releases/4.19.34/efi-memattr-don-t-bail-on-zero-va-if-it-equals-the-r.patch

   1 From 66a92ecb173c5f1f67d001d17a73a3deb65c5299 Mon Sep 17 00:00:00 2001
   2 From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
   3 Date: Sat, 2 Feb 2019 10:41:12 +0100
   4 Subject: efi/memattr: Don't bail on zero VA if it equals the region's PA
   5
   6 [ Upstream commit 5de0fef0230f3c8d75cff450a71740a7bf2db866 ]
   7
   8 The EFI memory attributes code cross-references the EFI memory map with
   9 the more granular EFI memory attributes table to ensure that they are in
  10 sync before applying the strict permissions to the regions it describes.
  11
  12 Since we always install virtual mappings for the EFI runtime regions to
  13 which these strict permissions apply, we currently perform a sanity check
  14 on the EFI memory descriptor, and ensure that the EFI_MEMORY_RUNTIME bit
  15 is set, and that the virtual address has been assigned.
  16
  17 However, in cases where a runtime region exists at physical address 0x0,
  18 and the virtual mapping equals the physical mapping, e.g., when running
  19 in mixed mode on x86, we encounter a memory descriptor with the runtime
  20 attribute and virtual address 0x0, and incorrectly draw the conclusion
  21 that a runtime region exists for which no virtual mapping was installed,
  22 and give up altogether. The consequence of this is that firmware mappings
  23 retain their read-write-execute permissions, making the system more
  24 vulnerable to attacks.
  25
  26 So let's only bail if the virtual address of 0x0 has been assigned to a
  27 physical region that does not reside at address 0x0.
  28
  29 Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
  30 Acked-by: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
  31 Cc: AKASHI Takahiro <takahiro.akashi@linaro.org>
  32 Cc: Alexander Graf <agraf@suse.de>
  33 Cc: Bjorn Andersson <bjorn.andersson@linaro.org>
  34 Cc: Borislav Petkov <bp@alien8.de>
  35 Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
  36 Cc: Jeffrey Hugo <jhugo@codeaurora.org>
  37 Cc: Lee Jones <lee.jones@linaro.org>
  38 Cc: Leif Lindholm <leif.lindholm@linaro.org>
  39 Cc: Linus Torvalds <torvalds@linux-foundation.org>
  40 Cc: Matt Fleming <matt@codeblueprint.co.uk>
  41 Cc: Peter Jones <pjones@redhat.com>
  42 Cc: Peter Zijlstra <peterz@infradead.org>
  43 Cc: Thomas Gleixner <tglx@linutronix.de>
  44 Cc: linux-efi@vger.kernel.org
  45 Fixes: 10f0d2f577053 ("efi: Implement generic support for the Memory ...")
  46 Link: http://lkml.kernel.org/r/20190202094119.13230-4-ard.biesheuvel@linaro.org
  47 Signed-off-by: Ingo Molnar <mingo@kernel.org>
  48 Signed-off-by: Sasha Levin <sashal@kernel.org>
  49 ---
  50  drivers/firmware/efi/memattr.c | 2 +-
  51  1 file changed, 1 insertion(+), 1 deletion(-)
  52
  53 diff --git a/drivers/firmware/efi/memattr.c b/drivers/firmware/efi/memattr.c
  54 index 8986757eafaf..aac972b056d9 100644
  55 --- a/drivers/firmware/efi/memattr.c
  56 +++ b/drivers/firmware/efi/memattr.c
  57 @@ -94,7 +94,7 @@ static bool entry_is_valid(const efi_memory_desc_t *in, efi_memory_desc_t *out)
  58
  59                 if (!(md->attribute & EFI_MEMORY_RUNTIME))
  60                         continue;
  61 -               if (md->virt_addr == 0) {
  62 +               if (md->virt_addr == 0 && md->phys_addr != 0) {
  63                         /* no virtual mapping has been installed by the stub */
  64                         break;
  65                 }
  66 --
  67 2.19.1
  68