From mboxrd@z Thu Jan 1 00:00:00 1970 From: Andrew Cooper Subject: [PATCH 4/4] x86/microcode_amd: Fail attempts to load a 0-length microcode blob. Date: Tue, 24 Sep 2013 13:10:38 +0100 Message-ID: <1380024638-14983-5-git-send-email-andrew.cooper3@citrix.com> References: <1380024638-14983-1-git-send-email-andrew.cooper3@citrix.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1380024638-14983-1-git-send-email-andrew.cooper3@citrix.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Xen-devel Cc: Andrew Cooper , Boris Ostrovsky , Keir Fraser , Suravee Suthikulpanit , Jan Beulich List-Id: xen-devel@lists.xenproject.org Coverity ID: 1055319 Coverity identified that when passed a microcode header with a length field of 0, get_ucode_from_buffer_amd() would end up calling memcpy(NULL, data, 0) which is undefined behaviour. While Xen's implementation of memcpy will do the correct thing in this case, any user trying to load a 0 length microcode blob deserves an -EINVAL. Signed-off-by: Andrew Cooper CC: Keir Fraser CC: Jan Beulich CC: Suravee Suthikulpanit CC: Boris Ostrovsky --- xen/arch/x86/microcode_amd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/microcode_amd.c b/xen/arch/x86/microcode_amd.c index a3ceef8..2c767a9 100644 --- a/xen/arch/x86/microcode_amd.c +++ b/xen/arch/x86/microcode_amd.c @@ -202,7 +202,7 @@ static int get_ucode_from_buffer_amd( return -EINVAL; } - if ( (off + mpbuf->len) > bufsize ) + if ( mpbuf->len == 0 || ((off + mpbuf->len) > bufsize) ) { printk(KERN_ERR "microcode: Bad data in microcode data file\n"); return -EINVAL; -- 1.7.10.4