From patchwork Mon Apr 10 10:30:38 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 97068 Delivered-To: patch@linaro.org Received: by 10.182.246.10 with SMTP id xs10csp1288556obc; Mon, 10 Apr 2017 03:30:57 -0700 (PDT) X-Received: by 10.84.160.6 with SMTP id n6mr66098714pla.178.1491820256997; Mon, 10 Apr 2017 03:30:56 -0700 (PDT) Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 64si13246290pfl.160.2017.04.10.03.30.56; Mon, 10 Apr 2017 03:30:56 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-efi-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@linaro.org; spf=pass (google.com: best guess record for domain of linux-efi-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-efi-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752659AbdDJKa4 (ORCPT + 2 others); Mon, 10 Apr 2017 06:30:56 -0400 Received: from mail-wr0-f172.google.com ([209.85.128.172]:36505 "EHLO mail-wr0-f172.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751442AbdDJKa4 (ORCPT ); Mon, 10 Apr 2017 06:30:56 -0400 Received: by mail-wr0-f172.google.com with SMTP id c55so72078961wrc.3 for ; Mon, 10 Apr 2017 03:30:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id; bh=x4Oqwf41uFMJoDC2cBDeHLZiRextL2GZLExGckxkUj0=; b=TDVt1zVjYNbpPB4SP2C/rCnmmvIot3hUzmimoGA3MPrsT8SSxWPdbwATzrfcfBrBmc ZD1J/1S0ZVAPvgMpCYdwmdYuC3kKD5TXW9oYY+PbjhpReTzVCHUHHke60TW+dVXGJb9g Uo3pwY1kb/Hq6ucPArfeZZ0Xy5M4G6dIgPjvU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=x4Oqwf41uFMJoDC2cBDeHLZiRextL2GZLExGckxkUj0=; b=FOWNIemEfCPmpU4TNwrigkim9y8tvmrTGSGuGQQYUyseAPrdcDEpvoE04sl4dsCnSA TbiXlIqwi6gzHs/N/0V1ac4ETQfBdz9EB9D95NqtEe/RBu8a73TuMJDk3ccFDRIkArkq IZGvzzeKUYojYB9ptDmwEygX2RgtvevN0HzHshVFofXp+vWh3M62s75Mgh+2RaJjWiXt yD60pATy46qQ06PGvSDWgEPPEyCrPwmIMtv85rfSI0c+cE92jdbQlSsrdzToXu9YYjnR TClg0uOcL2Gc00dO37NNI4zp6S3X8znILf6P5/ZCoels6fDzDmOUQMuPjzB8kTaiUMWd K8Vg== X-Gm-Message-State: AFeK/H0XLawRohp+WfF4lmkEltMzZHZydePAVNt/vLXIhcOcPEZvISj+Ew7aUYvqkFqZ7rOv X-Received: by 10.223.139.146 with SMTP id o18mr46435292wra.61.1491820254570; Mon, 10 Apr 2017 03:30:54 -0700 (PDT) Received: from localhost.localdomain ([196.85.182.219]) by smtp.gmail.com with ESMTPSA id t202sm9712766wmt.3.2017.04.10.03.30.52 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 10 Apr 2017 03:30:53 -0700 (PDT) From: Ard Biesheuvel To: linux-efi@vger.kernel.org Cc: linux-arm-kernel@lists.infradead.org, Ard Biesheuvel , James Morse , Mark Rutland , Catalin Marinas , Matt Fleming , Ingo Molnar Subject: [PATCH] efi/libstub: arm/arm64: don't use TASK_SIZE when randomising the RT space Date: Mon, 10 Apr 2017 11:30:38 +0100 Message-Id: <20170410103038.20117-1-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.9.3 Sender: linux-efi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-efi@vger.kernel.org As reported by James, Catalin and Mark, commit e69176d68d26 ("ef/libstub/arm/arm64: Randomize the base of the UEFI rt services region") results in a crash in the firmware regardless of whether KASLR is in effect or not, and whether the firmware implements EFI_RNG_PROTOCOL or not. Mark has identified the root cause to be the inappropriate use of TASK_SIZE in the stub, which arm64 defines as #define TASK_SIZE (test_thread_flag(TIF_32BIT) ? \ TASK_SIZE_32 : TASK_SIZE_64) and testing thread flags at this point results in the dereference of pointers in uninitialized structures. So instead, introduce a preprocessor symbol EFI_RT_VIRTUAL_LIMIT and define it to TASK_SIZE_64 on arm64 and TASK_SIZE on ARM, both of which are compile time constants. Also, change the 'headroom' variable to static const to force an error if this changes in the future. Cc: James Morse Cc: Mark Rutland Cc: Catalin Marinas Cc: Matt Fleming Cc: Ingo Molnar Signed-off-by: Ard Biesheuvel --- Apologies for the breakage. On the systems I have tested, sp_el0 apparently pointed somewhere sane when I inadvertently dereferenced it, and the resulting addresses looked sufficiently random to me. Ingo, once we have some confirmation that this makes the problem go away, could you please take this straight into efi/core? Thanks. drivers/firmware/efi/libstub/arm-stub.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) -- 2.9.3 -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Tested-by: Mark Rutland Tested-by: James Morse Tested-by: Catalin Marinas diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c index 1e45ec51b094..34010ff3b77e 100644 --- a/drivers/firmware/efi/libstub/arm-stub.c +++ b/drivers/firmware/efi/libstub/arm-stub.c @@ -32,6 +32,12 @@ #define EFI_RT_VIRTUAL_BASE SZ_512M #define EFI_RT_VIRTUAL_SIZE SZ_512M +#ifdef CONFIG_ARM64 +#define EFI_RT_VIRTUAL_LIMIT TASK_SIZE_64 +#else +#define EFI_RT_VIRTUAL_LIMIT TASK_SIZE +#endif + static u64 virtmap_base = EFI_RT_VIRTUAL_BASE; efi_status_t efi_open_volume(efi_system_table_t *sys_table_arg, @@ -236,8 +242,9 @@ unsigned long efi_entry(void *handle, efi_system_table_t *sys_table, * shift of 21 bit positions into account when scaling * the headroom value using a 32-bit random value. */ - u64 headroom = TASK_SIZE - EFI_RT_VIRTUAL_BASE - - EFI_RT_VIRTUAL_SIZE; + static const u64 headroom = EFI_RT_VIRTUAL_LIMIT - + EFI_RT_VIRTUAL_BASE - + EFI_RT_VIRTUAL_SIZE; u32 rnd; status = efi_get_random_bytes(sys_table, sizeof(rnd),