|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen stable-4.13] x86/ucode/amd: Fix more potential buffer overruns with microcode parsing
commit b3e08a6657bc7df96276a6039cd8f368709e13b8
Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Thu Apr 9 09:19:51 2020 +0200
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Apr 9 09:19:51 2020 +0200
x86/ucode/amd: Fix more potential buffer overruns with microcode parsing
cpu_request_microcode() doesn't know the buffer is at least 4 bytes long
before inspecting UCODE_MAGIC.
install_equiv_cpu_table() doesn't know the boundary of the buffer it is
interpreting as an equivalency table. This case was clearly observed at one
point in the past, given the subsequent overrun detection, but without
comprehending that the damage was already done.
Make the logic consistent with container_fast_forward() and pass size_left
in
to install_equiv_cpu_table().
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
master commit: 718d1432000079ea7120f6cb770372afe707ce27
master date: 2020-04-01 14:00:12 +0100
---
xen/arch/x86/microcode_amd.c | 26 ++++++++++++--------------
1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/xen/arch/x86/microcode_amd.c b/xen/arch/x86/microcode_amd.c
index 5d85b94575..846cf099e8 100644
--- a/xen/arch/x86/microcode_amd.c
+++ b/xen/arch/x86/microcode_amd.c
@@ -318,11 +318,20 @@ static int get_ucode_from_buffer_amd(
static int install_equiv_cpu_table(
struct microcode_amd *mc_amd,
const void *data,
+ size_t size_left,
size_t *offset)
{
- const struct mpbhdr *mpbuf = data + *offset + 4;
+ const struct mpbhdr *mpbuf;
const struct equiv_cpu_entry *eq;
+ if ( size_left < (sizeof(*mpbuf) + 4) ||
+ (mpbuf = data + *offset + 4,
+ size_left - sizeof(*mpbuf) - 4 < mpbuf->len) )
+ {
+ printk(XENLOG_WARNING "microcode: No space for equivalent cpu
table\n");
+ return -EINVAL;
+ }
+
*offset += mpbuf->len + CONT_HDR_SIZE; /* add header length */
if ( mpbuf->type != UCODE_EQUIV_CPU_TABLE_TYPE )
@@ -436,7 +445,7 @@ static struct microcode_patch *cpu_request_microcode(const
void *buf,
current_cpu_id = cpuid_eax(0x00000001);
- if ( *(const uint32_t *)buf != UCODE_MAGIC )
+ if ( bufsize < 4 || *(const uint32_t *)buf != UCODE_MAGIC )
{
printk(KERN_ERR "microcode: Wrong microcode patch file magic\n");
error = -EINVAL;
@@ -466,24 +475,13 @@ static struct microcode_patch
*cpu_request_microcode(const void *buf,
*/
while ( offset < bufsize )
{
- error = install_equiv_cpu_table(mc_amd, buf, &offset);
+ error = install_equiv_cpu_table(mc_amd, buf, bufsize - offset,
&offset);
if ( error )
{
printk(KERN_ERR "microcode: installing equivalent cpu table
failed\n");
break;
}
- /*
- * Could happen as we advance 'offset' early
- * in install_equiv_cpu_table
- */
- if ( offset > bufsize )
- {
- printk(KERN_ERR "microcode: Microcode buffer overrun\n");
- error = -EINVAL;
- break;
- }
-
if ( find_equiv_cpu_id(mc_amd->equiv_cpu_table, current_cpu_id,
&equiv_cpu_id) )
break;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.13
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |