataSize, var->Data)) var->DataSize = size;
if (ret)
return -EIO; return -EIO;
memcpy(buf, var->Data, var->DataSize); memcpy(buf, var->Data, var->DataSize);
...@@ -199,6 +208,9 @@ efivar_store_raw(struct efivar_entry *entry, const char *buf, size_t count) ...@@ -199,6 +208,9 @@ efivar_store_raw(struct efivar_entry *entry, const char *buf, size_t count)
u8 *data; u8 *data;
int err; int err;
if (!entry || !buf)
return -EINVAL;
if (in_compat_syscall()) { if (in_compat_syscall()) {
struct compat_efi_variable *compat; struct compat_efi_variable *compat;
...@@ -250,14 +262,16 @@ efivar_show_raw(struct efivar_entry *entry, char *buf) ...@@ -250,14 +262,16 @@ efivar_show_raw(struct efivar_entry *entry, char *buf)
{ {
struct efi_variable *var = &entry->var; struct efi_variable *var = &entry->var;
struct compat_efi_variable *compat; struct compat_efi_variable *compat;
unsigned long datasize = sizeof(var->Data);
size_t size; size_t size;
int ret;
if (!entry || !buf) if (!entry || !buf)
return 0; return 0;
var->DataSize = 1024; ret = efivar_entry_get(entry, &var->Attributes, &datasize, var->Data);
if (efivar_entry_get(entry, &entry->var.Attributes, var->DataSize = datasize;
&entry->var.DataSize, entry->var.Data)) if (ret)
return -EIO; return -EIO;
if (in_compat_syscall()) { if (in_compat_syscall()) {
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册
新手
引导
客服 返回
顶部