From 505f1957c5746663adde613c7dea3a9f224bb3e9 Mon Sep 17 00:00:00 2001
From: Ma Wupeng
Date: Wed, 21 Jun 2023 10:31:40 +0800
Subject: [PATCH 1/2] efi: Fix UAF for arm64 when enable efi_fake_mem
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7F3NP
CVE: NA
--------------------------------
Efi fake mem support for arm64 is introduced for debug propose only. However efi_memmap_init_late in arm_enable_runtime_services will free this memory which will lead to UAF on efi.memmap.map.
In order to slove this, clear efi.memmap.flags to skip free. Since efi map is never freed in arm64, this will not lead to memroy leak.
Signed-off-by: Ma Wupeng
(cherry picked from commit 6b455c10a0a6e84111b6bbf1c9c38a36337e2aea)
---
 drivers/firmware/efi/fake_mem.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/drivers/firmware/efi/fake_mem.c b/drivers/firmware/efi/fake_mem.c
index 6e0f34a38171..be7d13ef91d2 100644
--- a/drivers/firmware/efi/fake_mem.c
+++ b/drivers/firmware/efi/fake_mem.c
@@ -61,6 +61,19 @@ static void __init efi_fake_range(struct efi_mem_range *efi_range)
 	/* swap into new EFI memmap */
 	early_memunmap(new_memmap, data.size);
+#ifdef CONFIG_ARM64
+	/*
+	 * Efi fake mem support for arm64 is introduced for debug propose
+	 * only. However efi_memmap_init_late in arm_enable_runtime_services
+	 * will free this memory which will lead to UAF on efi.memmap.map.
+	 *
+	 * In order to slove this, clear efi.memmap.flags to skip free.
+	 * Since efi map is never freed in arm64, this will not lead to
+	 * memroy leak.
+	 */
+	data.flags &= ~(EFI_MEMMAP_SLAB | EFI_MEMMAP_MEMBLOCK);
+#endif
+
 	efi_memmap_install(&data);
 }
-- 
Gitee
From 31478980dc99d0c6b4dd06179e7ddef0104d0c4e Mon Sep 17 00:00:00 2001
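Review bot: The comment added before `data.flags &= ~(EFI_MEMMAP_SLAB | EFI_MEMMAP_MEMBLOCK);` explains the symptom but not the consequence of clearing the ownership flags: the allocation backing the fake map is deliberately never freed afterwards, and a reader who later spots that apparent leak and "fixes" it would reintroduce the use-after-free. It also carries three misspellings, `propose` → `purpose`, `slove` → `solve`, `memroy` → `memory`. A suggested replacement for the second paragraph is `* Clearing the ownership flags stops efi_memmap_init_late() from freeing the fake map that efi.memmap.map still points to; the allocation is intentionally leaked, which is acceptable for a debug-only feature.` That efi_memmap_init_late() frees the map based on these flags, and that other architectures are unaffected by the `#ifdef CONFIG_ARM64` guard, is inferred from the commit message rather than visible in this hunk. efi_fake_range() begins before the hunk.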
From: Ma Wupeng
Date: Wed, 21 Jun 2023 10:31:41 +0800
Subject: [PATCH 2/2] config: Disable EFI_FAKE_MEMMAP support for arm64 by default
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7F3NP
CVE: NA
--------------------------------
EFI_FAKE_MEMMAP is used specific memory range by updating original (firmware provided) EFI memmap. This can only be used for debug propose. Disable it by default.
Signed-off-by: Ma Wupeng
(cherry picked from commit 13ecd6fc7492b15a3e05c5b8094414180712d01e)
---
 arch/arm64/configs/openeuler_defconfig | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig
index eb4ee0522446..bdf6957bf551 100644
--- a/arch/arm64/configs/openeuler_defconfig
+++ b/arch/arm64/configs/openeuler_defconfig
@@ -659,8 +659,7 @@ CONFIG_FW_CFG_SYSFS=y
 CONFIG_EFI_ESRT=y
 CONFIG_EFI_VARS_PSTORE=y
 CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y
-CONFIG_EFI_FAKE_MEMMAP=y
-CONFIG_EFI_MAX_FAKE_MEM=8
+# CONFIG_EFI_FAKE_MEMMAP is not set
 CONFIG_EFI_SOFT_RESERVE=y
 CONFIG_EFI_PARAMS_FROM_FDT=y
 CONFIG_EFI_RUNTIME_WRAPPERS=y
-- 
Gitee