lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 14 Apr 2011 10:18:54 +0200
From:	Borislav Petkov <bp@...64.org>
To:	Ben Hutchings <ben@...adent.org.uk>
Cc:	"Ostrovsky, Boris" <Boris.Ostrovsky@....com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"stable@...nel.org" <stable@...nel.org>,
	"akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
	"torvalds@...ux-foundation.org" <torvalds@...ux-foundation.org>,
	"stable-review@...nel.org" <stable-review@...nel.org>,
	"alan@...rguk.ukuu.org.uk" <alan@...rguk.ukuu.org.uk>,
	Greg KH <gregkh@...e.de>,
	"Herrmann3, Andreas" <Andreas.Herrmann3@....com>
Subject: Re: [Stable-review] [56/74] x86, microcode, AMD: Extend ucode size
 verification

On Thu, Apr 14, 2011 at 03:41:25AM -0400, Borislav Petkov wrote:

[..]

> > > +static unsigned int verify_ucode_size(int cpu, const u8 *buf, unsigned int size)
> > > +{
> > > +	struct cpuinfo_x86 *c = &cpu_data(cpu);
> > > +	unsigned int max_size, actual_size;
> > > +
> > > +#define F1XH_MPB_MAX_SIZE 2048
> > > +#define F14H_MPB_MAX_SIZE 1824
> > > +#define F15H_MPB_MAX_SIZE 4096
> > > +
> > > +	switch (c->x86) {
> > > +	case 0x14:
> > > +		max_size = F14H_MPB_MAX_SIZE;
> > > +		break;
> > > +	case 0x15:
> > > +		max_size = F15H_MPB_MAX_SIZE;
> > > +		break;
> > > +	default:
> > > +		max_size = F1XH_MPB_MAX_SIZE;
> > > +		break;
> > > +	}
> > > +
> > > +	actual_size = buf[4] + (buf[5] << 8);
> > > +
> > > +	if (actual_size > size || actual_size > max_size) {
> > 
> > Surely:
> > 
> > 	if (actual_size + UCODE_CONTAINER_SECTION_HDR > size || ...
> 
> Well, not really because the UCODE_CONTAINER_SECTION_HDR is just 8 bytes
> of patch header before each ucode patch and we don't copy it. So the
> first part of the check is to see whether the ucode patch we're looking
> at is incomplete and the ucode file is truncated.
> 
> That's why we skip the 8 bytes when we do get_ucode_data() later.

Actually, scratch that. I think you're right - this is a bug in the
original code since the check there ignored those 8 bytes too:

        total_size = (unsigned long) (section_hdr[4] + (section_hdr[5] << 8));

        printk(KERN_DEBUG "microcode: size %u, total_size %u\n",
               size, total_size);

        if (total_size > size || total_size > UCODE_MAX_SIZE) {
                printk(KERN_ERR "microcode: error: size mismatch\n");
                return NULL;
        }

Btw, while staring at it, I've found another discrepancy that needs to
be fixed, I'll whip up a patch soon.

Thanks.

-- 
Regards/Gruss,
Boris.

Advanced Micro Devices GmbH
Einsteinring 24, 85609 Dornach
General Managers: Alberto Bozzo, Andrew Bowd
Registration: Dornach, Gemeinde Aschheim, Landkreis Muenchen
Registergericht Muenchen, HRB Nr. 43632
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ