Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions
From: Andy Lutomirski
Date: Tue Feb 20 2018 - 18:19:30 EST
On Tue, Feb 20, 2018 at 7:18 PM, Andy Lutomirski <luto@xxxxxxxxxx> wrote:
> On 02/15/2018 10:22 AM, Joe Konno wrote:
>>
>> From: Joe Konno <joe.konno@xxxxxxxxx>
>>
>> Efivarfs nodes are created with group and world readable permissions.
>> Reading certain EFI variables trigger SMIs. So, this is a potential DoS
>> surface.
>>
>> Make permissions more restrictive-- only the owner may read or write to
>> created inodes.
>>
>> Suggested-by: Andi Kleen <ak@xxxxxxxxxxxxxxx>
>> Reported-by: Tony Luck <tony.luck@xxxxxxxxx>
>> Cc: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
>> Cc: Matthew Garrett <matthew.garrett@xxxxxxxxxx>
>> Cc: Jeremy Kerr <jk@xxxxxxxxxx>
>> Cc: linux-efi@xxxxxxxxxxxxxxx
>> Cc: stable@xxxxxxxxxxxxxxx
>> Signed-off-by: Joe Konno <joe.konno@xxxxxxxxx>
>
>
> The discussion in this thread has gone on too long, so:
>
> Acked-by: Andy Lutomirski <luto@xxxxxxxxxx>
>
> And yes, this patch will break a couple of minor usecases, but IMO those
> usecases deserve to break.
Alternatively, a patch like this (untested but straightforward) might
be a little more effective and easier to undo in userspace for anyone
who may be adversely affected:
diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c
index 5b68e4294faa..88c7163c0ac1 100644
--- a/fs/efivarfs/super.c
+++ b/fs/efivarfs/super.c
@@ -207,7 +207,7 @@ static int efivarfs_fill_super(struct super_block
*sb, void *data, int silent)
sb->s_d_op = &efivarfs_d_ops;
sb->s_time_gran = 1;
- inode = efivarfs_get_inode(sb, NULL, S_IFDIR | 0755, 0, true);
+ inode = efivarfs_get_inode(sb, NULL, S_IFDIR | 0700, 0, true);
if (!inode)
return -ENOMEM;
inode->i_op = &efivarfs_dir_inode_operations;
If you prefer that, I'd be happy to re-send it for real.
--Andy