[Xen-devel] [PATCH 4/4] x86/microcode_amd: Fail attempts to load a 0-length microcode blob.
Coverity ID: 1055319
Coverity identified that when passed a microcode header with a length field of
0, get_ucode_from_buffer_amd() would end up calling memcpy(NULL, data, 0)
which is undefined behaviour.
While Xen's implementation of memcpy will do the correct thing in this case,
any user trying to load a 0 length microcode blob deserves an -EINVAL.
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CC: Keir Fraser <keir@xxxxxxx>
CC: Jan Beulich <JBeulich@xxxxxxxx>
CC: Suravee Suthikulpanit <suravee.suthikulpanit@xxxxxxx>
CC: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>
---
xen/arch/x86/microcode_amd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xen/arch/x86/microcode_amd.c b/xen/arch/x86/microcode_amd.c
index a3ceef8..2c767a9 100644
--- a/xen/arch/x86/microcode_amd.c
+++ b/xen/arch/x86/microcode_amd.c
@@ -202,7 +202,7 @@ static int get_ucode_from_buffer_amd(
return -EINVAL;
}
- if ( (off + mpbuf->len) > bufsize )
+ if ( mpbuf->len == 0 || ((off + mpbuf->len) > bufsize) )
{
printk(KERN_ERR "microcode: Bad data in microcode data file\n");
return -EINVAL;
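Review bot: the bounds test on the changed line still computes `off + mpbuf->len` before comparing with `bufsize`, and `mpbuf->len` comes straight from the blob being parsed, so a large length could wrap the sum and pass the check, depending on the operand types, which this hunk does not show. Since the line is being touched anyway, consider writing it as `mpbuf->len == 0 || mpbuf->len > bufsize - off`, which cannot wrap provided `off <= bufsize` has already been established earlier in the function (also not visible here). A smaller point: the zero-length case now reports the same "Bad data in microcode data file" message as an oversized section; that is acceptable, but a distinct message would make the rejected input easier to diagnose from the log.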
--
1.7.10.4
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel