From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Keir Fraser <keir@xen.org>, Jan Beulich <JBeulich@suse.com>,
Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>,
Xen-devel <xen-devel@lists.xen.org>
Subject: Re: [PATCH 3/4] AMD/microcode: Avoid use-after-free for the microcode buffer
Date: Fri, 27 Dec 2013 15:36:27 +0000
Message-ID: <52BD9E7B.5000708@citrix.com>
In-Reply-To: <52BD9D24.30008@oracle.com>
On 27/12/2013 15:30, Boris Ostrovsky wrote:
> On 12/27/2013 09:57 AM, Andrew Cooper wrote:
>> It is possible to free the mc_old buffer and the store it for use on
>> in the
>
> I think you don't need *the* store here. And no *on*.
Oops - I refactored my sentence half way through, and missed that on a
reread.
>
>> case of resume.
>>
>> This keeps the old semantics of being able to return an error even
>> after a
>> successful microcode application.
>>
>> Coverity-ID 1146953
>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
>> CC: Keir Fraser <keir@xen.org>
>> CC: Jan Beulich <JBeulich@suse.com>
>> CC: Boris Ostrovsky <boris.ostrovsky@oracle.com>
>> CC: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
>> ---
>> xen/arch/x86/microcode_amd.c | 17 +++++++++--------
>> 1 file changed, 9 insertions(+), 8 deletions(-)
>>
>> diff --git a/xen/arch/x86/microcode_amd.c b/xen/arch/x86/microcode_amd.c
>> index a3ceef8..8ea4e63 100644
>> --- a/xen/arch/x86/microcode_amd.c
>> +++ b/xen/arch/x86/microcode_amd.c
>> @@ -275,7 +275,7 @@ static int cpu_request_microcode(int cpu, const
>> void *buf, size_t bufsize)
>> struct microcode_amd *mc_amd, *mc_old;
>> size_t offset = bufsize;
>> size_t last_offset, applied_offset = 0;
>> - int error = 0;
>> + int error = 0, save_error = 1;
>> struct ucode_cpu_info *uci = &per_cpu(ucode_cpu_info, cpu);
>> /* We should bind the task to the CPU */
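Review bot: the `save_error = 1` initialiser in `int error = 0, save_error = 1;` is a sentinel meaning "nothing was applied, so the applied blob was never re-parsed", but nothing on the line says so, and a reader will assume both variables start at 0 (the question further down about applied_offset being zero shows exactly that). Suggest a comment on the declaration, e.g. `/* non-zero until get_ucode_from_buffer_amd() succeeds */`, so the later `if ( save_error )` reads as intended.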
>> @@ -338,19 +338,20 @@ static int cpu_request_microcode(int cpu, const
>> void *buf, size_t bufsize)
>> */
>> if ( applied_offset )
>> {
>> - int ret = get_ucode_from_buffer_amd(mc_amd, buf, bufsize,
>> - &applied_offset);
>> - if ( ret == 0 )
>> - xfree(mc_old);
>> - else
>> - error = ret;
>> + save_error = get_ucode_from_buffer_amd(
>> + mc_amd, buf, bufsize, &applied_offset);
>> +
>> + if ( save_error )
>> + error = save_error
>> }
>> - if ( !applied_offset || error )
>> + if ( save_error )
>> {
>> xfree(mc_amd);
>> uci->mc.mc_amd = mc_old;
>> }
>> + else
>> + xfree(mc_old);
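Review bot: `error = save_error` inside `if ( save_error )` is missing its trailing semicolon, so the hunk will not compile as posted; it should read `error = save_error;`. Separately, the split between save_error (decides which buffer survives) and error (the value returned) is what removes the use-after-free: the old `if ( !applied_offset || error )` could fire on an `error` set before this block, after `xfree(mc_old)` had already run, and then store the freed mc_old into uci->mc.mc_amd. A one-line comment above the second `if` saying that would stop the two variables looking redundant.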
>
> Won't this free mc_old (which is where previous microcode lived) even
> if the new buffer didn't have any valid microcode (i.e. applied_offset
> is zero)?
>
> -boris
save_error starts off as 1, and only gets set to 0 on a successful
get_ucode_from_buffer_amd(), so we will only free mc_old in the case
that we have valid microcode in mc_amd. All other cases free mc_amd and
revert to using mc_old.
~Andrew
>
>
>> out:
>> svm_host_osvw_init();
>
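Added example, not part of Andrew's patch or of Xen: a C model of the buffer hand-off the hunk changes, with stand-in names (request_microcode, parse_ret, prior_error) and flags in place of xfree(), so the old and the fixed logic can be compared on the applied_offset == 0 case Boris asks about and on the stale-error case the patch fixes.

```c
/* Added example, not Xen's code: a model of the buffer hand-off in
 * cpu_request_microcode() before and after the patch. The buffers are
 * stack integers and xfree() becomes a flag, so a dangling pointer is
 * reported rather than dereferenced. Names are stand-ins for the real
 * mc_old / mc_amd / uci->mc.mc_amd. */
#include <stdbool.h>

struct outcome {
    bool installed_is_freed;  /* uci->mc.mc_amd points at freed memory */
    bool kept_new;            /* the freshly parsed mc_amd stayed installed */
    int error;                /* value cpu_request_microcode() would return */
};

/* applied_offset != 0: some patch from buf was applied. prior_error: what
 * `error` already held (may be non-zero even after a successful apply).
 * parse_ret: stand-in for the get_ucode_from_buffer_amd() return value. */
static struct outcome request_microcode(bool fixed, int applied_offset,
                                        int prior_error, int parse_ret)
{
    int old_buf = 0, new_buf = 0;
    int *mc_old = &old_buf, *mc_amd = &new_buf;
    int *installed = mc_amd;           /* installed when mc_amd was allocated */
    bool old_freed = false, new_freed = false;
    int error = prior_error, save_error = 1;

    if (applied_offset) {
        if (fixed) {
            save_error = parse_ret;
            if (save_error)
                error = save_error;
        } else if (parse_ret == 0) {
            old_freed = true;              /* old code: xfree(mc_old) here */
        } else {
            error = parse_ret;
        }
    }
    /* The old test also fires on a stale `error`, after mc_old is gone. */
    if (fixed ? save_error != 0 : (!applied_offset || error)) {
        new_freed = true;                  /* xfree(mc_amd) */
        installed = mc_old;                /* uci->mc.mc_amd = mc_old */
    } else if (fixed) {
        old_freed = true;                  /* xfree(mc_old); keep mc_amd */
    }
    return (struct outcome){
        .installed_is_freed = installed == mc_old ? old_freed : new_freed,
        .kept_new = installed == mc_amd,
        .error = error,
    };
}
```

With a prior error and a successful re-parse, the old logic installs a freed mc_old while the fixed logic keeps mc_amd and still returns the error, matching the commit message.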
Thread overview:
2013-12-27 14:57 [PATCH 0/4] Coverity fixes relating to xmalloc()/xfree() Andrew Cooper
2013-12-27 14:57 ` [PATCH 1/4] common/sysctl: Don't leak status in SYSCTL_page_offline_op Andrew Cooper
2014-01-07 11:33 ` Jan Beulich
2014-01-07 11:34 ` Andrew Cooper
2014-01-07 11:48 ` Jan Beulich
2014-01-07 11:59 ` [Patch v2 " Andrew Cooper
2014-01-13 11:13 ` Andrew Cooper
2014-01-17 17:59 ` Keir Fraser
2013-12-27 14:57 ` [PATCH 2/4] AMD/iommu_detect: Don't leak iommu structure on error paths Andrew Cooper
2013-12-29 17:39 ` Suravee Suthikulpanit
2013-12-27 14:57 ` [PATCH 3/4] AMD/microcode: Avoid use-after-free for the microcode buffer Andrew Cooper
2013-12-27 15:30 ` Boris Ostrovsky
2013-12-27 15:36 ` Andrew Cooper [this message]
2013-12-27 15:50 ` Boris Ostrovsky
2013-12-27 15:57 ` [Patch v2 " Andrew Cooper
2013-12-27 22:43 ` Matthew Daley
2013-12-28 11:24 ` Andrew Cooper
2013-12-28 11:28 ` [Patch v3 " Andrew Cooper
2013-12-27 14:57 ` [PATCH 4/4] VTD/DMAR: free() correct pointer on error from acpi_parse_one_atsr() Andrew Cooper