From patchwork Fri Jun 9 08:45:58 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 103444
From: Ard Biesheuvel
To: linux-efi@vger.kernel.org, Ingo Molnar, Thomas Gleixner, "H . Peter Anvin"
Cc: Dave Young, Ard Biesheuvel, linux-kernel@vger.kernel.org, Matt Fleming
Subject: [PATCH] efi: fix boot panic because of invalid bgrt image address
Date: Fri, 9 Jun 2017 08:45:58 +0000
Message-Id: <20170609084558.26766-2-ard.biesheuvel@linaro.org>
In-Reply-To: <20170609084558.26766-1-ard.biesheuvel@linaro.org>
References: <20170609084558.26766-1-ard.biesheuvel@linaro.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Dave Young

Maniaxx reported a kernel boot failure of below:
(emulated the panic by using same invalid phys addr in code)

There is also a bug in bugzilla.kernel.org:
https://bugzilla.kernel.org/show_bug.cgi?id=195633

The reported panic happens after below commit:
7b0a911478c7 efi/x86: Move the EFI BGRT init code to early init code

The root cause is the firmware on those machines provides invalid bgrt
image addresses.

In a kernel before above commit bgrt initializes late and uses ioremap
to map the image address. Ioremap validates the address, if it is not a
valid physical address ioremap just fails and returns. However in current
kernel efi bgrt initializes early and uses early_memremap which does not
validate the image address, and kernel panic happens.

According to ACPI spec the BGRT image address should fall into
EFI_BOOT_SERVICES_DATA, see the section 5.2.22.4 of below document:
http://www.uefi.org/sites/default/files/resources/ACPI_6_1.pdf

Fix this issue by validating the image address in efi_bgrt_init(). If the
image address does not fall into any EFI_BOOT_SERVICES_DATA areas we just
bail out.

BUG: unable to handle kernel paging request at ffffffffff280001
IP: efi_bgrt_init+0xfb/0x153
...
Call Trace:
 ? bgrt_init+0xbc/0xbc
 acpi_parse_bgrt+0xe/0x12
 acpi_table_parse+0x89/0xb8
 acpi_boot_init+0x445/0x4e2
 ? acpi_parse_x2apic+0x79/0x79
 ? dmi_ignore_irq0_timer_override+0x33/0x33
 setup_arch+0xb63/0xc82
 ? early_idt_handler_array+0x120/0x120
 start_kernel+0xb7/0x443
 ? early_idt_handler_array+0x120/0x120
 x86_64_start_reservations+0x29/0x2b
 x86_64_start_kernel+0x154/0x177
 secondary_startup_64+0x9f/0x9f

Fixes: 7b0a911478c7 ("efi/x86: Move the EFI BGRT init code to early init code")
Reported-by: Maniaxx
Signed-off-by: Dave Young
Cc: Matt Fleming
Signed-off-by: Ard Biesheuvel
---
 drivers/firmware/efi/efi-bgrt.c | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

--
2.9.3

diff --git a/drivers/firmware/efi/efi-bgrt.c b/drivers/firmware/efi/efi-bgrt.c index 8bf27323f7a3..b58233e4ed71 100644 --- a/drivers/firmware/efi/efi-bgrt.c +++ b/drivers/firmware/efi/efi-bgrt.c @@ -27,6 +27,26 @@ struct bmp_header { u32 size; } __packed; +static bool efi_bgrt_addr_valid(u64 addr) +{ + efi_memory_desc_t *md; + + for_each_efi_memory_desc(md) { + u64 size; + u64 end; + + if (md->type != EFI_BOOT_SERVICES_DATA) + continue; + + size = md->num_pages << EFI_PAGE_SHIFT; + end = md->phys_addr + size; + if (addr >= md->phys_addr && addr < end) + return true; + } + + return false; +} + void __init efi_bgrt_init(struct acpi_table_header *table) { void *image; @@ -36,7 +56,7 @@ void __init efi_bgrt_init(struct acpi_table_header *table) if (acpi_disabled) return; - if (!efi_enabled(EFI_BOOT)) + if (!efi_enabled(EFI_MEMMAP)) return; if (table->length < sizeof(bgrt_tab)) { @@ -65,6 +85,10 @@ void __init efi_bgrt_init(struct acpi_table_header *table) goto out; } + if (!efi_bgrt_addr_valid(bgrt->image_address)) { + pr_notice("Ignoring BGRT: invalid image address\n"); + goto out; + } image = early_memremap(bgrt->image_address, sizeof(bmp_header)); if (!image) { pr_notice("Ignoring BGRT: failed to map image header memory\n");
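
Review bot: efi_bgrt_addr_valid() in the first hunk (@@ -27,6 +27,26 @@) only tests the first byte of the image. The comparison "addr >= md->phys_addr && addr < end" accepts an address on the last byte of an EFI_BOOT_SERVICES_DATA region, yet the caller goes on to map sizeof(bmp_header) bytes starting there. Consider passing the length to the helper and requiring that addr + len does not exceed end, so the whole mapped range is covered by one descriptor. The helper is only called from the __init function efi_bgrt_init() and could be marked __init as well.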
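
Review bot: The switch from efi_enabled(EFI_BOOT) to efi_enabled(EFI_MEMMAP) in the second hunk (@@ -36,7 +56,7 @@) is not explained in the changelog. Presumably it is needed because the new helper walks the memory map with for_each_efi_memory_desc(), but it also means the BGRT is now ignored whenever the memory map is unavailable, even on an EFI boot. Please state that dependency in the commit message or in a short comment above the check.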
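
Review bot: In the third hunk (@@ -65,6 +85,10 @@) the new pr_notice("Ignoring BGRT: invalid image address\n") does not print the rejected value. This path exists to catch firmware that supplies a bad address, so including bgrt->image_address in the message would make bug reports from affected machines directly usable. A blank line after the closing brace of the new check would also separate it from the early_memremap() call that follows.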