From: Andrew Cooper
To: Xen-devel
Cc: Andrew Cooper, Wei Liu, Jan Beulich, Roger Pau Monné
Date: Sat, 28 Mar 2020 15:29:54 +0000
Message-ID: <20200328152954.6224-1-andrew.cooper3@citrix.com>
Subject: [Xen-devel] [PATCH] x86/ucode/amd: Fix more potential buffer overruns with microcode parsing

cpu_request_microcode() doesn't know the buffer is at least 4 bytes long
before inspecting UCODE_MAGIC.

install_equiv_cpu_table() doesn't know the boundary of the buffer it is
interpreting as an equivalency table. This case was clearly observed at one
point in the past, given the subsequent overrun detection, but without
comprehending that the damage was already done.

Make the logic consistent with container_fast_forward() and pass size_left in
to install_equiv_cpu_table().

Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
---
CC: Jan Beulich
CC: Wei Liu
CC: Roger Pau Monné
---
 xen/arch/x86/cpu/microcode/amd.c | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/= amd.c index 6bf3a054d3..796745e928 100644 --- a/xen/arch/x86/cpu/microcode/amd.c +++ b/xen/arch/x86/cpu/microcode/amd.c
@@ -303,11 +303,20 @@ static int get_ucode_from_buffer_amd( static int install_equiv_cpu_table( struct microcode_amd *mc_amd, const void *data, + size_t size_left, size_t *offset) { - const struct mpbhdr *mpbuf =3D data + *offset + 4; + const struct mpbhdr *mpbuf; const struct equiv_cpu_entry *eq; =20 + if ( size_left < (sizeof(*mpbuf) + 4) || + (mpbuf =3D data + *offset + 4, + size_left - sizeof(*mpbuf) - 4 < mpbuf->len) ) + { + printk(XENLOG_WARNING "microcode: No space for equivalent cpu tabl= e\n"); + return -EINVAL; + } + *offset +=3D mpbuf->len + CONT_HDR_SIZE; /* add header length */ =20 if ( mpbuf->type !=3D UCODE_EQUIV_CPU_TABLE_TYPE ) @@ -417,7 +426,8 @@ static struct microcode_patch *cpu_request_microcode(co= nst void *buf, =20 current_cpu_id =3D cpuid_eax(0x00000001); =20 - if ( *(const uint32_t *)buf !=3D UCODE_MAGIC ) + if ( bufsize < 4 || + *(const uint32_t *)buf !=3D UCODE_MAGIC ) { printk(KERN_ERR "microcode: Wrong microcode patch file magic\n"); error =3D -EINVAL; @@ -447,24 +457,13 @@ static struct microcode_patch *cpu_request_microcode(= const void *buf, */ while ( offset < bufsize ) { - error =3D install_equiv_cpu_table(mc_amd, buf, &offset); + error =3D install_equiv_cpu_table(mc_amd, buf, bufsize - offset, &= offset); if ( error ) { printk(KERN_ERR "microcode: installing equivalent cpu table fa= iled\n"); break; } =20 - /* - * Could happen as we advance 'offset' early - * in install_equiv_cpu_table - */ - if ( offset > bufsize ) - { - printk(KERN_ERR "microcode: Microcode buffer overrun\n"); - error =3D -EINVAL; - break; - } - if ( find_equiv_cpu_id(mc_amd->equiv_cpu_table, current_cpu_id, &equiv_cpu_id) ) break; --=20 2.11.0
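
Review bot: In the first hunk (install_equiv_cpu_table), the new bounds check assigns mpbuf inside the condition through the comma operator, so the safety of reading mpbuf->len and of the unsigned subtraction size_left - sizeof(*mpbuf) - 4 depends on clause ordering that is easy to disturb in a later edit. Splitting it into two plain if statements, the first rejecting a buffer shorter than sizeof(*mpbuf) + 4 and the second rejecting an mpbuf->len larger than the remainder, would make that ordering explicit and allow a distinct warning for a truncated header versus an oversized table length. Note also that mpbuf->type is still only checked after *offset has been advanced, so a caller sees a moved offset even when the function goes on to reject the table type.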
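
Review bot: In the second hunk (cpu_request_microcode), the bare 4 in "bufsize < 4" would be clearer as sizeof(uint32_t), matching the cast on the following line that it is guarding. A buffer that is too short now takes the same path as a bad magic value and logs "Wrong microcode patch file magic", which is worth a short comment so that a truncated blob is not misdiagnosed from the log alone.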
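
Review bot: In the third hunk (the while loop), removing the "offset > bufsize" check is only safe if the amount install_equiv_cpu_table() adds to *offset, mpbuf->len + CONT_HDR_SIZE, never exceeds what its new check validated, sizeof(*mpbuf) + 4 + mpbuf->len. That equality between CONT_HDR_SIZE and sizeof(*mpbuf) + 4 is not visible in this patch, so a BUILD_BUG_ON tying the two together, or an ASSERT(offset <= bufsize) after the call, would document the invariant the deleted check used to enforce. The bufsize - offset argument itself cannot underflow, since the loop condition guarantees offset < bufsize at the call.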