cve/published/2023/CVE-2023-52463.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52463: efivarfs: force RO when remounting if SetVariable is not supported

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 efivarfs: force RO when remounting if SetVariable is not supported

 If SetVariable at runtime is not supported by the firmware we never assign
 a callback for that function. At the same time mount the efivarfs as
 RO so no one can call that.  However, we never check the permission flags
 when someone remounts the filesystem as RW. As a result this leads to a
 crash looking like this:

 $ mount -o remount,rw /sys/firmware/efi/efivars
 $ efi-updatevar -f PK.auth PK

 [  303.279166] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
 [  303.280482] Mem abort info:
 [  303.280854]   ESR = 0x0000000086000004
 [  303.281338]   EC = 0x21: IABT (current EL), IL = 32 bits
 [  303.282016]   SET = 0, FnV = 0
 [  303.282414]   EA = 0, S1PTW = 0
 [  303.282821]   FSC = 0x04: level 0 translation fault
 [  303.283771] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004258c000
 [  303.284913] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
 [  303.286076] Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP
 [  303.286936] Modules linked in: qrtr tpm_tis tpm_tis_core crct10dif_ce arm_smccc_trng rng_core drm fuse ip_tables x_tables ipv6
 [  303.288586] CPU: 1 PID: 755 Comm: efi-updatevar Not tainted 6.3.0-rc1-00108-gc7d0c4695c68 #1
 [  303.289748] Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04-00627-g88336918701d 04/01/2023
 [  303.291150] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 [  303.292123] pc : 0x0
 [  303.292443] lr : efivar_set_variable_locked+0x74/0xec
 [  303.293156] sp : ffff800008673c10
 [  303.293619] x29: ffff800008673c10 x28: ffff0000037e8000 x27: 0000000000000000
 [  303.294592] x26: 0000000000000800 x25: ffff000002467400 x24: 0000000000000027
 [  303.295572] x23: ffffd49ea9832000 x22: ffff0000020c9800 x21: ffff000002467000
 [  303.296566] x20: 0000000000000001 x19: 00000000000007fc x18: 0000000000000000
 [  303.297531] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaac807ab54
 [  303.298495] x14: ed37489f673633c0 x13: 71c45c606de13f80 x12: 47464259e219acf4
 [  303.299453] x11: ffff000002af7b01 x10: 0000000000000003 x9 : 0000000000000002
 [  303.300431] x8 : 0000000000000010 x7 : ffffd49ea8973230 x6 : 0000000000a85201
 [  303.301412] x5 : 0000000000000000 x4 : ffff0000020c9800 x3 : 00000000000007fc
 [  303.302370] x2 : 0000000000000027 x1 : ffff000002467400 x0 : ffff000002467000
 [  303.303341] Call trace:
 [  303.303679]  0x0
 [  303.303938]  efivar_entry_set_get_size+0x98/0x16c
 [  303.304585]  efivarfs_file_write+0xd0/0x1a4
 [  303.305148]  vfs_write+0xc4/0x2e4
 [  303.305601]  ksys_write+0x70/0x104
 [  303.306073]  __arm64_sys_write+0x1c/0x28
 [  303.306622]  invoke_syscall+0x48/0x114
 [  303.307156]  el0_svc_common.constprop.0+0x44/0xec
 [  303.307803]  do_el0_svc+0x38/0x98
 [  303.308268]  el0_svc+0x2c/0x84
 [  303.308702]  el0t_64_sync_handler+0xf4/0x120
 [  303.309293]  el0t_64_sync+0x190/0x194
 [  303.309794] Code: ???????? ???????? ???????? ???????? (????????)
 [  303.310612] ---[ end trace 0000000000000000 ]---

 Fix this by adding a .reconfigure() function to the fs operations which
 we can use to check the requested flags and deny anything that's not RO
 if the firmware doesn't implement SetVariable at runtime.

 The Linux kernel CVE team has assigned CVE-2023-52463 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.8 with commit f88814cc2578c121e6edef686365036db72af0ed and fixed in 5.10.209 with commit 94c742324ed7e42c5bd6a9ed22e4ec6d764db4d8
 	Issue introduced in 5.8 with commit f88814cc2578c121e6edef686365036db72af0ed and fixed in 5.15.148 with commit 2aa141f8bc580f8f9811dfe4e0e6009812b73826
 	Issue introduced in 5.8 with commit f88814cc2578c121e6edef686365036db72af0ed and fixed in 6.1.75 with commit d4a9aa7db574a0da64307729cc031fb68597aa8b
 	Issue introduced in 5.8 with commit f88814cc2578c121e6edef686365036db72af0ed and fixed in 6.6.14 with commit 0049fe7e4a85849bdd778cdb72e51a791ff3d737
 	Issue introduced in 5.8 with commit f88814cc2578c121e6edef686365036db72af0ed and fixed in 6.7.2 with commit d4a714873db0866cc471521114eeac4a5072d548
 	Issue introduced in 5.8 with commit f88814cc2578c121e6edef686365036db72af0ed and fixed in 6.8 with commit 0e8d2444168dd519fea501599d150e62718ed2fe
 	Issue introduced in 5.7.11 with commit 552952e51fad35670459674bcb8a03bd96fe4646

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52463
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/efivarfs/super.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/94c742324ed7e42c5bd6a9ed22e4ec6d764db4d8
 	https://git.kernel.org/stable/c/2aa141f8bc580f8f9811dfe4e0e6009812b73826
 	https://git.kernel.org/stable/c/d4a9aa7db574a0da64307729cc031fb68597aa8b
 	https://git.kernel.org/stable/c/0049fe7e4a85849bdd778cdb72e51a791ff3d737
 	https://git.kernel.org/stable/c/d4a714873db0866cc471521114eeac4a5072d548
 	https://git.kernel.org/stable/c/0e8d2444168dd519fea501599d150e62718ed2fe
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52463: efivarfs: force RO when remounting if SetVariable is not supported

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	efivarfs: force RO when remounting if SetVariable is not supported

	If SetVariable at runtime is not supported by the firmware we never assign
	a callback for that function. At the same time mount the efivarfs as
	RO so no one can call that. However, we never check the permission flags
	when someone remounts the filesystem as RW. As a result this leads to a
	crash looking like this:

	$ mount -o remount,rw /sys/firmware/efi/efivars
	$ efi-updatevar -f PK.auth PK

	[ 303.279166] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
	[ 303.280482] Mem abort info:
	[ 303.280854] ESR = 0x0000000086000004
	[ 303.281338] EC = 0x21: IABT (current EL), IL = 32 bits
	[ 303.282016] SET = 0, FnV = 0
	[ 303.282414] EA = 0, S1PTW = 0
	[ 303.282821] FSC = 0x04: level 0 translation fault
	[ 303.283771] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004258c000
	[ 303.284913] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
	[ 303.286076] Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP
	[ 303.286936] Modules linked in: qrtr tpm_tis tpm_tis_core crct10dif_ce arm_smccc_trng rng_core drm fuse ip_tables x_tables ipv6
	[ 303.288586] CPU: 1 PID: 755 Comm: efi-updatevar Not tainted 6.3.0-rc1-00108-gc7d0c4695c68 #1
	[ 303.289748] Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04-00627-g88336918701d 04/01/2023
	[ 303.291150] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
	[ 303.292123] pc : 0x0
	[ 303.292443] lr : efivar_set_variable_locked+0x74/0xec
	[ 303.293156] sp : ffff800008673c10
	[ 303.293619] x29: ffff800008673c10 x28: ffff0000037e8000 x27: 0000000000000000
	[ 303.294592] x26: 0000000000000800 x25: ffff000002467400 x24: 0000000000000027
	[ 303.295572] x23: ffffd49ea9832000 x22: ffff0000020c9800 x21: ffff000002467000
	[ 303.296566] x20: 0000000000000001 x19: 00000000000007fc x18: 0000000000000000
	[ 303.297531] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaac807ab54
	[ 303.298495] x14: ed37489f673633c0 x13: 71c45c606de13f80 x12: 47464259e219acf4
	[ 303.299453] x11: ffff000002af7b01 x10: 0000000000000003 x9 : 0000000000000002
	[ 303.300431] x8 : 0000000000000010 x7 : ffffd49ea8973230 x6 : 0000000000a85201
	[ 303.301412] x5 : 0000000000000000 x4 : ffff0000020c9800 x3 : 00000000000007fc
	[ 303.302370] x2 : 0000000000000027 x1 : ffff000002467400 x0 : ffff000002467000
	[ 303.303341] Call trace:
	[ 303.303679] 0x0
	[ 303.303938] efivar_entry_set_get_size+0x98/0x16c
	[ 303.304585] efivarfs_file_write+0xd0/0x1a4
	[ 303.305148] vfs_write+0xc4/0x2e4
	[ 303.305601] ksys_write+0x70/0x104
	[ 303.306073] __arm64_sys_write+0x1c/0x28
	[ 303.306622] invoke_syscall+0x48/0x114
	[ 303.307156] el0_svc_common.constprop.0+0x44/0xec
	[ 303.307803] do_el0_svc+0x38/0x98
	[ 303.308268] el0_svc+0x2c/0x84
	[ 303.308702] el0t_64_sync_handler+0xf4/0x120
	[ 303.309293] el0t_64_sync+0x190/0x194
	[ 303.309794] Code: ???????? ???????? ???????? ???????? (????????)
	[ 303.310612] ---[ end trace 0000000000000000 ]---

	Fix this by adding a .reconfigure() function to the fs operations which
	we can use to check the requested flags and deny anything that's not RO
	if the firmware doesn't implement SetVariable at runtime.

	The Linux kernel CVE team has assigned CVE-2023-52463 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.8 with commit f88814cc2578c121e6edef686365036db72af0ed and fixed in 5.10.209 with commit 94c742324ed7e42c5bd6a9ed22e4ec6d764db4d8
	Issue introduced in 5.8 with commit f88814cc2578c121e6edef686365036db72af0ed and fixed in 5.15.148 with commit 2aa141f8bc580f8f9811dfe4e0e6009812b73826
	Issue introduced in 5.8 with commit f88814cc2578c121e6edef686365036db72af0ed and fixed in 6.1.75 with commit d4a9aa7db574a0da64307729cc031fb68597aa8b
	Issue introduced in 5.8 with commit f88814cc2578c121e6edef686365036db72af0ed and fixed in 6.6.14 with commit 0049fe7e4a85849bdd778cdb72e51a791ff3d737
	Issue introduced in 5.8 with commit f88814cc2578c121e6edef686365036db72af0ed and fixed in 6.7.2 with commit d4a714873db0866cc471521114eeac4a5072d548
	Issue introduced in 5.8 with commit f88814cc2578c121e6edef686365036db72af0ed and fixed in 6.8 with commit 0e8d2444168dd519fea501599d150e62718ed2fe
	Issue introduced in 5.7.11 with commit 552952e51fad35670459674bcb8a03bd96fe4646

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52463
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/efivarfs/super.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/94c742324ed7e42c5bd6a9ed22e4ec6d764db4d8
	https://git.kernel.org/stable/c/2aa141f8bc580f8f9811dfe4e0e6009812b73826
	https://git.kernel.org/stable/c/d4a9aa7db574a0da64307729cc031fb68597aa8b
	https://git.kernel.org/stable/c/0049fe7e4a85849bdd778cdb72e51a791ff3d737
	https://git.kernel.org/stable/c/d4a714873db0866cc471521114eeac4a5072d548
	https://git.kernel.org/stable/c/0e8d2444168dd519fea501599d150e62718ed2fe