1 files changed, 196 insertions, 0 deletions
diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c
index d25599f2a3f8..47408e802ab6 100644
--- a/drivers/firmware/efivars.c
+++ b/drivers/firmware/efivars.c
@@ -191,6 +191,190 @@ utf16_strncmp(const efi_char16_t *a, const efi_char16_t *b, size_t len)
        }
 }
+static bool
+validate_device_path(struct efi_variable *var, int match, u8 *buffer,
+                     unsigned long len)
+{
+        struct efi_generic_dev_path *node;
+        int offset = 0;
+        node = (struct efi_generic_dev_path *)buffer;
+        if (len < sizeof(*node))
+                return false;
+        while (offset <= len - sizeof(*node) &&
+               node->length >= sizeof(*node) &&
+                node->length <= len - offset) {
+                offset += node->length;
+                if ((node->type == EFI_DEV_END_PATH ||
+                     node->type == EFI_DEV_END_PATH2) &&
+                    node->sub_type == EFI_DEV_END_ENTIRE)
+                        return true;
+                node = (struct efi_generic_dev_path *)(buffer + offset);
+        }
+        /*
+         * If we're here then either node->length pointed past the end
+         * of the buffer or we reached the end of the buffer without
+         * finding a device path end node.
+         */
+        return false;
+}
+static bool
+validate_boot_order(struct efi_variable *var, int match, u8 *buffer,
+                    unsigned long len)
+{
+        /* An array of 16-bit integers */
+        if ((len % 2) != 0)
+                return false;
+        return true;
+}
+static bool
+validate_load_option(struct efi_variable *var, int match, u8 *buffer,
+                     unsigned long len)
+{
+        u16 filepathlength;
+        int i, desclength = 0, namelen;
+        namelen = utf16_strnlen(var->VariableName, sizeof(var->VariableName));
+        /* Either "Boot" or "Driver" followed by four digits of hex */
+        for (i = match; i < match+4; i++) {
+                if (var->VariableName[i] > 127 ||
+                    hex_to_bin(var->VariableName[i] & 0xff) < 0)
+                        return true;
+        }
+        /* Reject it if there's 4 digits of hex and then further content */
+        if (namelen > match + 4)
+                return false;
+        /* A valid entry must be at least 8 bytes */
+        if (len < 8)
+                return false;
+        filepathlength = buffer[4] | buffer[5] << 8;
+        /*
+         * There's no stored length for the description, so it has to be
+         * found by hand
+         */
+        desclength = utf16_strsize((efi_char16_t *)(buffer + 6), len - 6) + 2;
+        /* Each boot entry must have a descriptor */
+        if (!desclength)
+                return false;
+        /*
+         * If the sum of the length of the description, the claimed filepath
+         * length and the original header are greater than the length of the
+         * variable, it's malformed
+         */
+        if ((desclength + filepathlength + 6) > len)
+                return false;
+        /*
+         * And, finally, check the filepath
+         */
+        return validate_device_path(var, match, buffer + desclength + 6,
+                                    filepathlength);
+}
+static bool
+validate_uint16(struct efi_variable *var, int match, u8 *buffer,
+                unsigned long len)
+{
+        /* A single 16-bit integer */
+        if (len != 2)
+                return false;
+        return true;
+}
+static bool
+validate_ascii_string(struct efi_variable *var, int match, u8 *buffer,
+                      unsigned long len)
+{
+        int i;
+        for (i = 0; i < len; i++) {
+                if (buffer[i] > 127)
+                        return false;
+                if (buffer[i] == 0)
+                        return true;
+        }
+        return false;
+}
+struct variable_validate {
+        char *name;
+        bool (*validate)(struct efi_variable *var, int match, u8 *data,
+                         unsigned long len);
+};
+static const struct variable_validate variable_validate[] = {
+        { "BootNext", validate_uint16 },
+        { "BootOrder", validate_boot_order },
+        { "DriverOrder", validate_boot_order },
+        { "Boot*", validate_load_option },
+        { "Driver*", validate_load_option },
+        { "ConIn", validate_device_path },
+        { "ConInDev", validate_device_path },
+        { "ConOut", validate_device_path },
+        { "ConOutDev", validate_device_path },
+        { "ErrOut", validate_device_path },
+        { "ErrOutDev", validate_device_path },
+        { "Timeout", validate_uint16 },
+        { "Lang", validate_ascii_string },
+        { "PlatformLang", validate_ascii_string },
+        { "", NULL },
+};
+static bool
+validate_var(struct efi_variable *var, u8 *data, unsigned long len)
+{
+        int i;
+        u16 *unicode_name = var->VariableName;
+        for (i = 0; variable_validate[i].validate != NULL; i++) {
+                const char *name = variable_validate[i].name;
+                int match;
+                for (match = 0; ; match++) {
+                        char c = name[match];
+                        u16 u = unicode_name[match];
+                        /* All special variables are plain ascii */
+                        if (u > 127)
+                                return true;
+                        /* Wildcard in the matching name means we've matched */
+                        if (c == '*')
+                                return variable_validate[i].validate(var,
+                                                             match, data, len);
+                        /* Case sensitive match */
+                        if (c != u)
+                                break;
+                        /* Reached the end of the string while matching */
+                        if (!c)
+                                return variable_validate[i].validate(var,
+                                                             match, data, len);
+                }
+        }
+        return true;
+}
 static efi_status_t
 get_var_data_locked(struct efivars *efivars, struct efi_variable *var)
 {
@@ -324,6 +508,12 @@ efivar_store_raw(struct efivar_entry *entry, const char *buf, size_t count)
                return -EINVAL;
        }
+        if ((new_var->Attributes & ~EFI_VARIABLE_MASK) != 0 ||
+            validate_var(new_var, new_var->Data, new_var->DataSize) == false) {
+                printk(KERN_ERR "efivars: Malformed variable content\n");
+                return -EINVAL;
+        }
        spin_lock(&efivars->lock);
        status = efivars->ops->set_variable(new_var->VariableName,
                                            &new_var->VendorGuid,
@@ -626,6 +816,12 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj,
        if (!capable(CAP_SYS_ADMIN))
                return -EACCES;
+        if ((new_var->Attributes & ~EFI_VARIABLE_MASK) != 0 ||
+            validate_var(new_var, new_var->Data, new_var->DataSize) == false) {
+                printk(KERN_ERR "efivars: Malformed variable content\n");
+                return -EINVAL;
+        }
        spin_lock(&efivars->lock);
        /*

diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c index d25599f2a3f8..47408e802ab6 100644 --- a/drivers/firmware/efivars.c +++ b/drivers/firmware/efivars.c
@@ -191,6 +191,190 @@ utf16_strncmp(const efi_char16_t a, const efi_char16_t b, size_t len)
191	}	191	}
192	}	192	}
193		193
		194	static bool
		195	validate_device_path(struct efi_variable var, int match, u8 buffer,
		196	unsigned long len)
		197	{
		198	struct efi_generic_dev_path *node;
		199	int offset = 0;
		200
		201	node = (struct efi_generic_dev_path *)buffer;
		202
		203	if (len < sizeof(*node))
		204	return false;
		205
		206	while (offset <= len - sizeof(*node) &&
		207	node->length >= sizeof(*node) &&
		208	node->length <= len - offset) {
		209	offset += node->length;
		210
		211	if ((node->type == EFI_DEV_END_PATH \|\|
		212	node->type == EFI_DEV_END_PATH2) &&
		213	node->sub_type == EFI_DEV_END_ENTIRE)
		214	return true;
		215
		216	node = (struct efi_generic_dev_path *)(buffer + offset);
		217	}
		218
		219	/*
		220	* If we're here then either node->length pointed past the end
		221	* of the buffer or we reached the end of the buffer without
		222	* finding a device path end node.
		223	*/
		224	return false;
		225	}
		226
		227	static bool
		228	validate_boot_order(struct efi_variable var, int match, u8 buffer,
		229	unsigned long len)
		230	{
		231	/* An array of 16-bit integers */
		232	if ((len % 2) != 0)
		233	return false;
		234
		235	return true;
		236	}
		237
		238	static bool
		239	validate_load_option(struct efi_variable var, int match, u8 buffer,
		240	unsigned long len)
		241	{
		242	u16 filepathlength;
		243	int i, desclength = 0, namelen;
		244
		245	namelen = utf16_strnlen(var->VariableName, sizeof(var->VariableName));
		246
		247	/* Either "Boot" or "Driver" followed by four digits of hex */
		248	for (i = match; i < match+4; i++) {
		249	if (var->VariableName[i] > 127 \|\|
		250	hex_to_bin(var->VariableName[i] & 0xff) < 0)
		251	return true;
		252	}
		253
		254	/* Reject it if there's 4 digits of hex and then further content */
		255	if (namelen > match + 4)
		256	return false;
		257
		258	/* A valid entry must be at least 8 bytes */
		259	if (len < 8)
		260	return false;
		261
		262	filepathlength = buffer[4] \| buffer[5] << 8;
		263
		264	/*
		265	* There's no stored length for the description, so it has to be
		266	* found by hand
		267	*/
		268	desclength = utf16_strsize((efi_char16_t *)(buffer + 6), len - 6) + 2;
		269
		270	/* Each boot entry must have a descriptor */
		271	if (!desclength)
		272	return false;
		273
		274	/*
		275	* If the sum of the length of the description, the claimed filepath
		276	* length and the original header are greater than the length of the
		277	* variable, it's malformed
		278	*/
		279	if ((desclength + filepathlength + 6) > len)
		280	return false;
		281
		282	/*
		283	* And, finally, check the filepath
		284	*/
		285	return validate_device_path(var, match, buffer + desclength + 6,
		286	filepathlength);
		287	}
		288
		289	static bool
		290	validate_uint16(struct efi_variable var, int match, u8 buffer,
		291	unsigned long len)
		292	{
		293	/* A single 16-bit integer */
		294	if (len != 2)
		295	return false;
		296
		297	return true;
		298	}
		299
		300	static bool
		301	validate_ascii_string(struct efi_variable var, int match, u8 buffer,
		302	unsigned long len)
		303	{
		304	int i;
		305
		306	for (i = 0; i < len; i++) {
		307	if (buffer[i] > 127)
		308	return false;
		309
		310	if (buffer[i] == 0)
		311	return true;
		312	}
		313
		314	return false;
		315	}
		316
		317	struct variable_validate {
		318	char *name;
		319	bool (validate)(struct efi_variable var, int match, u8 *data,
		320	unsigned long len);
		321	};
		322
		323	static const struct variable_validate variable_validate[] = {
		324	{ "BootNext", validate_uint16 },
		325	{ "BootOrder", validate_boot_order },
		326	{ "DriverOrder", validate_boot_order },
		327	{ "Boot*", validate_load_option },
		328	{ "Driver*", validate_load_option },
		329	{ "ConIn", validate_device_path },
		330	{ "ConInDev", validate_device_path },
		331	{ "ConOut", validate_device_path },
		332	{ "ConOutDev", validate_device_path },
		333	{ "ErrOut", validate_device_path },
		334	{ "ErrOutDev", validate_device_path },
		335	{ "Timeout", validate_uint16 },
		336	{ "Lang", validate_ascii_string },
		337	{ "PlatformLang", validate_ascii_string },
		338	{ "", NULL },
		339	};
		340
		341	static bool
		342	validate_var(struct efi_variable var, u8 data, unsigned long len)
		343	{
		344	int i;
		345	u16 *unicode_name = var->VariableName;
		346
		347	for (i = 0; variable_validate[i].validate != NULL; i++) {
		348	const char *name = variable_validate[i].name;
		349	int match;
		350
		351	for (match = 0; ; match++) {
		352	char c = name[match];
		353	u16 u = unicode_name[match];
		354
		355	/* All special variables are plain ascii */
		356	if (u > 127)
		357	return true;
		358
		359	/* Wildcard in the matching name means we've matched */
		360	if (c == '*')
		361	return variable_validate[i].validate(var,
		362	match, data, len);
		363
		364	/* Case sensitive match */
		365	if (c != u)
		366	break;
		367
		368	/* Reached the end of the string while matching */
		369	if (!c)
		370	return variable_validate[i].validate(var,
		371	match, data, len);
		372	}
		373	}
		374
		375	return true;
		376	}
		377
194	static efi_status_t	378	static efi_status_t
195	get_var_data_locked(struct efivars efivars, struct efi_variable var)	379	get_var_data_locked(struct efivars efivars, struct efi_variable var)
196	{	380	{
@@ -324,6 +508,12 @@ efivar_store_raw(struct efivar_entry entry, const char buf, size_t count)
324	return -EINVAL;	508	return -EINVAL;
325	}	509	}
326		510
		511	if ((new_var->Attributes & ~EFI_VARIABLE_MASK) != 0 \|\|
		512	validate_var(new_var, new_var->Data, new_var->DataSize) == false) {
		513	printk(KERN_ERR "efivars: Malformed variable content\n");
		514	return -EINVAL;
		515	}
		516
327	spin_lock(&efivars->lock);	517	spin_lock(&efivars->lock);
328	status = efivars->ops->set_variable(new_var->VariableName,	518	status = efivars->ops->set_variable(new_var->VariableName,
329	&new_var->VendorGuid,	519	&new_var->VendorGuid,
@@ -626,6 +816,12 @@ static ssize_t efivar_create(struct file filp, struct kobject kobj,
626	if (!capable(CAP_SYS_ADMIN))	816	if (!capable(CAP_SYS_ADMIN))
627	return -EACCES;	817	return -EACCES;
628		818
		819	if ((new_var->Attributes & ~EFI_VARIABLE_MASK) != 0 \|\|
		820	validate_var(new_var, new_var->Data, new_var->DataSize) == false) {
		821	printk(KERN_ERR "efivars: Malformed variable content\n");
		822	return -EINVAL;
		823	}
		824
629	spin_lock(&efivars->lock);	825	spin_lock(&efivars->lock);
630		826
631	/*	827	/*