]> git.baikalelectronics.ru Git - kernel.git/commit
firmware: Fix security issue with request_firmware_into_buf()
authorRishabh Bhatnagar <rishabhb@codeaurora.org>
Fri, 31 Aug 2018 15:43:31 +0000 (08:43 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 12 Sep 2018 07:31:00 +0000 (09:31 +0200)
commit4649279e921967ee381d110ab1497d4762986d53
treee9d435631e8f0dcf969d10eea5528e61389c8883
parentea67be676cd00dd9749231e9bd201e5f0ec98bab
firmware: Fix security issue with request_firmware_into_buf()

When calling request_firmware_into_buf() with the FW_OPT_NOCACHE flag
it is expected that firmware is loaded into buffer from memory.
But inside alloc_lookup_fw_priv every new firmware that is loaded is
added to the firmware cache (fwc) list head. So if any driver requests
a firmware that is already loaded the code iterates over the above
mentioned list and it can end up giving a pointer to other device driver's
firmware buffer.
Also the existing copy may either be modified by drivers, remote processors
or even freed. This causes a potential security issue with batched requests
when using request_firmware_into_buf.

Fix alloc_lookup_fw_priv to not add to the fwc head list if FW_OPT_NOCACHE
is set, and also don't do the lookup in the list.

Fixes: 3a33a976be ("firmware: provide infrastructure to make fw caching optional")
[mcgrof: broken since feature introduction on v4.8]

Cc: stable@vger.kernel.org # v4.8+
Signed-off-by: Vikram Mulukutla <markivx@codeaurora.org>
Signed-off-by: Rishabh Bhatnagar <rishabhb@codeaurora.org>
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/base/firmware_loader/main.c