On 12/24/2012 07:00 PM, joeyli wrote:
> On Fri, 2012-12-21 at 19:05 +0800, Lingzhu Xiang wrote:
>> The following reproducer triggers certain bugs in efivarfs_file_write.
>>
>> #!/bin/bash
>> p=/sys/firmware/efi/efivars
>> mount -t efivarfs - $p
>> cat $p/Lang-*>$p/test-12341234-1234-1234-1234-123412341234
>> umount $p
>> mount -t efivarfs - $p
>> echo -en "\0\0\0\0">$p/test-12341234-1234-1234-1234-123412341234
>
> The problem is the EFI_VARIABLE_MASK check in efivars.c, which is not enough
> to deny the use of 0x00000000 attributes.
>
> Per the UEFI spec, a runtime variable needs at least the attributes
> EFI_VARIABLE_BOOTSERVICE_ACCESS and EFI_VARIABLE_RUNTIME_ACCESS.
> Otherwise the UEFI BIOS will hit an unexpected error.
>
> Please try the following patch.

Thank you for your patch.

Per the UEFI spec, echo -en "\0\0\0\0" should be equivalent to deleting. This
is what efivarfs_unlink is doing, but I wanted to avoid its underflowing when
reproducing this.

This still reproduces the bug and passes the check in your patch:

echo -en "\x07\0\0\0" >$p/test-12341234-1234-1234-1234-123412341234

> diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c
> index 7b1c374..7aeb4a5 100644
> --- a/drivers/firmware/efivars.c
> +++ b/drivers/firmware/efivars.c
> @@ -706,6 +706,10 @@ static ssize_t efivarfs_file_write(struct file *file,
> if (attributes& ~(EFI_VARIABLE_MASK))
> return -EINVAL;
>
> + if (!((attributes& EFI_VARIABLE_BOOTSERVICE_ACCESS)&&
> + (attributes& EFI_VARIABLE_RUNTIME_ACCESS)))
> + return -EINVAL;
> +
> efivars = var->efivars;

--
Lingzhu Xiang
--
To unsubscribe from this list: send the line "unsubscribe linux-efi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
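Review bot: the added access-bit check rejects an all-zero attribute word but does not cover the case reported in the reply above: a write whose attribute word is valid (0x00000007) and whose data length is zero passes both `if (attributes& ~(EFI_VARIABLE_MASK))` and the new `if (!((attributes& EFI_VARIABLE_BOOTSERVICE_ACCESS)&& (attributes& EFI_VARIABLE_RUNTIME_ACCESS)))`, so the hunk still lets the zero-length write reach the code after `efivars = var->efivars;`. The write path needs to treat a zero-length data write explicitly, either refusing it with -EINVAL or taking the same delete path that efivarfs_unlink takes, rather than relying on attribute validation alone. A smaller point: a one-line comment above the new check citing the UEFI requirement that a runtime variable carry both BOOTSERVICE_ACCESS and RUNTIME_ACCESS would spare the next reader from wondering why a BOOTSERVICE-only attribute word is refused.

As an added illustration, not code from this thread or from the kernel, the following C function applies the efivarfs write layout the thread discusses (a 4-byte little-endian attribute word followed by the variable data), runs the existing EFI_VARIABLE_MASK check and the patch's access-bit check, and then classifies the write. The UEFI attribute bit values are the standard ones; the 0x7f mask, the function name and the enum are assumptions of this example.

```c
/* Added example (not kernel code): validate and classify an efivarfs
 * write payload as discussed in the thread. Attribute bit values are the
 * UEFI ones; the mask value is this example's assumption of the kernel's
 * EFI_VARIABLE_MASK (OR of the seven defined bits). */
#include <stddef.h>
#include <stdint.h>

#define EFI_VARIABLE_NON_VOLATILE                          0x01u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS                    0x02u
#define EFI_VARIABLE_RUNTIME_ACCESS                        0x04u
#define EFI_VARIABLE_HARDWARE_ERROR_RECORD                 0x08u
#define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS            0x10u
#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x20u
#define EFI_VARIABLE_APPEND_WRITE                          0x40u
#define EFI_VARIABLE_MASK                                  0x7fu /* assumed */

enum write_kind { WRITE_INVALID = -1, WRITE_DELETE = 0, WRITE_DATA = 1 };

/* Classify a write of `count` bytes starting at `buf`.
 * WRITE_INVALID: too short, bits outside the mask, or (the patch's check)
 *                missing BOOTSERVICE_ACCESS or RUNTIME_ACCESS.
 * WRITE_DELETE:  attribute word is acceptable but no data follows; per the
 *                UEFI spec a zero DataSize means "delete the variable", the
 *                case the reply above reproduces with "\x07\0\0\0".
 * WRITE_DATA:    attribute word acceptable and at least one data byte.
 * On WRITE_DELETE / WRITE_DATA, *attrs and *datasize are filled in. */
enum write_kind classify_efivarfs_write(const unsigned char *buf, size_t count,
                                         uint32_t *attrs, size_t *datasize)
{
    uint32_t a;

    if (count < 4)                      /* kernel: count < sizeof(attributes) */
        return WRITE_INVALID;

    /* Decode the attribute word byte-wise so host endianness does not matter. */
    a = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
        ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);

    if (a & ~EFI_VARIABLE_MASK)         /* existing check in efivarfs_file_write */
        return WRITE_INVALID;
    if (!((a & EFI_VARIABLE_BOOTSERVICE_ACCESS) &&
          (a & EFI_VARIABLE_RUNTIME_ACCESS)))   /* check added by the patch */
        return WRITE_INVALID;

    *attrs = a;
    *datasize = count - 4;
    return *datasize == 0 ? WRITE_DELETE : WRITE_DATA;
}
```

The two reproducer payloads from the thread give WRITE_INVALID for "\0\0\0\0" and WRITE_DELETE for "\x07\0\0\0", which is exactly the gap the reply points out: attribute validation alone does not decide what a zero-length write must do.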