• Julius Werner's avatar
    firmware: google: memconsole: Prevent overrun attack on coreboot console · 40fbb238
    Julius Werner authored
    The recent coreboot memory console update (firmware: google: memconsole:
    Adapt to new coreboot ring buffer format) introduced a small security
    issue in the driver: The new driver implementation parses the memory
    console structure again on every access. This is intentional so that
    additional lines added concurrently by runtime firmware can be read out.
    
    However, if an attacker can write to the structure, they could increase
    the size value to a point where the driver would read potentially
    sensitive memory areas from outside the original console buffer during
    the next access. This can be done through /dev/mem, since the console
    buffer usually resides in firmware-reserved memory that is not covered
    by STRICT_DEVMEM.
    
    This patch resolves that problem by reading the buffer's size value only
    once during boot (where we can still trust the structure). Other parts
    of the structure can still be modified at runtime, but the driver's
    bounds checks make sure that it will never read outside the buffer.
    
    Fixes: a5061d02 ("firmware: google: memconsole: Adapt to new coreboot ring buffer format")
    Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    40fbb238
memconsole-coreboot.c 3.78 KB