Re: [PATCH 4/4] x86/microcode_amd: Fail attempts to load a 0-length microcode blob.

xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed

From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
	Keir Fraser <keir@xen.org>,
	Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>,
	xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: [PATCH 4/4] x86/microcode_amd: Fail attempts to load a 0-length microcode blob.
Date: Tue, 24 Sep 2013 10:26:41 -0400	[thread overview]
Message-ID: <5241A121.2000607@oracle.com> (raw)
In-Reply-To: <5241AD7A02000078000F5E40@nat28.tlf.novell.com>

On 09/24/2013 09:19 AM, Jan Beulich wrote:
>>>> On 24.09.13 at 14:10, Andrew Cooper <andrew.cooper3@citrix.com> wrote:
>> Coverity ID: 1055319
>>
>> Coverity identified that when passed a microcode header with a length field of
>> 0, get_ucode_from_buffer_amd() would end up calling memcpy(NULL, data, 0)
>> which is undefined behaviour.
> I think that's at least questionable: memcpy(..., 0) can hardly be
> anything but a no-op, no matter whether either of the two pointers
> in fact is a NULL one.

I think what this patch is trying to prevent is passing NULL pointer to 
memcpy,
not length being zero (if you follow the logic in 
get_ucode_from_buffer_amd() you
will see that destination buffer may not be allocated when length is zero).

AMD APM says

   REP. The REP prefix repeats its associated string instruction the number
   of times specified in the counter register (rCX). It terminates the
   repetition when the value in rCX reaches 0.

So presumably rCX is checked before rDI and memcpy would indeed be a nop.

Still, I think in this particular case (destination can be NULL) the 
patch is
a good thing since we usually (often) check before passing NULL pointer to
routines. Alternatively, we can check 'if (mc_amd->mpb != NULL)'.

-boris

>
> That's not to say that I disagree that strict reading of the C standard
> may indeed yield this undefined, but I don't think we are to hunt
> down all such undefined-nesses. The tool should really stay away
> from hair-splitting, and concentrate on pointing out real issues.
>
> Jan
>
>> While Xen's implementation of memcpy will do the correct thing in this case,
>> any user trying to load a 0 length microcode blob deserves an -EINVAL.
>>
>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
>> CC: Keir Fraser <keir@xen.org>
>> CC: Jan Beulich <JBeulich@suse.com>
>> CC: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
>> CC: Boris Ostrovsky <boris.ostrovsky@oracle.com>
>> ---
>>   xen/arch/x86/microcode_amd.c |    2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/xen/arch/x86/microcode_amd.c b/xen/arch/x86/microcode_amd.c
>> index a3ceef8..2c767a9 100644
>> --- a/xen/arch/x86/microcode_amd.c
>> +++ b/xen/arch/x86/microcode_amd.c
>> @@ -202,7 +202,7 @@ static int get_ucode_from_buffer_amd(
>>           return -EINVAL;
>>       }
>>   
>> -    if ( (off + mpbuf->len) > bufsize )
>> +    if ( mpbuf->len == 0 || ((off + mpbuf->len) > bufsize) )
>>       {
>>           printk(KERN_ERR "microcode: Bad data in microcode data file\n");
>>           return -EINVAL;
>> -- 
>> 1.7.10.4
>
>

next prev parent reply	other threads:[~2013-09-24 14:24 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-09-24 12:10 [PATCH 0/4] Misc Xen fixes identified by Coverity Andrew Cooper
2013-09-24 12:10 ` [PATCH 1/4] xen/irq: irq_to_desc() can't return NULL Andrew Cooper
2013-09-24 13:05   ` Jan Beulich
2013-09-24 12:10 ` [PATCH 2/4] x86/hap: Remove bogus assertion in hap_free_p2m_page() Andrew Cooper
2013-09-24 12:26   ` Tim Deegan
2013-09-24 12:10 ` [PATCH 3/4] common/page_alloc: Remove node id ASSERT()s Andrew Cooper
2013-09-24 13:13   ` Jan Beulich
2013-09-24 12:10 ` [PATCH 4/4] x86/microcode_amd: Fail attempts to load a 0-length microcode blob Andrew Cooper
2013-09-24 13:19   ` Jan Beulich
2013-09-24 14:26     ` Boris Ostrovsky [this message]
2013-09-24 14:31       ` Jan Beulich
2013-09-24 14:31       ` Andrew Cooper

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5241A121.2000607@oracle.com \
    --to=boris.ostrovsky@oracle.com \
    --cc=JBeulich@suse.com \
    --cc=andrew.cooper3@citrix.com \
    --cc=keir@xen.org \
    --cc=suravee.suthikulpanit@amd.com \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).