git.monstr.eu Git - linux-2.6-microblaze.git/commit

author	Nathan Lynch <nathanl@linux.ibm.com>
	Tue, 12 Dec 2023 17:01:52 +0000 (11:01 -0600)
committer	Michael Ellerman <mpe@ellerman.id.au>
	Wed, 13 Dec 2023 10:38:20 +0000 (21:38 +1100)
commit	e7582edb78619abb4ebf0a6e1fed125dcd7243b6
tree	528aaa30585c843a03e7c2a38c4b069aed070901	tree \| snapshot
parent	9592aa5ad59e736727fe7894e6e820e2d851abcf	commit \| diff

powerpc/rtas: Move token validation from block_rtas_call() to sys_rtas()

The rtas system call handler sys_rtas() delegates certain input
validation steps to a helper function: block_rtas_call(). One of these
steps ensures that the user-supplied token value maps to a known RTAS
function. This is done by performing a "reverse" token-to-function
lookup via rtas_token_to_function_untrusted() to obtain an
rtas_function object.

In changes to come, sys_rtas() itself will need the function
descriptor for the token. To prepare:

* Move the lookup and validation up into sys_rtas() and pass the
  resulting rtas_function pointer to block_rtas_call(), which is
  otherwise unconcerned with the token value.

* Change block_rtas_call() to report the RTAS function name instead of
  the token value on validation failures, since it can now rely on
  having a valid function descriptor.

One behavior change is that sys_rtas() now silently errors out when
passed a bad token, before calling block_rtas_call(). So we will no
longer log "RTAS call blocked - exploit attempt?" on invalid
tokens. This is consistent with how sys_rtas() currently handles other
"metadata" (nargs and nret), while block_rtas_call() is primarily
concerned with validating the arguments to be passed to specific RTAS
functions.

Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20231212-papr-sys_rtas-vs-lockdown-v6-5-e9eafd0c8c6c@linux.ibm.com