[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen stable-4.18] xen/ucode: Fix buffer under-run when parsing AMD containers
commit 2c5f888204d988110fee9823b102f433c6212d9d Author: Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx> AuthorDate: Tue Sep 24 15:01:15 2024 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Tue Sep 24 15:01:15 2024 +0200 xen/ucode: Fix buffer under-run when parsing AMD containers The AMD container format has no formal spec. It is, at best, precision guesswork based on AMD's prior contributions to open source projects. The Equivalence Table has both an explicit length, and an expectation of having a NULL entry at the end. Xen was sanity checking the NULL entry, but without confirming that an entry was present, resulting in a read off the front of the buffer. With some manual debugging/annotations this manifests as: (XEN) *** Buf ffff83204c00b19c, eq ffff83204c00b194 (XEN) *** eq: 0c 00 00 00 44 4d 41 00 00 00 00 00 00 00 00 00 aa aa aa aa ^-Actual buffer-------------------^ (XEN) *** installed_cpu: 000c (XEN) microcode: Bad equivalent cpu table (XEN) Parsing microcode blob error -22 When loaded by hypercall, the 4 bytes interpreted as installed_cpu happen to be the containing struct ucode_buf's len field, and luckily will be nonzero. When loaded at boot, it's possible for the access to #PF if the module happens to have been placed on a 2M boundary by the bootloader. Under Linux, it will commonly be the end of the CPIO header. Drop the probe of the NULL entry; Nothing else cares. A container without one is well formed, insofar that we can still parse it correctly. With this dropped, the same container results in: (XEN) microcode: couldn't find any matching ucode in the provided blob! Fixes: 4de936a38aa9 ("x86/ucode/amd: Rework parsing logic in cpu_request_microcode()") Signed-off-by: Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> master commit: a8bf14f6f331d4f428010b4277b67c33f561ed19 master date: 2024-09-13 15:23:30 +0100 --- xen/arch/x86/cpu/microcode/amd.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/amd.c index d8f7646e88..dc735ee480 100644 --- a/xen/arch/x86/cpu/microcode/amd.c +++ b/xen/arch/x86/cpu/microcode/amd.c @@ -336,8 +336,7 @@ static struct microcode_patch *cf_check cpu_request_microcode( if ( size < sizeof(*et) || (et = buf)->type != UCODE_EQUIV_CPU_TABLE_TYPE || size - sizeof(*et) < et->len || - et->len % sizeof(et->eq[0]) || - et->eq[(et->len / sizeof(et->eq[0])) - 1].installed_cpu ) + et->len % sizeof(et->eq[0]) ) { printk(XENLOG_ERR "microcode: Bad equivalent cpu table\n"); error = -EINVAL; -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |