[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.18] xen/ucode: Fix buffer under-run when parsing AMD containers



commit 2c5f888204d988110fee9823b102f433c6212d9d
Author:     Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>
AuthorDate: Tue Sep 24 15:01:15 2024 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Sep 24 15:01:15 2024 +0200

    xen/ucode: Fix buffer under-run when parsing AMD containers
    
    The AMD container format has no formal spec.  It is, at best, precision
    guesswork based on AMD's prior contributions to open source projects.  The
    Equivalence Table has both an explicit length, and an expectation of having 
a
    NULL entry at the end.
    
    Xen was sanity checking the NULL entry, but without confirming that an entry
    was present, resulting in a read off the front of the buffer.  With some
    manual debugging/annotations this manifests as:
    
      (XEN) *** Buf ffff83204c00b19c, eq ffff83204c00b194
      (XEN) *** eq: 0c 00 00 00 44 4d 41 00 00 00 00 00 00 00 00 00 aa aa aa aa
                                ^-Actual buffer-------------------^
      (XEN) *** installed_cpu: 000c
      (XEN) microcode: Bad equivalent cpu table
      (XEN) Parsing microcode blob error -22
    
    When loaded by hypercall, the 4 bytes interpreted as installed_cpu happen to
    be the containing struct ucode_buf's len field, and luckily will be nonzero.
    
    When loaded at boot, it's possible for the access to #PF if the module 
happens
    to have been placed on a 2M boundary by the bootloader.  Under Linux, it 
will
    commonly be the end of the CPIO header.
    
    Drop the probe of the NULL entry; Nothing else cares.  A container without 
one
    is well formed, insofar that we can still parse it correctly.  With this
    dropped, the same container results in:
    
      (XEN) microcode: couldn't find any matching ucode in the provided blob!
    
    Fixes: 4de936a38aa9 ("x86/ucode/amd: Rework parsing logic in 
cpu_request_microcode()")
    Signed-off-by: Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    master commit: a8bf14f6f331d4f428010b4277b67c33f561ed19
    master date: 2024-09-13 15:23:30 +0100
---
 xen/arch/x86/cpu/microcode/amd.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/amd.c
index d8f7646e88..dc735ee480 100644
--- a/xen/arch/x86/cpu/microcode/amd.c
+++ b/xen/arch/x86/cpu/microcode/amd.c
@@ -336,8 +336,7 @@ static struct microcode_patch *cf_check 
cpu_request_microcode(
         if ( size < sizeof(*et) ||
              (et = buf)->type != UCODE_EQUIV_CPU_TABLE_TYPE ||
              size - sizeof(*et) < et->len ||
-             et->len % sizeof(et->eq[0]) ||
-             et->eq[(et->len / sizeof(et->eq[0])) - 1].installed_cpu )
+             et->len % sizeof(et->eq[0]) )
         {
             printk(XENLOG_ERR "microcode: Bad equivalent cpu table\n");
             error = -EINVAL;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.18



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.