lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160227194430.GC19798@khazad-dum.debian.net>
Date:	Sat, 27 Feb 2016 16:44:30 -0300
From:	Henrique de Moraes Holschuh <hmh@....eng.br>
To:	Chris Bainbridge <chris.bainbridge@...il.com>
Cc:	Borislav Petkov <bp@...en8.de>, x86@...nel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] x86/microcode: Change checksum to u32

On Sat, 27 Feb 2016, Chris Bainbridge wrote:
> > So what is ubsan complaining about?
> 
>         /* calculate the checksum */
>         orig_sum = 0;
>         i = (MC_HEADER_SIZE + data_size) / DWSIZE;
>         while (i--)
>                 orig_sum += ((int *)mc)[i];
> 
> The checksum is the additive sum of all the 32-bit values, but 32-bit
> addition overflow is undefined for signed ints. For comparison the
> checksum function from iucode-tool uses u32:
> 
> intel_ucode_status_t intel_ucode_check_microcode(const void * const uc,
> int strict)
> {
> 	...
> 
>         uint32_t sum, orig_sum;
>         unsigned int i;
>         uint32_t *p;
> 
> 	...
> 
>         /* Calculate the checksum.  We exclude the extended table as it
>          * also has to have a zero checksum, in order to get better
>          * coverage */
>         orig_sum = 0;
>         i = (INTEL_UC_V1_HEADER_SIZE + data_size) / sizeof(uint32_t);
>         p = (uint32_t *)uc;
>         while (i--) {
>                 orig_sum  += *p;
>                 p++;
>         }

iucode-tool does it that way because:

[Excerpt from the Intel 64 and IA‐32 Architectures Software Developer's
Manual, Volume 3A: System Programming Guide]:

	9.11.5 Microcode Update Checksum

	Each microcode update contains a DWORD checksum located in the
	update header.  It is software’s responsibility to ensure that a
	microcode update is not corrupt.  To check for a corrupt microcode
	update, software must perform a unsigned DWORD (32-bit) checksum of
	the microcode update.

	Even though some fields are signed, the checksum procedure treats
	all DWORDs as unsigned.  Microcode updates with a header version
	equal to 00000001H must sum all DWORDs that comprise the microcode
	update.  A valid checksum check will yield a value of 00000000H. Any
	other value indicates the microcode update is corrupt and should not
	be loaded."


And "sum" will always overflow 32 bits on valid microcode, as the end result
must be zero and has to warp-around for that to happen.  Since the checksum
algorithm really needs modulo-2^32 addition, it is best to be upfront about
it...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ