Note: I believe this change only applies to stable backports.
For kernels compiled with CONFIG_INIT_STACK_NONE=y, the value of __reserved
bitfield in zen_patch_rev union on the stack may be garbage. If so, it will
prevent correct microcode check when consulting p.ucode_rev, resulting in
incorrect mitigation selection.
Signed-off-by: Michael Zhivich <mzhivich@akamai.com>
Fixes: 7a0395f6607a ("x86/bugs: Add a Transient Scheduler Attacks mitigation")
---
arch/x86/kernel/cpu/amd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index efd42ee9d1cc..91b21814ce8c 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -371,7 +371,7 @@ static void bsp_determine_snp(struct cpuinfo_x86 *c)
static bool amd_check_tsa_microcode(void)
{
struct cpuinfo_x86 *c = &boot_cpu_data;
- union zen_patch_rev p;
+ union zen_patch_rev p = {0};
u32 min_rev = 0;
p.ext_fam = c->x86 - 0xf;
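Review bot: The new "= {0}" initializer on "union zen_patch_rev p" has no comment, and nothing in the hunk tells a later reader that it is there for the __reserved bits rather than for the fields assigned right below it, starting with "p.ext_fam = c->x86 - 0xf;". A cleanup that sees those fields being written could drop the initializer as redundant and bring the garbage back on CONFIG_INIT_STACK_NONE=y builds. Add a one-line comment at the declaration stating that __reserved is not assigned in this function and must read as 0 when p.ucode_rev is consulted, or clear p.__reserved explicitly next to the field assignments so the intent is visible where the value is built.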
--
2.34.1
On Mon, Jul 21, 2025 at 07:07:12PM -0400, Michael Zhivich wrote:
> Note: I believe this change only applies to stable backports.

Right, I need to go look in detail which of the 5.10-6.12 stable trees which
got this variant, do have CONFIG_INIT_STACK_NONE.

> For kernels compiled with CONFIG_INIT_STACK_NONE=y, the value of __reserved
> bitfield in zen_patch_rev union on the stack may be garbage. If so, it will
> prevent correct microcode check when consulting p.ucode_rev, resulting in
> incorrect mitigation selection.

Uuuh, nasty. Good catch.

> Signed-off-by: Michael Zhivich <mzhivich@akamai.com>
> Fixes: 7a0395f6607a ("x86/bugs: Add a Transient Scheduler Attacks mitigation")
> ---
> arch/x86/kernel/cpu/amd.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
> index efd42ee9d1cc..91b21814ce8c 100644
> --- a/arch/x86/kernel/cpu/amd.c
> +++ b/arch/x86/kernel/cpu/amd.c
> @@ -371,7 +371,7 @@ static void bsp_determine_snp(struct cpuinfo_x86 *c)
> static bool amd_check_tsa_microcode(void)
> {
> struct cpuinfo_x86 *c = &boot_cpu_data;
> - union zen_patch_rev p;
> + union zen_patch_rev p = {0};

Instead of doing this...

> u32 min_rev = 0;
>
> p.ext_fam = c->x86 - 0xf;

... you should assign __reserved here to 0 too and put a comment above it why
we're doing that. This will save us the init writes to 0 which get overwritten
with the actual f/m/s anyway.

Thx.

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette
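The failure mode discussed in this thread, as an added userspace example that is not code from the patch or the kernel tree: it shows how leftover stack bytes in __reserved change the value read through ucode_rev, and that both the zero initializer and an explicit __reserved = 0 give the same clean key. Assumptions: the bitfield layout and widths, the field assignments other than ext_fam, the helper names, the sample family/model/stepping, and the lookup values are all constructed for illustration; the memset stands in deterministically for uninitialized stack contents.

```c
#include <stdint.h>
#include <string.h>

/* Assumed layout; the page names only __reserved, ext_fam and ucode_rev. */
union patch_rev {
	struct {
		unsigned int rev : 8, stepping : 4, model : 4,
			     __reserved : 4, ext_model : 4, ext_fam : 8;
	};
	uint32_t ucode_rev;
};

/* Assign every named field except __reserved (assumed field set). */
static void fill(union patch_rev *p, unsigned fam, unsigned model, unsigned step)
{
	p->ext_fam = fam - 0xf;
	p->ext_model = model >> 4;
	p->model = model & 0xf;
	p->stepping = step;
	p->rev = 0;
}

/* No initializer: 'stale' is a stand-in for whatever the stack slot held. */
uint32_t key_on_stale_stack(unsigned char stale, int clear_reserved,
			    unsigned fam, unsigned model, unsigned step)
{
	union patch_rev p;
	memset(&p, stale, sizeof(p));
	fill(&p, fam, model, step);
	if (clear_reserved)
		p.__reserved = 0;	/* the alternative raised in the reply */
	return p.ucode_rev;
}

/* The patch as posted: zero the whole union before filling it. */
uint32_t key_zeroed(unsigned fam, unsigned model, unsigned step)
{
	union patch_rev p = {0};
	fill(&p, fam, model, step);
	return p.ucode_rev;
}

/* Constructed lookup: 0 means no entry matched, so the check cannot pass. */
uint32_t min_rev_for(uint32_t key)
{
	return key == 0x0a101100 ? 0x0a101140 : 0;
}

int main(void) { return min_rev_for(key_zeroed(0x19, 0x11, 1)) ? 0 : 1; }
```

A stale byte of 0x00 yields the clean key as well, which is why the bug only shows up when the stack slot happens to hold nonzero bits.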