[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen master] x86/ucode/amd: Fix OoB read in cpu_request_microcode()
commit 1cbc4d89c45cba3929f1c0cb4bca0b000c4f174b Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> AuthorDate: Tue Feb 9 22:10:54 2021 +0000 Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> CommitDate: Wed Feb 10 13:23:51 2021 +0000 x86/ucode/amd: Fix OoB read in cpu_request_microcode() verify_patch_size() is a maximum size check, and doesn't have a minimum bound. If the microcode container encodes a blob with a length less than 64 bytes, the subsequent calls to microcode_fits()/compare_header() may read off the end of the buffer. Fixes: 4de936a38a ("x86/ucode/amd: Rework parsing logic in cpu_request_microcode()") Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> --- xen/arch/x86/cpu/microcode/amd.c | 1 + 1 file changed, 1 insertion(+) diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/amd.c index 5255028af7..3e51e53c1f 100644 --- a/xen/arch/x86/cpu/microcode/amd.c +++ b/xen/arch/x86/cpu/microcode/amd.c @@ -349,6 +349,7 @@ static struct microcode_patch *cpu_request_microcode(const void *buf, size_t siz if ( size < sizeof(*mc) || (mc = buf)->type != UCODE_UCODE_TYPE || size - sizeof(*mc) < mc->len || + mc->len < sizeof(struct microcode_patch) || (!skip_ucode && !verify_patch_size(mc->len)) ) { printk(XENLOG_ERR "microcode: Bad microcode data\n"); -- generated by git-patchbot for /home/xen/git/xen.git#master
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |