lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20180320154147.GA6815@cz.tnic>
Date:   Tue, 20 Mar 2018 16:41:47 +0100
From:   Borislav Petkov <bp@...en8.de>
To:     "Maciej S. Szmigiero" <mail@...iej.szmigiero.name>
Cc:     Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>, x86@...nel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4 02/10] x86/microcode/AMD: Check equivalence table
 length in the early loader

On Fri, Mar 16, 2018 at 12:07:50AM +0100, Maciej S. Szmigiero wrote:
> Before loading a CPU equivalence table from a microcode container file we
> need to verify whether this file is actually large enough to contain the
> table of a size indicated in this file.
> If it is not, there is no point of continuing with loading it since
> microcode patches are located after the equivalence table anyway.
> 
> This patch adds these checks to the early loader.
> 
> Signed-off-by: Maciej S. Szmigiero <mail@...iej.szmigiero.name>
> ---
>  arch/x86/kernel/cpu/microcode/amd.c | 35 +++++++++++++++++++++++------------
>  1 file changed, 23 insertions(+), 12 deletions(-)
> 
> diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
> index 6a93be0f771c..138c9fb983f2 100644
> --- a/arch/x86/kernel/cpu/microcode/amd.c
> +++ b/arch/x86/kernel/cpu/microcode/amd.c
> @@ -80,20 +80,33 @@ static u16 find_equiv_id(struct equiv_cpu_entry *equiv_table, u32 sig)
>   * Returns the amount of bytes consumed while scanning. @desc contains all the
>   * data we're going to use in later stages of the application.
>   */
> -static ssize_t parse_container(u8 *ucode, ssize_t size, struct cont_desc *desc)
> +static size_t parse_container(u8 *ucode, size_t size, struct cont_desc *desc)
>  {
>  	struct equiv_cpu_entry *eq;
> -	ssize_t orig_size = size;
> +	size_t orig_size = size;
>  	u32 *hdr = (u32 *)ucode;
> +	unsigned int cont_magic, cont_type;
> +	size_t equiv_tbl_len;
>  	u16 eq_id;
>  	u8 *buf;
>  
> +	if (size < CONTAINER_HDR_SZ)
> +		return 0;
> +
> +	cont_magic	= hdr[0];
> +	cont_type	= hdr[1];
> +	equiv_tbl_len	= hdr[2];

All three are u32.

>  	/* Am I looking at an equivalence table header? */
> -	if (hdr[0] != UCODE_MAGIC ||
> -	    hdr[1] != UCODE_EQUIV_CPU_TABLE_TYPE ||
> -	    hdr[2] == 0)
> +	if (cont_magic != UCODE_MAGIC ||
> +	    cont_type != UCODE_EQUIV_CPU_TABLE_TYPE ||
> +	    equiv_tbl_len == 0)
>  		return CONTAINER_HDR_SZ;
>  
> +	if (equiv_tbl_len < sizeof(*eq) ||

If you do this, then the above == 0 check can go.

> +	    size - CONTAINER_HDR_SZ < equiv_tbl_len)
> +		return size;
> +
>  	buf = ucode;
>  
>  	eq = (struct equiv_cpu_entry *)(buf + CONTAINER_HDR_SZ);

-- 
Regards/Gruss,
    Boris.

ECO tip #101: Trim your mails when you reply. Srsly.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ