Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP5:GA
xen.14766
5e3bd385-EFI-recheck-variable-name-strings.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 5e3bd385-EFI-recheck-variable-name-strings.patch of Package xen.14766
# Commit ad38db5852f0e30d90c93c6a62b754f2861549e0 # Date 2020-02-06 09:51:17 +0100 # Author Jan Beulich <jbeulich@suse.com> # Committer Jan Beulich <jbeulich@suse.com> EFI: re-check {get,set}-variable name strings after copying in A malicious guest given permission to invoke XENPF_efi_runtime_call may play with the strings underneath Xen sizing them and copying them in. Guard against this by re-checking the copyied in data for consistency with the initial sizing. At the same time also check that the actual copy-in is in fact successful, and switch to the lighter weight non- checking flavor of the function. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: George Dunlap <george.dunlap@citrix.com> --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -27,6 +27,8 @@ struct efi_rs_state { struct efi_rs_state efi_rs_enter(void); void efi_rs_leave(struct efi_rs_state *); +const CHAR16 *wmemchr(const CHAR16 *s, CHAR16 c, UINTN n); + #ifndef COMPAT #ifndef CONFIG_ARM @@ -194,7 +196,18 @@ void efi_reset_system(bool warm) } #endif /* CONFIG_ARM */ -#endif + +const CHAR16 *wmemchr(const CHAR16 *s, CHAR16 c, UINTN n) +{ + while ( n && *s != c ) + { + --n; + ++s; + } + return n ? s : NULL; +} + +#endif /* COMPAT */ #ifndef CONFIG_ARM /* TODO - disabled until implemented on ARM */ int efi_get_info(uint32_t idx, union xenpf_efi_info *info) @@ -468,7 +481,12 @@ int efi_runtime_call(struct xenpf_efi_ru name = xmalloc_array(CHAR16, ++len); if ( !name ) return -ENOMEM; - __copy_from_guest(name, op->u.get_variable.name, len); + if ( __copy_from_guest(name, op->u.get_variable.name, len) || + wmemchr(name, 0, len) != name + len - 1 ) + { + xfree(name); + return -EIO; + } size = op->u.get_variable.size; if ( size ) @@ -516,7 +534,12 @@ int efi_runtime_call(struct xenpf_efi_ru name = xmalloc_array(CHAR16, ++len); if ( !name ) return -ENOMEM; - __copy_from_guest(name, op->u.set_variable.name, len); + if ( __copy_from_guest(name, op->u.set_variable.name, len) || + wmemchr(name, 0, len) != name + len - 1 ) + { + xfree(name); + return -EIO; + } data = xmalloc_bytes(op->u.set_variable.size); if ( !data )
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor