On Sat, 18 Jan 2020 at 07:30, Qian Cai <cai@xxxxxx> wrote:
>
> The commit 698294704573 ("efi/x86: Split SetVirtualAddresMap() wrappers
> into 32 and 64 bit versions") introduced a KASAN error during boot,
>
> BUG: KASAN: user-memory-access in efi_set_virtual_address_map+0x4d3/0x574
> Read of size 8 at addr 00000000788fee50 by task swapper/0/0
>
> Hardware name: HP ProLiant XL450 Gen9 Server/ProLiant XL450 Gen9
> Server, BIOS U21 05/05/2016
> Call Trace:
>  dump_stack+0xa0/0xea
>  __kasan_report.cold.8+0xb0/0xc0
>  kasan_report+0x12/0x20
>  __asan_load8+0x71/0xa0
>  efi_set_virtual_address_map+0x4d3/0x574
>  efi_enter_virtual_mode+0x5f3/0x64e
>  start_kernel+0x53a/0x5dc
>  x86_64_start_reservations+0x24/0x26
>  x86_64_start_kernel+0xf4/0xfb
>  secondary_startup_64+0xb6/0xc0
>
> It points to this line,
>
> status = efi_call(efi.systab->runtime->set_virtual_address_map,
>
> efi.systab->runtime's address is 00000000788fee18 which is an address in
> EFI runtime service and does not have a KASAN shadow page. Fix it by
> doing a copy_from_user() first instead.
>

Can't we just use READ_ONCE_NOCHECK() instead?

> Fixes: 698294704573 ("efi/x86: Split SetVirtualAddresMap() wrappers into 32 and 64 bit versions")
> Signed-off-by: Qian Cai <cai@xxxxxx>
> ---
>  arch/x86/platform/efi/efi_64.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
> index 515eab388b56..d6712c9cb9d8 100644
> --- a/arch/x86/platform/efi/efi_64.c
> +++ b/arch/x86/platform/efi/efi_64.c
> @@ -1023,6 +1023,7 @@ efi_status_t __init efi_set_virtual_address_map(unsigned long memory_map_size,
>  					      u32 descriptor_version,
>  					      efi_memory_desc_t *virtual_map)
>  {
> +	efi_runtime_services_t runtime;
>  	efi_status_t status;
>  	unsigned long flags;
>  	pgd_t *save_pgd = NULL;
> @@ -1041,13 +1042,15 @@ efi_status_t __init efi_set_virtual_address_map(unsigned long memory_map_size,
>  		efi_switch_mm(&efi_mm);
>  	}
>
> +	if (copy_from_user(&runtime, efi.systab->runtime, sizeof(runtime)))
> +		return EFI_ABORTED;
> +
>  	kernel_fpu_begin();
>
>  	/* Disable interrupts around EFI calls: */
>  	local_irq_save(flags);
> -	status = efi_call(efi.systab->runtime->set_virtual_address_map,
> -			  memory_map_size, descriptor_size,
> -			  descriptor_version, virtual_map);
> +	status = efi_call(runtime.set_virtual_address_map, memory_map_size,
> +			  descriptor_size, descriptor_version, virtual_map);
>  	local_irq_restore(flags);
>
>  	kernel_fpu_end();
> --
> 2.21.0 (Apple Git-122.2)
>
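Review bot: in the first hunk (`@@ -1023,6 +1023,7 @@`), the new local `efi_runtime_services_t runtime;` puts a copy of the whole runtime services table on the stack of this __init function, although the second hunk reads only `runtime.set_virtual_address_map` from it; a single function-pointer local holding that one entry would be enough and would make the copy in the second hunk a single word-sized read rather than `sizeof(runtime)` bytes.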
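Review bot: in the second hunk (`@@ -1041,13 +1042,15 @@`), the new early exit `return EFI_ABORTED;` sits after `efi_switch_mm(&efi_mm);` in the preceding context and before anything switches back, so on the failure path the function returns with the EFI mm still active (and `save_pgd` never restored); the read should either happen before the mm switch or the failure should go through the function's existing unwinding rather than a bare return. Beyond that, copy_from_user() is the wrong primitive for this pointer: as the commit message itself says, `efi.systab->runtime` is an address inside the EFI runtime services region, mapped by the kernel's EFI page tables, not a user-space pointer, so routing it through the user-access path (access_ok() range check, user-fault fixup, and the implied reads happening under the EFI mm) gives misleading semantics for what is really a KASAN-instrumentation problem. The suggestion in the reply above, reading the single `set_virtual_address_map` entry with READ_ONCE_NOCHECK(), bypasses the instrumentation on that one load without any of this, and removes the need for the new struct copy and the error path entirely.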