Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP7:Update
xen.14764
5e84905c-x86-ucode-AMD-fix-more-potential-buffe...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 5e84905c-x86-ucode-AMD-fix-more-potential-buffer-overruns.patch of Package xen.14764
# Commit 718d1432000079ea7120f6cb770372afe707ce27 # Date 2020-04-01 14:00:12 +0100 # Author Andrew Cooper <andrew.cooper3@citrix.com> # Committer Andrew Cooper <andrew.cooper3@citrix.com> x86/ucode/amd: Fix more potential buffer overruns with microcode parsing cpu_request_microcode() doesn't know the buffer is at least 4 bytes long before inspecting UCODE_MAGIC. install_equiv_cpu_table() doesn't know the boundary of the buffer it is interpreting as an equivalency table. This case was clearly observed at one point in the past, given the subsequent overrun detection, but without comprehending that the damage was already done. Make the logic consistent with container_fast_forward() and pass size_left in to install_equiv_cpu_table(). Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> --- a/xen/arch/x86/microcode_amd.c +++ b/xen/arch/x86/microcode_amd.c @@ -294,11 +294,20 @@ static int get_ucode_from_buffer_amd( static int install_equiv_cpu_table( struct microcode_amd *mc_amd, const void *data, + size_t size_left, size_t *offset) { - const struct mpbhdr *mpbuf = data + *offset + 4; + const struct mpbhdr *mpbuf; const struct equiv_cpu_entry *eq; + if ( size_left < (sizeof(*mpbuf) + 4) || + (mpbuf = data + *offset + 4, + size_left - sizeof(*mpbuf) - 4 < mpbuf->len) ) + { + printk(XENLOG_WARNING "microcode: No space for equivalent cpu table\n"); + return -EINVAL; + } + *offset += mpbuf->len + CONT_HDR_SIZE; /* add header length */ if ( mpbuf->type != UCODE_EQUIV_CPU_TABLE_TYPE ) @@ -413,7 +422,7 @@ static int cpu_request_microcode(unsigne current_cpu_id = cpuid_eax(0x00000001); - if ( *(const uint32_t *)buf != UCODE_MAGIC ) + if ( bufsize < 4 || *(const uint32_t *)buf != UCODE_MAGIC ) { printk(KERN_ERR "microcode: Wrong microcode patch file magic\n"); error = -EINVAL; @@ -443,24 +452,13 @@ static int cpu_request_microcode(unsigne */ while ( offset < bufsize ) { - error = install_equiv_cpu_table(mc_amd, buf, &offset); + error = install_equiv_cpu_table(mc_amd, buf, bufsize - offset, &offset); if ( error ) { printk(KERN_ERR "microcode: installing equivalent cpu table failed\n"); break; } - /* - * Could happen as we advance 'offset' early - * in install_equiv_cpu_table - */ - if ( offset > bufsize ) - { - printk(KERN_ERR "microcode: Microcode buffer overrun\n"); - error = -EINVAL; - break; - } - if ( find_equiv_cpu_id(mc_amd->equiv_cpu_table, current_cpu_id, &equiv_cpu_id) ) break;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor