[PATCH 15/16] x86/microcode/AMD: Check the equivalence table size when scanning it

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Borislav Petkov <bp@alien8.de>
To: X86 ML <x86@kernel.org>
Cc: "Maciej S . Szmigiero" <mail@maciej.szmigiero.name>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	LKML <linux-kernel@vger.kernel.org>
Subject: [PATCH 15/16] x86/microcode/AMD: Check the equivalence table size when scanning it
Date: Wed,  7 Nov 2018 18:02:17 +0100	[thread overview]
Message-ID: <20181107170218.7596-16-bp@alien8.de> (raw)
In-Reply-To: <20181107170218.7596-1-bp@alien8.de>

From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>

Currently, the code scanning the CPU equivalence table read from a
microcode container file assumes that it actually contains a terminating
zero entry.

Check also the size of this table to make sure that no reads past its
end happen, in case there's no terminating zero entry at the end of the
table.

Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
[ Adjust to new changes. ]
Signed-off-by: Borislav Petkov <bp@suse.de>
---
 arch/x86/kernel/cpu/microcode/amd.c | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
index 99c9928ec240..dc17a5f87f55 100644
--- a/arch/x86/kernel/cpu/microcode/amd.c
+++ b/arch/x86/kernel/cpu/microcode/amd.c
@@ -39,6 +39,7 @@
 #include <asm/msr.h>
 
 static struct equiv_cpu_table {
+	unsigned int num_entries;
 	struct equiv_cpu_entry *entry;
 } equiv_table;
 
@@ -67,13 +68,19 @@ ucode_path[] __maybe_unused = "kernel/x86/microcode/AuthenticAMD.bin";
 
 static u16 find_equiv_id(struct equiv_cpu_table *et, u32 sig)
 {
-	struct equiv_cpu_entry *entry = et->entry;
+	unsigned int i;
 
-	for (; entry && entry->installed_cpu; entry++) {
-		if (sig == entry->installed_cpu)
-			return entry->equiv_cpu;
-	}
+	if (!et || !et->num_entries)
+		return 0;
+
+	for (i = 0; i < et->num_entries; i++) {
+		struct equiv_cpu_entry *e = &et->entry[i];
 
+		if (sig == e->installed_cpu)
+			return e->equiv_cpu;
+
+		e++;
+	}
 	return 0;
 }
 
@@ -302,6 +309,7 @@ static size_t parse_container(u8 *ucode, size_t size, struct cont_desc *desc)
 	buf = ucode;
 
 	table.entry = (struct equiv_cpu_entry *)(buf + CONTAINER_HDR_SZ);
+	table.num_entries = hdr[2] / sizeof(struct equiv_cpu_entry);
 
 	/*
 	 * Find the equivalence ID of our CPU in this table. Even if this table
@@ -727,6 +735,7 @@ static size_t install_equiv_cpu_table(const u8 *buf, size_t buf_size)
 	}
 
 	memcpy(equiv_table.entry, buf + CONTAINER_HDR_SZ, equiv_tbl_len);
+	equiv_table.num_entries = equiv_tbl_len / sizeof(struct equiv_cpu_entry);
 
 	/* add header length */
 	return equiv_tbl_len + CONTAINER_HDR_SZ;
@@ -735,7 +744,7 @@ static size_t install_equiv_cpu_table(const u8 *buf, size_t buf_size)
 static void free_equiv_cpu_table(void)
 {
 	vfree(equiv_table.entry);
-	equiv_table.entry = NULL;
+	memset(&equiv_table, 0, sizeof(equiv_table));
 }
 
 static void cleanup(void)
-- 
2.19.1

next prev parent reply	other threads:[~2018-11-07 17:02 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-07 17:02 [PATCH 00/16] x86/microcode/AMD: Improve container verification Borislav Petkov
2018-11-07 17:02 ` [PATCH 01/16] x86/microcode/AMD: Subtract SECTION_HDR_SIZE from file leftover length Borislav Petkov
2018-11-07 17:02 ` [PATCH 02/16] x86/microcode/AMD: Add microcode container verification Borislav Petkov
2018-11-07 17:02 ` [PATCH 03/16] x86/microcode/AMD: Move verify_patch_size() up in the file Borislav Petkov
2018-11-19 10:14   ` [tip:x86/microcode] " tip-bot for Borislav Petkov
2018-11-07 17:02 ` [PATCH 04/16] x86/microcode/AMD: Clean up per-family patch size checks Borislav Petkov
2018-11-19 10:14   ` [tip:x86/microcode] " tip-bot for Borislav Petkov
2018-11-07 17:02 ` [PATCH 05/16] x86/microcode/AMD: Cleanup verify_patch_size() more Borislav Petkov
2018-11-19 10:15   ` [tip:x86/microcode] " tip-bot for Borislav Petkov
2018-11-07 17:02 ` [PATCH 06/16] x86/microcode/AMD: Concentrate patch verification Borislav Petkov
2018-11-19 10:15   ` [tip:x86/microcode] " tip-bot for Borislav Petkov
2018-11-07 17:02 ` [PATCH 07/16] x86/microcode/AMD: Simplify patch family detection Borislav Petkov
2018-11-19 10:16   ` [tip:x86/microcode] " tip-bot for Borislav Petkov
2018-11-07 17:02 ` [PATCH 08/16] x86/microcode/AMD: Move patch family check to verify_patch() Borislav Petkov
2018-11-19 10:16   ` [tip:x86/microcode] " tip-bot for Borislav Petkov
2018-11-07 17:02 ` [PATCH 09/16] x86/microcode/AMD: Move chipset-specific check into verify_patch() Borislav Petkov
2018-11-07 17:02 ` [PATCH 10/16] x86/microcode/AMD: Change verify_patch()'s return value Borislav Petkov
2018-11-19 10:18   ` [tip:x86/microcode] " tip-bot for Borislav Petkov
2018-11-07 17:02 ` [PATCH 11/16] x86/microcode/AMD: Convert early parser to the new verification routines Borislav Petkov
2018-11-19 10:18   ` [tip:x86/microcode] " tip-bot for Borislav Petkov
2018-11-07 17:02 ` [PATCH 12/16] x86/microcode/AMD: Fix container size's type Borislav Petkov
2018-11-10 20:59   ` kbuild test robot
2018-11-19 10:19   ` [tip:x86/microcode] " tip-bot for Borislav Petkov
2018-11-07 17:02 ` [PATCH 13/16] x86/microcode/AMD: Check microcode container data in the late loader Borislav Petkov
2018-11-19 10:19   ` [tip:x86/microcode] " tip-bot for Maciej S. Szmigiero
2018-11-07 17:02 ` [PATCH 14/16] x86/microcode/AMD: Convert CPU equivalence table variable into a struct Borislav Petkov
2018-11-19 10:20   ` [tip:x86/microcode] " tip-bot for Maciej S. Szmigiero
2018-11-07 17:02 ` Borislav Petkov [this message]
2018-11-19 10:20   ` [tip:x86/microcode] x86/microcode/AMD: Check the equivalence table size when scanning it tip-bot for Maciej S. Szmigiero
2018-11-07 17:02 ` [PATCH 16/16] x86/microcode/AMD: Update copyright Borislav Petkov
2018-11-19 10:21   ` [tip:x86/microcode] " tip-bot for Borislav Petkov
2018-11-25  9:50 ` [PATCH 00/16] x86/microcode/AMD: Improve container verification Pavel Machek

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:99c9928ec24 dfblob:dc17a5f87f5 )
 OR (
bs:"[PATCH 15/16] x86/microcode/AMD: Check the equivalence table size when scanning it" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181107170218.7596-16-bp@alien8.de \
    --to=bp@alien8.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mail@maciej.szmigiero.name \
    --cc=thomas.lendacky@amd.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox