From: tip-bot for Quentin Casasnovas <tipbot@zytor.com>
To: linux-tip-commits@vger.kernel.org
Cc: quentin.casasnovas@oracle.com, linux-kernel@vger.kernel.org,
tglx@linutronix.de, mingo@kernel.org, hpa@zytor.com, bp@suse.de
Subject: [tip:x86/microcode] x86/microcode/intel: Fix out of bounds memory access to the extended header
Date: Tue, 3 Mar 2015 05:00:33 -0800
Message-ID: <tip-d496a002ae1f02425168e5211c237abee588651a@git.kernel.org>
In-Reply-To: <20150225094125.GB30434@chrystal.uk.oracle.com>
Commit-ID: d496a002ae1f02425168e5211c237abee588651a
Gitweb: http://git.kernel.org/tip/d496a002ae1f02425168e5211c237abee588651a
Author: Quentin Casasnovas <quentin.casasnovas@oracle.com>
AuthorDate: Thu, 26 Feb 2015 18:03:59 +0100
Committer: Borislav Petkov <bp@suse.de>
CommitDate: Mon, 2 Mar 2015 20:30:42 +0100

x86/microcode/intel: Fix out of bounds memory access to the extended header

Improper pointer arithmetic when calculating the address of the
extended header could lead to an out of bounds memory read and kernel
panic.

Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Link: http://lkml.kernel.org/r/20150225094125.GB30434@chrystal.uk.oracle.com
Signed-off-by: Borislav Petkov <bp@suse.de>
---
arch/x86/kernel/cpu/microcode/intel_early.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/arch/x86/kernel/cpu/microcode/intel_early.c b/arch/x86/kernel/cpu/microcode/intel_early.c
index 420eb93..3a6c613 100644
--- a/arch/x86/kernel/cpu/microcode/intel_early.c
+++ b/arch/x86/kernel/cpu/microcode/intel_early.c
@@ -180,8 +180,7 @@ matching_model_microcode(struct microcode_header_intel *mc_header,
if (total_size <= data_size + MC_HEADER_SIZE)
return UCODE_NFOUND;
- ext_header = (struct extended_sigtable *)
- mc_header + data_size + MC_HEADER_SIZE;
+ ext_header = (void *) mc_header + data_size + MC_HEADER_SIZE;
ext_sigcount = ext_header->count;
ext_sig = (void *)ext_header + EXT_HEADER_SIZE;
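Review bot: the guard above the corrected assignment, `if (total_size <= data_size + MC_HEADER_SIZE)`, only proves that at least one byte follows the header and data, not that a whole extended header does, so `ext_header->count` on the next line can still read past the end of a blob whose tail is shorter than EXT_HEADER_SIZE unless that was validated before this function, which these lines do not show. Consider returning UCODE_NFOUND when `total_size < data_size + MC_HEADER_SIZE + EXT_HEADER_SIZE`, and bounding `ext_sigcount` against the remaining bytes before `ext_sig` is walked. The commit message would also be clearer if it said why the old expression was wrong: the cast to `struct extended_sigtable *` was applied before the addition, so the byte offset was scaled by the size of that structure.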
@@ -457,8 +456,7 @@ static void __ref show_saved_mc(void)
if (total_size <= data_size + MC_HEADER_SIZE)
continue;
- ext_header = (struct extended_sigtable *)
- mc_saved_header + data_size + MC_HEADER_SIZE;
+ ext_header = (void *) mc_saved_header + data_size + MC_HEADER_SIZE;
ext_sigcount = ext_header->count;
ext_sig = (void *)ext_header + EXT_HEADER_SIZE;
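Review bot: the offset computation in show_saved_mc() is a copy of the one in matching_model_microcode(), with the same guard and the same two follow-up lines, which is how one arithmetic mistake ended up in two places. A small helper that takes the header pointer and `data_size` and returns the extended header (or NULL when `total_size` leaves no room for it) would keep the byte-offset arithmetic and its bounds check in a single spot. Minor style point: the new line writes the cast as `(void *) mc_saved_header` with a space, while the context line right below uses `(void *)ext_header`; pick one form.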