From patchwork Fri Mar 21 19:42:26 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexey Nepomnyashih X-Patchwork-Id: 875320 Received: from mail.nppct.ru (mail.nppct.ru [195.133.245.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1B76918FC75 for ; Fri, 21 Mar 2025 19:42:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.133.245.4 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742586180; cv=none; b=At0x8FavwCR2g4HvJsCF1vNiigmM+WpS1SDIlzHps56GZsTdaG87YDWgTqXWQHmUNjgeZNbDy20tXInJ5viB+FRx4Zm1hF7pT5adeoRRCsrBt4eC00sxsBujsJLx9/y5I+sxaeKvCLmhHCg9oc9mGTvZDT1ttF3gCXKNbX0O1aI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742586180; c=relaxed/simple; bh=r+9rFxKYels7aSBQsUwzD3uvlUggPtmt0su+Trdw/gM=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=VOp75CbXjWOrnyH9jRyDXZtr+weImdTh8sYcp9jVjeigNj7MrpPXieP9JBCe5rA1o8jRDLzM94wk+OY0wq6dzN5VlPvDzQFZAOCFQwqks1otEE+NgjtGqTF3AYUc2Z1Gea+W5tyG3leyxp89XZR/tHx3zGkeNhc6B+rSumgyUg8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nppct.ru; spf=pass smtp.mailfrom=nppct.ru; dkim=pass (1024-bit key) header.d=nppct.ru header.i=@nppct.ru header.b=FyXF57qu; arc=none smtp.client-ip=195.133.245.4 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nppct.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=nppct.ru Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=nppct.ru header.i=@nppct.ru header.b="FyXF57qu" Received: from mail.nppct.ru (localhost [127.0.0.1]) by mail.nppct.ru (Postfix) with ESMTP id 483051C1652 for ; Fri, 21 Mar 2025 22:42:54 +0300 (MSK) Authentication-Results: mail.nppct.ru (amavisd-new); dkim=pass (1024-bit key) reason="pass (just generated, assumed good)" header.d=nppct.ru DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nppct.ru; h= content-transfer-encoding:mime-version:x-mailer:message-id:date :date:subject:subject:to:from:from; s=dkim; t=1742586168; x= 1743450169; bh=r+9rFxKYels7aSBQsUwzD3uvlUggPtmt0su+Trdw/gM=; b=F yXF57qu+nVE4I3OzfK9arvEeOkfdLBPTTT0nJUQdJ4mHovh4+LQgqysnOLcPCVPy 0yrjLoCpRbJzhbDadDtBnpqbG9e1xz8Iza/g1URx304iUdgQWELNKJyEy2pRdpiK cbzmoetkog7Yn9noM2nI0Qr/W4rbO/lAgK19Ttbe9w= X-Virus-Scanned: Debian amavisd-new at mail.nppct.ru Received: from mail.nppct.ru ([127.0.0.1]) by mail.nppct.ru (mail.nppct.ru [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id X65EQhCEjpAN for ; Fri, 21 Mar 2025 22:42:48 +0300 (MSK) Received: from localhost.localdomain (unknown [87.249.24.51]) by mail.nppct.ru (Postfix) with ESMTPSA id 45B8E1C0604; Fri, 21 Mar 2025 22:42:35 +0300 (MSK) From: Alexey Nepomnyashih To: Ard Biesheuvel Cc: Alexey Nepomnyashih , Jeremy Kerr , linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, Jiao Zhou , Matthew Garrett Subject: [PATCH 6.1 v2 1/2] efivarfs: Add uid/gid mount options Date: Fri, 21 Mar 2025 19:42:26 +0000 Message-ID: <20250321194230.1928571-1-sdl@nppct.ru> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-efi@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Jiao Zhou commit 5329aa5101f73c451bcd48deaf3f296685849d9c upstream. Allow UEFI variables to be modified by non-root processes in order to run sandboxed code. This doesn't change the behavior of mounting efivarfs unless uid/gid are specified; by default both are set to root. Signed-off-by: Jiao Zhou Acked-by: Matthew Garrett Signed-off-by: Ard Biesheuvel Signed-off-by: Alexey Nepomnyashih --- fs/efivarfs/inode.c | 4 +++ fs/efivarfs/internal.h | 9 ++++++ fs/efivarfs/super.c | 68 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 81 insertions(+) diff --git a/fs/efivarfs/inode.c b/fs/efivarfs/inode.c index b3dc7ff42400..e93f2afd6741 100644 --- a/fs/efivarfs/inode.c +++ b/fs/efivarfs/inode.c @@ -21,8 +21,12 @@ struct inode *efivarfs_get_inode(struct super_block *sb, dev_t dev, bool is_removable) { struct inode *inode = new_inode(sb); + struct efivarfs_fs_info *fsi = sb->s_fs_info; + struct efivarfs_mount_opts *opts = &fsi->mount_opts; if (inode) { + inode->i_uid = opts->uid; + inode->i_gid = opts->gid; inode->i_ino = get_next_ino(); inode->i_mode = mode; inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode); diff --git a/fs/efivarfs/internal.h b/fs/efivarfs/internal.h index dcb973d8736c..0762c0a1d207 100644 --- a/fs/efivarfs/internal.h +++ b/fs/efivarfs/internal.h @@ -9,6 +9,15 @@ #include #include +struct efivarfs_mount_opts { + kuid_t uid; + kgid_t gid; +}; + +struct efivarfs_fs_info { + struct efivarfs_mount_opts mount_opts; +}; + struct efi_variable { efi_char16_t VariableName[EFI_VAR_NAME_LEN/sizeof(efi_char16_t)]; efi_guid_t VendorGuid; diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c index b8c4641ed152..b4f1c46ea06f 100644 --- a/fs/efivarfs/super.c +++ b/fs/efivarfs/super.c @@ -8,6 +8,7 @@ #include #include #include +#include #include #include #include @@ -24,10 +25,26 @@ static void efivarfs_evict_inode(struct inode *inode) clear_inode(inode); } +static int efivarfs_show_options(struct seq_file *m, struct dentry *root) +{ + struct super_block *sb = root->d_sb; + struct efivarfs_fs_info *sbi = sb->s_fs_info; + struct efivarfs_mount_opts *opts = &sbi->mount_opts; + + if (!uid_eq(opts->uid, GLOBAL_ROOT_UID)) + seq_printf(m, ",uid=%u", + from_kuid_munged(&init_user_ns, opts->uid)); + if (!gid_eq(opts->gid, GLOBAL_ROOT_GID)) + seq_printf(m, ",gid=%u", + from_kgid_munged(&init_user_ns, opts->gid)); + return 0; +} + static const struct super_operations efivarfs_ops = { .statfs = simple_statfs, .drop_inode = generic_delete_inode, .evict_inode = efivarfs_evict_inode, + .show_options = efivarfs_show_options, }; /* @@ -183,6 +200,45 @@ static int efivarfs_destroy(struct efivar_entry *entry, void *data) return 0; } +enum { + Opt_uid, Opt_gid, +}; + +static const struct fs_parameter_spec efivarfs_parameters[] = { + fsparam_u32("uid", Opt_uid), + fsparam_u32("gid", Opt_gid), + {}, +}; + +static int efivarfs_parse_param(struct fs_context *fc, struct fs_parameter *param) +{ + struct efivarfs_fs_info *sbi = fc->s_fs_info; + struct efivarfs_mount_opts *opts = &sbi->mount_opts; + struct fs_parse_result result; + int opt; + + opt = fs_parse(fc, efivarfs_parameters, param, &result); + if (opt < 0) + return opt; + + switch (opt) { + case Opt_uid: + opts->uid = make_kuid(current_user_ns(), result.uint_32); + if (!uid_valid(opts->uid)) + return -EINVAL; + break; + case Opt_gid: + opts->gid = make_kgid(current_user_ns(), result.uint_32); + if (!gid_valid(opts->gid)) + return -EINVAL; + break; + default: + return -EINVAL; + } + + return 0; +} + static int efivarfs_fill_super(struct super_block *sb, struct fs_context *fc) { struct inode *inode = NULL; @@ -236,11 +292,22 @@ static int efivarfs_reconfigure(struct fs_context *fc) static const struct fs_context_operations efivarfs_context_ops = { .get_tree = efivarfs_get_tree, + .parse_param = efivarfs_parse_param, .reconfigure = efivarfs_reconfigure, }; static int efivarfs_init_fs_context(struct fs_context *fc) { + struct efivarfs_fs_info *sfi; + + sfi = kzalloc(sizeof(*sfi), GFP_KERNEL); + if (!sfi) + return -ENOMEM; + + sfi->mount_opts.uid = GLOBAL_ROOT_UID; + sfi->mount_opts.gid = GLOBAL_ROOT_GID; + + fc->s_fs_info = sfi; fc->ops = &efivarfs_context_ops; return 0; } @@ -261,6 +328,7 @@ static struct file_system_type efivarfs_type = { .name = "efivarfs", .init_fs_context = efivarfs_init_fs_context, .kill_sb = efivarfs_kill_sb, + .parameters = efivarfs_parameters, }; static __init int efivarfs_init(void) From patchwork Fri Mar 21 19:42:27 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexey Nepomnyashih X-Patchwork-Id: 875528 Received: from mail.nppct.ru (mail.nppct.ru [195.133.245.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EF74B22F3BD for ; Fri, 21 Mar 2025 19:42:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.133.245.4 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742586181; cv=none; b=hVfKAUps/QiWMQLgl9sneI+VhNoDikrI86oGOSNmVtxheDlX+Dye4/tmp2O2Rvr7H6m2bB8F1mhmhbaMDlUANZfRtOkX58P+EkRZWYobWCqbc/Y64wh1+qmwzZ4m44yo/JFml1WNr4VZh4uyPliTIWyiBwsLYUjMhXhWvCxPA9E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742586181; c=relaxed/simple; bh=IXQN5BTQ19593M6co8XOYDcmJETVcL3hfZgdPxFtgsc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=XHZFr2L0p566XAFPmA8h1JecPbFG5UNM/3KkYYjH2Jvc04bveVXv8xvsj5aS22xaHDCw28ahZCJevVUbqZ8yHa0KBWxWJhJUw2rWl4Gu8eTQNXOULF2x0O+LvsZHtIIDPbJZw31AIl/RdbQwutkYrnn9TdxjdxVW5B+4x4ET5+k= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nppct.ru; spf=pass smtp.mailfrom=nppct.ru; dkim=pass (1024-bit key) header.d=nppct.ru header.i=@nppct.ru header.b=rb1KorFi; arc=none smtp.client-ip=195.133.245.4 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nppct.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=nppct.ru Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=nppct.ru header.i=@nppct.ru header.b="rb1KorFi" Received: from mail.nppct.ru (localhost [127.0.0.1]) by mail.nppct.ru (Postfix) with ESMTP id 284EE1C17AF for ; Fri, 21 Mar 2025 22:42:56 +0300 (MSK) Authentication-Results: mail.nppct.ru (amavisd-new); dkim=pass (1024-bit key) reason="pass (just generated, assumed good)" header.d=nppct.ru DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nppct.ru; h= content-transfer-encoding:mime-version:references:in-reply-to :x-mailer:message-id:date:date:subject:subject:to:from:from; s= dkim; t=1742586175; x=1743450176; bh=IXQN5BTQ19593M6co8XOYDcmJET VcL3hfZgdPxFtgsc=; b=rb1KorFiUrlsky8uVOB4xxcHwjfkYjNQzaY2UTrifmD L58U5/he+wgdXZy7EvqDinIgketwswt63OnctEykSTP+udsCTWYoTTKn1dgkvoe1 lKsPf1ZhZf7TOOQwc4PdEVeHuIUfSqXupnoGmvJdU4RJche5My0RSIn/eKuvqLXY = X-Virus-Scanned: Debian amavisd-new at mail.nppct.ru Received: from mail.nppct.ru ([127.0.0.1]) by mail.nppct.ru (mail.nppct.ru [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id r5CDphd9N2gN for ; Fri, 21 Mar 2025 22:42:55 +0300 (MSK) Received: from localhost.localdomain (unknown [87.249.24.51]) by mail.nppct.ru (Postfix) with ESMTPSA id 1F4821C0604; Fri, 21 Mar 2025 22:42:55 +0300 (MSK) From: Alexey Nepomnyashih To: Ard Biesheuvel Cc: Alexey Nepomnyashih , Jeremy Kerr , linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, syzbot+1902c359bfcaf39c46f2@syzkaller.appspotmail.com, syzbot+246ea4feed277471958a@syzkaller.appspotmail.com Subject: [PATCH 6.1 v2 2/2] efivarfs: Move efivarfs list into superblock s_fs_info Date: Fri, 21 Mar 2025 19:42:27 +0000 Message-ID: <20250321194230.1928571-2-sdl@nppct.ru> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250321194230.1928571-1-sdl@nppct.ru> References: <20250321194230.1928571-1-sdl@nppct.ru> Precedence: bulk X-Mailing-List: linux-efi@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Ard Biesheuvel commit cdb46a8aefbf7fd36772bb206aaaf7e45d7cf8f6 upstream. syzbot reports issues with concurrent fsopen()/fsconfig() invocations on efivarfs, which are the result of the fact that the efivarfs list (which caches the names and GUIDs of existing EFI variables) is a global structure. In normal use, these issues are unlikely to trigger, even in the presence of multiple mounts of efivarfs, but the execution pattern used by the syzkaller reproducer may result in multiple instances of the superblock that share the global efivarfs list, and this causes list corruption when the list is reinitialized by one user while another is traversing it. So let's move the list head into the superblock s_fs_info field, so that it will never be shared between distinct instances of the superblock. In the common case, there will still be a single instance of this list, but in the artificial syzkaller case, no list corruption can occur any longer. Reported-by: syzbot+1902c359bfcaf39c46f2@syzkaller.appspotmail.com Signed-off-by: Ard Biesheuvel Reported-by: syzbot+246ea4feed277471958a@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=246ea4feed277471958a Signed-off-by: Alexey Nepomnyashih --- fs/efivarfs/inode.c | 3 ++- fs/efivarfs/internal.h | 6 +++--- fs/efivarfs/super.c | 19 ++++++++++--------- fs/efivarfs/vars.c | 5 +++-- 4 files changed, 18 insertions(+), 15 deletions(-) diff --git a/fs/efivarfs/inode.c b/fs/efivarfs/inode.c index e93f2afd6741..3b5b956dbf44 100644 --- a/fs/efivarfs/inode.c +++ b/fs/efivarfs/inode.c @@ -77,6 +77,7 @@ static bool efivarfs_valid_name(const char *str, int len) static int efivarfs_create(struct user_namespace *mnt_userns, struct inode *dir, struct dentry *dentry, umode_t mode, bool excl) { + struct efivarfs_fs_info *info = dir->i_sb->s_fs_info; struct inode *inode = NULL; struct efivar_entry *var; int namelen, i = 0, err = 0; @@ -114,7 +115,7 @@ static int efivarfs_create(struct user_namespace *mnt_userns, struct inode *dir, inode->i_private = var; kmemleak_ignore(var); - err = efivar_entry_add(var, &efivarfs_list); + err = efivar_entry_add(var, &info->efivarfs_list); if (err) goto out; diff --git a/fs/efivarfs/internal.h b/fs/efivarfs/internal.h index 0762c0a1d207..0abf4bf2bb73 100644 --- a/fs/efivarfs/internal.h +++ b/fs/efivarfs/internal.h @@ -16,6 +16,7 @@ struct efivarfs_mount_opts { struct efivarfs_fs_info { struct efivarfs_mount_opts mount_opts; + struct list_head efivarfs_list; }; struct efi_variable { @@ -33,7 +34,8 @@ struct efivar_entry { struct kobject kobj; }; -int efivar_init(int (*func)(efi_char16_t *, efi_guid_t, unsigned long, void *), +int efivar_init(int (*func)(efi_char16_t *, efi_guid_t, unsigned long, void *, + struct list_head *), void *data, bool duplicates, struct list_head *head); int efivar_entry_add(struct efivar_entry *entry, struct list_head *head); @@ -63,6 +65,4 @@ extern struct inode *efivarfs_get_inode(struct super_block *sb, const struct inode *dir, int mode, dev_t dev, bool is_removable); -extern struct list_head efivarfs_list; - #endif /* EFIVAR_FS_INTERNAL_H */ diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c index b4f1c46ea06f..71d850bdedfa 100644 --- a/fs/efivarfs/super.c +++ b/fs/efivarfs/super.c @@ -18,8 +18,6 @@ #include "internal.h" -LIST_HEAD(efivarfs_list); - static void efivarfs_evict_inode(struct inode *inode) { clear_inode(inode); @@ -119,7 +117,8 @@ static struct dentry *efivarfs_alloc_dentry(struct dentry *parent, char *name) } static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor, - unsigned long name_size, void *data) + unsigned long name_size, void *data, + struct list_head *list) { struct super_block *sb = (struct super_block *)data; struct efivar_entry *entry; @@ -171,7 +170,7 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor, } __efivar_entry_get(entry, NULL, &size, NULL); - __efivar_entry_add(entry, &efivarfs_list); + __efivar_entry_add(entry, list); /* copied by the above to local storage in the dentry. */ kfree(name); @@ -241,6 +240,7 @@ static int efivarfs_parse_param(struct fs_context *fc, struct fs_parameter *para static int efivarfs_fill_super(struct super_block *sb, struct fs_context *fc) { + struct efivarfs_fs_info *sfi = sb->s_fs_info; struct inode *inode = NULL; struct dentry *root; int err; @@ -266,11 +266,10 @@ static int efivarfs_fill_super(struct super_block *sb, struct fs_context *fc) if (!root) return -ENOMEM; - INIT_LIST_HEAD(&efivarfs_list); - - err = efivar_init(efivarfs_callback, (void *)sb, true, &efivarfs_list); + err = efivar_init(efivarfs_callback, (void *)sb, true, + &sfi->efivarfs_list); if (err) - efivar_entry_iter(efivarfs_destroy, &efivarfs_list, NULL); + efivar_entry_iter(efivarfs_destroy, &sfi->efivarfs_list, NULL); return err; } @@ -304,6 +303,8 @@ static int efivarfs_init_fs_context(struct fs_context *fc) if (!sfi) return -ENOMEM; + INIT_LIST_HEAD(&sfi->efivarfs_list); + sfi->mount_opts.uid = GLOBAL_ROOT_UID; sfi->mount_opts.gid = GLOBAL_ROOT_GID; @@ -319,7 +320,7 @@ static void efivarfs_kill_sb(struct super_block *sb) kill_litter_super(sb); /* Remove all entries and destroy */ - efivar_entry_iter(efivarfs_destroy, &efivarfs_list, NULL); + efivar_entry_iter(efivarfs_destroy, &sfi->efivarfs_list, NULL); kfree(sfi); } diff --git a/fs/efivarfs/vars.c b/fs/efivarfs/vars.c index 13bc60698955..2ad377818d0f 100644 --- a/fs/efivarfs/vars.c +++ b/fs/efivarfs/vars.c @@ -369,7 +369,8 @@ static void dup_variable_bug(efi_char16_t *str16, efi_guid_t *vendor_guid, * * Returns 0 on success, or a kernel error code on failure. */ -int efivar_init(int (*func)(efi_char16_t *, efi_guid_t, unsigned long, void *), +int efivar_init(int (*func)(efi_char16_t *, efi_guid_t, unsigned long, void *, + struct list_head *), void *data, bool duplicates, struct list_head *head) { unsigned long variable_name_size = 512; @@ -421,7 +422,7 @@ int efivar_init(int (*func)(efi_char16_t *, efi_guid_t, unsigned long, void *), status = EFI_NOT_FOUND; } else { err = func(variable_name, vendor_guid, - variable_name_size, data); + variable_name_size, data, head); if (err) status = EFI_NOT_FOUND; }