Re: [PATCH] firmware: Fix security issue with request_firmware_into_buf()

[rishabhb]

On 2018-08-02 14:58, Luis Chamberlain wrote:
> On Wed, Aug 1, 2018, 4:26 PM Rishabh Bhatnagar
> <rishabhb@xxxxxxxxxxxxxx> wrote:
>
> > When calling request_firmware_into_buf() with the FW_OPT_NOCACHE
> > flag
> > it is expected that firmware is loaded into buffer from memory.
> > But inside alloc_lookup_fw_priv every new firmware that is loaded is
> > added to the firmware cache (fwc) list head. So if any driver
> > requests
> > a firmware that is already loaded the code iterates over the above
> > mentioned list and it can end up giving a pointer to other device
> > driver's
> > firmware buffer.
> > Also the existing copy may either be modified by drivers, remote
> > processors
> > or even freed. This causes a potential security issue with batched
> > requests
> > when using request_firmware_into_buf.
> >
> > Fix alloc_lookup_fw_priv to not add to the fwc head list if
> > FW_OPT_NOCACHE
> > is set, and also don't do the lookup in the list.
> >
> > Fixes: 0e742e9275 ("firmware: provide infrastructure to make fw
> > caching optional")
> >
> > Signed-off-by: Vikram Mulukutla <markivx@xxxxxxxxxxxxxx>
> > Signed-off-by: Rishabh Bhatnagar <rishabhb@xxxxxxxxxxxxxx>
> > ---
>
> Did you test with the tools/testing/selftests/firmware/ scripts? If
> not please do so and report back and confirm no regressions are found.
>
> Brownie points for you to add a test case to show the issue
> highlighted in this patch, and which it fixes. I believe this fix
> should be pushed to stable, so I'll do that after you confirm no
> regressions were found.
>
> The new selftests changed you'd make would not go to stable, however
> there are Linux distributions and 0day that test the latest tools
> directory against older kernels. So this test would help capture gaps
> later.
>
>   Luis

I ran the selftests and observed no regressions with this change.
I'm still working on adding a test case though.

-Rishabh