This is a note to let you know that I've just added the patch titled
arm64: efi: Limit allocations to 48-bit addressable physical region
to the 6.1-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
arm64-efi-limit-allocations-to-48-bit-addressable-physical-region.patch
and it can be found in the queue-6.1 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From stable+bounces-25894-greg=kroah.com@xxxxxxxxxxxxxxx Mon Mar 4 12:20:47 2024
From: Ard Biesheuvel <ardb+git@xxxxxxxxxx>
Date: Mon, 4 Mar 2024 12:19:39 +0100
Subject: arm64: efi: Limit allocations to 48-bit addressable physical region
To: stable@xxxxxxxxxxxxxxx
Cc: linux-efi@xxxxxxxxxxxxxxx, Ard Biesheuvel <ardb@xxxxxxxxxx>
Message-ID: <20240304111937.2556102-21-ardb+git@xxxxxxxxxx>
From: Ard Biesheuvel <ardb+git@xxxxxxxxxx>
From: Ard Biesheuvel <ardb@xxxxxxxxxx>
[ Commit a37dac5c5dcfe0f1fd58513c16cdbc280a47f628 upstream ]
The UEFI spec does not mention or reason about the configured size of
the virtual address space at all, but it does mention that all memory
should be identity mapped using a page size of 4 KiB.
This means that a LPA2 capable system that has any system memory outside
of the 48-bit addressable physical range and follows the spec to the
letter may serve page allocation requests from regions of memory that
the kernel cannot access unless it was built with LPA2 support and
enables it at runtime.
So let's ensure that all page allocations are limited to the 48-bit
range.
Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
arch/arm64/include/asm/efi.h | 1 +
drivers/firmware/efi/libstub/alignedmem.c | 2 ++
drivers/firmware/efi/libstub/arm64-stub.c | 5 +++--
drivers/firmware/efi/libstub/efistub.h | 4 ++++
drivers/firmware/efi/libstub/mem.c | 2 ++
drivers/firmware/efi/libstub/randomalloc.c | 2 +-
6 files changed, 13 insertions(+), 3 deletions(-)
--- a/arch/arm64/include/asm/efi.h
+++ b/arch/arm64/include/asm/efi.h
@@ -103,6 +103,7 @@ static inline void free_screen_info(stru
}
#define EFI_ALLOC_ALIGN SZ_64K
+#define EFI_ALLOC_LIMIT ((1UL << 48) - 1)
/*
* On ARM systems, virtually remapped UEFI runtime services are set up in two
--- a/drivers/firmware/efi/libstub/alignedmem.c
+++ b/drivers/firmware/efi/libstub/alignedmem.c
@@ -29,6 +29,8 @@ efi_status_t efi_allocate_pages_aligned(
efi_status_t status;
int slack;
+ max = min(max, EFI_ALLOC_LIMIT);
+
if (align < EFI_ALLOC_ALIGN)
align = EFI_ALLOC_ALIGN;
--- a/drivers/firmware/efi/libstub/arm64-stub.c
+++ b/drivers/firmware/efi/libstub/arm64-stub.c
@@ -191,10 +191,11 @@ efi_status_t handle_kernel_image(unsigne
if (status != EFI_SUCCESS) {
if (!check_image_region((u64)_text, kernel_memsize)) {
efi_err("FIRMWARE BUG: Image BSS overlaps adjacent EFI memory region\n");
- } else if (IS_ALIGNED((u64)_text, min_kimg_align)) {
+ } else if (IS_ALIGNED((u64)_text, min_kimg_align) &&
+ (u64)_end < EFI_ALLOC_LIMIT) {
/*
* Just execute from wherever we were loaded by the
- * UEFI PE/COFF loader if the alignment is suitable.
+ * UEFI PE/COFF loader if the placement is suitable.
*/
*image_addr = (u64)_text;
*reserve_size = 0;
--- a/drivers/firmware/efi/libstub/efistub.h
+++ b/drivers/firmware/efi/libstub/efistub.h
@@ -29,6 +29,10 @@
#define EFI_ALLOC_ALIGN EFI_PAGE_SIZE
#endif
+#ifndef EFI_ALLOC_LIMIT
+#define EFI_ALLOC_LIMIT ULONG_MAX
+#endif
+
extern bool efi_nochunk;
extern bool efi_nokaslr;
extern int efi_loglevel;
--- a/drivers/firmware/efi/libstub/mem.c
+++ b/drivers/firmware/efi/libstub/mem.c
@@ -89,6 +89,8 @@ efi_status_t efi_allocate_pages(unsigned
efi_physical_addr_t alloc_addr;
efi_status_t status;
+ max = min(max, EFI_ALLOC_LIMIT);
+
if (EFI_ALLOC_ALIGN > EFI_PAGE_SIZE)
return efi_allocate_pages_aligned(size, addr, max,
EFI_ALLOC_ALIGN,
--- a/drivers/firmware/efi/libstub/randomalloc.c
+++ b/drivers/firmware/efi/libstub/randomalloc.c
@@ -29,7 +29,7 @@ static unsigned long get_entry_num_slots
return 0;
region_end = min(md->phys_addr + md->num_pages * EFI_PAGE_SIZE - 1,
- (u64)ULONG_MAX);
+ (u64)EFI_ALLOC_LIMIT);
if (region_end < size)
return 0;
Patches currently in stable-queue which might be from kroah.com@xxxxxxxxxxxxxxx are
queue-6.1/x86-decompressor-avoid-magic-offsets-for-efi-handover-entrypoint.patch
queue-6.1/x86-efistub-avoid-placing-the-kernel-below-load_physical_addr.patch
queue-6.1/x86-efistub-avoid-legacy-decompressor-when-doing-efi-boot.patch
queue-6.1/x86-efistub-perform-4-5-level-paging-switch-from-the-stub.patch
queue-6.1/x86-boot-rename-conflicting-boot_params-pointer-to-boot_params_ptr.patch
queue-6.1/x86-efistub-perform-snp-feature-test-while-running-in-the-firmware.patch
queue-6.1/x86-efistub-simplify-and-clean-up-handover-entry-code.patch
queue-6.1/efi-libstub-add-memory-attribute-protocol-definitions.patch
queue-6.1/efi-libstub-add-limit-argument-to-efi_random_alloc.patch
queue-6.1/efi-x86-fix-the-missing-kaslr_flag-bit-in-boot_params-hdr.loadflags.patch
queue-6.1/arm64-efi-limit-allocations-to-48-bit-addressable-physical-region.patch
queue-6.1/x86-efistub-prefer-efi-memory-attributes-protocol-over-dxe-services.patch
queue-6.1/efi-efivars-prevent-double-registration.patch
queue-6.1/x86-boot-efistub-assign-global-boot_params-variable.patch
queue-6.1/x86-efistub-clear-bss-in-efi-handover-protocol-entrypoint.patch
queue-6.1/x86-decompressor-factor-out-kernel-decompression-and-relocation.patch
queue-6.1/efi-x86-avoid-physical-kaslr-on-older-dell-systems.patch
