|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen stable-4.18] x86/boot: Fix microcode module handling during PVH boot
commit 9043f31c4085c4f7db7b5fb0bdbf7a2eae0408ce
Author: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
AuthorDate: Tue Oct 29 16:42:16 2024 +0100
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Oct 29 16:42:16 2024 +0100
x86/boot: Fix microcode module handling during PVH boot
As detailed in commit 0fe607b2a144 ("x86/boot: Fix PVH boot during boot_info
transition period"), the use of __va(mbi->mods_addr) constitutes a
use-after-free on the PVH boot path.
This pattern has been in use since before PVH support was added. Inside a
PVH
VM, it will go unnoticed as long as the microcode container parser doesn't
choke on the random data it finds.
The use within early_microcode_init() happens to be safe because it's prior
to
move_xen(). microcode_init_cache() is after move_xen(), and therefore
unsafe.
Plumb the boot_info pointer down, replacing module_map and mbi.
Importantly,
bi->mods[].mod is a safe way to access the module list during PVH boot.
Note: microcode_scan_module() is still bogusly stashing a bootstrap_map()'d
pointer in ucode_blob.data, which constitutes a different
use-after-free, and only works in general because of a second bug.
This
is unrelated to PVH, and needs untangling differently.
Signed-off-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Reviewed-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
Acked-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
master commit: 8ddf63a252a6eae6e619ba2df9ad6b6f82e660c1
master date: 2024-10-23 18:14:24 +0100
---
xen/arch/x86/cpu/microcode/core.c | 21 +++++++++++----------
xen/arch/x86/include/asm/microcode.h | 7 +++++--
xen/arch/x86/setup.c | 4 ++--
3 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/xen/arch/x86/cpu/microcode/core.c
b/xen/arch/x86/cpu/microcode/core.c
index 8a47f4471f..2ee0db5b21 100644
--- a/xen/arch/x86/cpu/microcode/core.c
+++ b/xen/arch/x86/cpu/microcode/core.c
@@ -151,9 +151,9 @@ custom_param("ucode", parse_ucode);
static void __init microcode_scan_module(
unsigned long *module_map,
- const multiboot_info_t *mbi)
+ const multiboot_info_t *mbi,
+ const module_t mod[])
{
- module_t *mod = (module_t *)__va(mbi->mods_addr);
uint64_t *_blob_start;
unsigned long _blob_size;
struct cpio_data cd;
@@ -203,10 +203,9 @@ static void __init microcode_scan_module(
static void __init microcode_grab_module(
unsigned long *module_map,
- const multiboot_info_t *mbi)
+ const multiboot_info_t *mbi,
+ const module_t mod[])
{
- module_t *mod = (module_t *)__va(mbi->mods_addr);
-
if ( ucode_mod_idx < 0 )
ucode_mod_idx += mbi->mods_count;
if ( ucode_mod_idx <= 0 || ucode_mod_idx >= mbi->mods_count ||
@@ -215,7 +214,7 @@ static void __init microcode_grab_module(
ucode_mod = mod[ucode_mod_idx];
scan:
if ( ucode_scan )
- microcode_scan_module(module_map, mbi);
+ microcode_scan_module(module_map, mbi, mod);
}
static struct microcode_ops __ro_after_init ucode_ops;
@@ -801,7 +800,8 @@ static int __init early_update_cache(const void *data,
size_t len)
}
int __init microcode_init_cache(unsigned long *module_map,
- const struct multiboot_info *mbi)
+ const struct multiboot_info *mbi,
+ const module_t mods[])
{
int rc = 0;
@@ -810,7 +810,7 @@ int __init microcode_init_cache(unsigned long *module_map,
if ( ucode_scan )
/* Need to rescan the modules because they might have been relocated */
- microcode_scan_module(module_map, mbi);
+ microcode_scan_module(module_map, mbi, mods);
if ( ucode_mod.mod_end )
rc = early_update_cache(bootstrap_map(&ucode_mod),
@@ -857,7 +857,8 @@ static int __init early_microcode_update_cpu(void)
}
int __init early_microcode_init(unsigned long *module_map,
- const struct multiboot_info *mbi)
+ const struct multiboot_info *mbi,
+ const module_t mods[])
{
const struct cpuinfo_x86 *c = &boot_cpu_data;
int rc = 0;
@@ -906,7 +907,7 @@ int __init early_microcode_init(unsigned long *module_map,
return -ENODEV;
}
- microcode_grab_module(module_map, mbi);
+ microcode_grab_module(module_map, mbi, mods);
if ( ucode_mod.mod_end || ucode_blob.size )
rc = early_microcode_update_cpu();
diff --git a/xen/arch/x86/include/asm/microcode.h
b/xen/arch/x86/include/asm/microcode.h
index 62ce3418f7..bfb1820d21 100644
--- a/xen/arch/x86/include/asm/microcode.h
+++ b/xen/arch/x86/include/asm/microcode.h
@@ -3,6 +3,7 @@
#include <xen/types.h>
#include <xen/percpu.h>
+#include <xen/multiboot.h>
#include <public/xen.h>
@@ -24,9 +25,11 @@ DECLARE_PER_CPU(struct cpu_signature, cpu_sig);
void microcode_set_module(unsigned int idx);
int microcode_update(XEN_GUEST_HANDLE(const_void), unsigned long len);
int early_microcode_init(unsigned long *module_map,
- const struct multiboot_info *mbi);
+ const struct multiboot_info *mbi,
+ const module_t mods[]);
int microcode_init_cache(unsigned long *module_map,
- const struct multiboot_info *mbi);
+ const struct multiboot_info *mbi,
+ const module_t mods[]);
int microcode_update_one(void);
#endif /* ASM_X86__MICROCODE_H */
diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index 18503300e7..1d5d3f8a66 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -1316,7 +1316,7 @@ void __init noreturn __start_xen(unsigned long mbi_p)
* TODO: load ucode earlier once multiboot modules become accessible
* at an earlier stage.
*/
- early_microcode_init(module_map, mbi);
+ early_microcode_init(module_map, mbi, mod);
if ( xen_phys_start )
{
@@ -1842,7 +1842,7 @@ void __init noreturn __start_xen(unsigned long mbi_p)
timer_init();
- microcode_init_cache(module_map, mbi); /* Needs xmalloc() */
+ microcode_init_cache(module_map, mbi, mod); /* Needs xmalloc() */
tsx_init(); /* Needs microcode. May change HLE/RTM feature bits. */
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.18
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |