From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
To: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Keir Fraser <keir@xen.org>, Jan Beulich <JBeulich@suse.com>,
	Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>,
	Xen-devel <xen-devel@lists.xen.org>
Subject: Re: [PATCH 3/4] AMD/microcode: Avoid use-after-free for the microcode buffer
Date: Fri, 27 Dec 2013 10:30:44 -0500
Message-ID: <52BD9D24.30008@oracle.com>
In-Reply-To: <1388156253-14509-4-git-send-email-andrew.cooper3@citrix.com>

On 12/27/2013 09:57 AM, Andrew Cooper wrote:
> It is possible to free the mc_old buffer and the store it for use on in the

I think you don't need *the* store here. And no *on*.

> case of resume.
>
> This keeps the old semantics of being able to return an error even after a
> successful microcode application.
>
> Coverity-ID 1146953
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> CC: Keir Fraser <keir@xen.org>
> CC: Jan Beulich <JBeulich@suse.com>
> CC: Boris Ostrovsky <boris.ostrovsky@oracle.com>
> CC: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
> ---
>   xen/arch/x86/microcode_amd.c |   17 +++++++++--------
>   1 file changed, 9 insertions(+), 8 deletions(-)
>
> diff --git a/xen/arch/x86/microcode_amd.c b/xen/arch/x86/microcode_amd.c
> index a3ceef8..8ea4e63 100644
> --- a/xen/arch/x86/microcode_amd.c
> +++ b/xen/arch/x86/microcode_amd.c
> @@ -275,7 +275,7 @@ static int cpu_request_microcode(int cpu, const void *buf, size_t bufsize)
>       struct microcode_amd *mc_amd, *mc_old;
>       size_t offset = bufsize;
>       size_t last_offset, applied_offset = 0;
> -    int error = 0;
> +    int error = 0, save_error = 1;
>       struct ucode_cpu_info *uci = &per_cpu(ucode_cpu_info, cpu);
>   
>       /* We should bind the task to the CPU */
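Review bot: `save_error = 1` is a sentinel meaning "no microcode applied yet" that later drives the restore path, but 1 is not an errno-style value and the name reads as a saved return code; a comment on the declaration, e.g. `int error = 0, save_error = 1; /* 1: nothing applied yet */`, would make the sentinel explicit for the next reader.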
> @@ -338,19 +338,20 @@ static int cpu_request_microcode(int cpu, const void *buf, size_t bufsize)
>        */
>       if ( applied_offset )
>       {
> -        int ret = get_ucode_from_buffer_amd(mc_amd, buf, bufsize,
> -                                            &applied_offset);
> -        if ( ret == 0 )
> -            xfree(mc_old);
> -        else
> -            error = ret;
> +        save_error = get_ucode_from_buffer_amd(
> +            mc_amd, buf, bufsize, &applied_offset);
> +
> +        if ( save_error )
> +            error = save_error
>       }
>   
> -    if ( !applied_offset || error )
> +    if ( save_error )
>       {
>           xfree(mc_amd);
>           uci->mc.mc_amd = mc_old;
>       }
> +    else
> +        xfree(mc_old);

Won't this free mc_old (which is where previous microcode lived) even if 
the new buffer didn't have any valid microcode (i.e. applied_offset is 
zero)?

-boris


>   
>     out:
>       svm_host_osvw_init();
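Review bot: `error = save_error` inside the `if ( save_error )` block is missing its terminating semicolon, so the hunk does not compile as posted; it should read `error = save_error;`. On the `!applied_offset` case `save_error` keeps its initial value of 1, so the `if ( save_error )` branch frees `mc_amd` and restores `mc_old` rather than freeing it, and the new `else xfree(mc_old);` is only reached when `get_ucode_from_buffer_amd()` returned 0; since the old condition `!applied_offset || error` stated that explicitly, the commit message should say so.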
