From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
To: Aravind Gopalakrishnan <aravind.gopalakrishnan@amd.com>
Cc: keir@xen.org, Jan Beulich <JBeulich@suse.com>, xen-devel@lists.xen.org
Subject: Re: [PATCH V2] x86, amd_ucode: Support multiple container files appended together
Date: Wed, 25 Jun 2014 00:04:18 -0400
Message-ID: <53AA4A42.2090304@oracle.com>
In-Reply-To: <53A9FED0.7090203@amd.com>
On 06/24/2014 06:42 PM, Aravind Gopalakrishnan wrote:
> On 6/24/2014 2:23 AM, Jan Beulich wrote:
>
>>> @@ -272,14 +304,13 @@ static int get_ucode_from_buffer_amd(
>>> static int install_equiv_cpu_table(
>>> struct microcode_amd *mc_amd,
>>> - const uint32_t *buf,
>>> - size_t *offset)
>>> + const void *data,
>>> + size_t *curr_offset)
>> Is there any strong reason to rename "offset" to "curr_offset", ...
>
> No. Have fixed this.
>
>>> {
>>> + uint32_t *buf = (uint32_t *) (data + *curr_offset);
>>> const struct mpbhdr *mpbuf = (const struct mpbhdr *)&buf[1];
>>> - /* No more data */
>>> - if ( mpbuf->len + 12 >= *offset )
>>> - return -EINVAL;
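Review bot: dropping the `mpbuf->len + 12 >= *offset` check leaves this hunk with no bound at all on the read of `mpbuf` through `buf`, which is now computed as `data + *curr_offset` without any size argument in sight; on a truncated container `mpbuf->len` itself becomes an out-of-bounds read and any later copy of `mpbuf->len` bytes is unbounded. Pass the total buffer size into install_equiv_cpu_table() and reject the section before using it when `*curr_offset + 12 > size` or `mpbuf->len > size - *curr_offset - 12`. Minor: `uint32_t *buf = (uint32_t *) (data + *curr_offset)` discards the const of `data` (the old parameter was `const uint32_t *buf`), and arithmetic on `const void *` relies on a GCC extension; `const uint32_t *buf = (const uint32_t *)((const char *)data + *curr_offset)` keeps both honest.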
>> Iirc you and Boris agreed that this check is pointless _here_. But I
>> doubt it can be removed without replacement elsewhere.
>
> For single containers, this check made some sense earlier as we verify
> to see there is *some* data beyond the equivalent_table structure.
> Say, mpbuf->len=0 and we return error val; due to the fact that we
> have already advanced *offset, cases when we reach EOF or *offset goes
> over bufsize are handled in the container_fast_forward function.
>
> For multiple containers, we will always have at least two such
> container headers and hence, mpbuf->len + 12 is always less than
> total_size.
>
> If first container for some reason is corrupted and exposes
> mpbuf->len=0, we return EINVAL and forward to next container.
> (This is in fact one reason to advance *offset earlier. See below)
>
> Now, if the last container were to have mpbuf->len=0, as Boris
> mentioned on earlier thread, we will continue because
> 'if (0+12 >= tot_size)' is false. Here too, we will return EINVAL.
>
> Again, advancing *offset early allows us to work around these issues.
> And this check can be removed as a result.
Let's say we have a single container and the file got truncated (i.e.
bufsize in cpu_request_microcode() is smaller than it should be). Aren't
we now risking doing a memcpy out of too short a buffer?
-boris
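To make the truncation case concrete, here is an added example (not Xen's code) of what a bounds-checked version of this read looks like. It assumes the layout implied by the hunk's "+12", a 4-byte container magic followed by the 8-byte mpbhdr, and the magic and type constants in the comments are assumed values, not taken from the patch:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout assumed for this example, matching the "+12" in the hunk:
 * a 4-byte container magic followed by an 8-byte section header. */
#define UCODE_MAGIC      0x00414d44u  /* "DMA\0"; value assumed */
#define EQUIV_TABLE_TYPE 0u           /* value assumed */

struct mpbhdr {
    uint32_t type;
    uint32_t len;
    uint8_t data[];
};

/* Return the offset just past the equivalence table, or 0 on any bounds
 * failure. Every read is checked against bufsize before it is made, so a
 * truncated file is rejected instead of being read past its end. */
size_t equiv_table_end(const void *data, size_t bufsize, size_t offset)
{
    const uint8_t *p = data;
    uint32_t magic;
    struct mpbhdr hdr;

    /* Magic and header must both lie inside the buffer. */
    if ( offset > bufsize || bufsize - offset < sizeof(magic) + sizeof(hdr) )
        return 0;
    memcpy(&magic, p + offset, sizeof(magic));
    memcpy(&hdr, p + offset + sizeof(magic), sizeof(hdr));
    if ( magic != UCODE_MAGIC || hdr.type != EQUIV_TABLE_TYPE )
        return 0;
    offset += sizeof(magic) + sizeof(hdr);

    /* hdr.len comes from the file: compare it against the space left
     * rather than adding it to offset, which could wrap. */
    if ( hdr.len == 0 || hdr.len > bufsize - offset )
        return 0;
    return offset + hdr.len;   /* a memcpy of hdr.len bytes is now safe */
}

/* Constructed sample container: magic, header (type 0, len 16), 16 bytes. */
static const uint8_t sample[] = {
    0x44, 0x4d, 0x41, 0x00,   0, 0, 0, 0,   16, 0, 0, 0,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};

size_t sample_intact(void)    { return equiv_table_end(sample, sizeof(sample), 0); }     /* 28 */
size_t sample_truncated(void) { return equiv_table_end(sample, sizeof(sample) - 4, 0); } /* 0 */
size_t sample_no_header(void) { return equiv_table_end(sample, 10, 0); }                 /* 0 */
```

The truncated case is exactly the one raised above: the header parses, but hdr.len no longer fits in what remains of the buffer, so the copy is refused rather than run off the end.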
Thread overview:
2014-06-23 20:25 [PATCH V2] x86, amd_ucode: Support multiple container files appended together - Aravind Gopalakrishnan
2014-06-24 7:23 ` Jan Beulich
2014-06-24 22:42 ` Aravind Gopalakrishnan
2014-06-25 4:04 ` Boris Ostrovsky [this message]
2014-06-25 14:49 ` Aravind Gopalakrishnan
2014-06-25 10:47 ` Jan Beulich
2014-06-25 14:54 ` Aravind Gopalakrishnan