lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180430090447.GA6509@pd.tnic>
Date:   Mon, 30 Apr 2018 11:04:47 +0200
From:   Borislav Petkov <bp@...en8.de>
To:     "Maciej S. Szmigiero" <mail@...iej.szmigiero.name>
Cc:     Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>, x86@...nel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v5 2/6] x86/microcode/AMD: Add microcode container data
 checking functions

On Mon, Apr 23, 2018 at 11:34:07PM +0200, Maciej S. Szmigiero wrote:
> This commit adds verify_container(), verify_equivalence_table(),

Avoid beginning the commit message of a patch with "This patch" or "This
commit". It is tautologically useless.

> verify_patch_section() and verify_patch() functions to the AMD microcode
> update driver.
> These functions check whether a passed buffer contains the relevant
> structure, whether it isn't truncated and (for actual microcode patches)
> whether the size of a patch is not too large for a particular CPU family.
> By adding these checks as separate functions the actual microcode loading
> code won't get interspersed with a lot of checks and so will be more
> readable.
> 
> Signed-off-by: Maciej S. Szmigiero <mail@...iej.szmigiero.name>
> ---
>  arch/x86/kernel/cpu/microcode/amd.c | 140 +++++++++++++++++++++++++++++++++++-
>  1 file changed, 137 insertions(+), 3 deletions(-)
> 
> diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
> index dc8ea9a9d962..4fafaf0852d7 100644
> --- a/arch/x86/kernel/cpu/microcode/amd.c
> +++ b/arch/x86/kernel/cpu/microcode/amd.c
> @@ -73,6 +73,142 @@ static u16 find_equiv_id(struct equiv_cpu_entry *equiv_table, u32 sig)
>  	return 0;
>  }
>  
> +/*
> + * Checks whether there is a valid microcode container file at the beginning
> + * of a passed buffer @buf of size @size.
> + * If @early is set this function does not print errors which makes it
> + * usable by the early microcode loader.
> + */
> +static bool verify_container(const u8 *buf, size_t buf_size, bool early)
> +{
> +	u32 cont_magic;
> +
> +	if (buf_size <= CONTAINER_HDR_SZ) {
> +		if (!early)
> +			pr_err("Truncated microcode container header.\n");
> +
> +		return false;
> +	}
> +
> +	cont_magic = *(const u32 *)buf;
> +	if (cont_magic != UCODE_MAGIC) {
> +		if (!early)
> +			pr_err("Invalid magic value (0x%08x).\n", cont_magic);
> +
> +		return false;
> +	}
> +
> +	return true;
> +}
> +
> +/*
> + * Checks whether there is a valid, non-truncated CPU equivalence table
> + * at the beginning of a passed buffer @buf of size @size.
> + * If @early is set this function does not print errors which makes it
> + * usable by the early microcode loader.
> + */
> +static bool verify_equivalence_table(const u8 *buf, size_t buf_size, bool early)
> +{
> +	const u32 *hdr = (const u32 *)buf;
> +	u32 cont_type, equiv_tbl_len;
> +
> +	cont_type = hdr[1];

You need to check the size of buf so that there's enough buf passed in
before you index into it like that.

> +	if (cont_type != UCODE_EQUIV_CPU_TABLE_TYPE) {
> +		if (!early)
> +			pr_err("Wrong microcode container equivalence table type: %u.\n",
> +			       cont_type);
> +
> +		return false;
> +	}
> +
> +	equiv_tbl_len = hdr[2];

And that.

> +	if (equiv_tbl_len < sizeof(struct equiv_cpu_entry) ||
> +	    buf_size - CONTAINER_HDR_SZ < equiv_tbl_len) {
> +		if (!early)
> +			pr_err("Truncated equivalence table.\n");
> +
> +		return false;
> +	}
> +
> +	return true;
> +}
> +
> +/*
> + * Checks whether there is a valid, non-truncated microcode patch section
> + * at the beginning of a passed buffer @buf of size @size.
> + * If @early is set this function does not print errors which makes it
> + * usable by the early microcode loader.
> + */
> +static bool verify_patch_section(const u8 *buf, size_t buf_size, bool early)
> +{
> +	const u32 *hdr = (const u32 *)buf;
> +	u32 patch_type, patch_size;
> +
> +	if (buf_size < SECTION_HDR_SIZE) {
> +		if (!early)
> +			pr_err("Truncated patch section.\n");
> +
> +		return false;
> +	}
> +
> +	patch_type = hdr[0];
> +	patch_size = hdr[1];
> +
> +	if (patch_type != UCODE_UCODE_TYPE) {
> +		if (!early)
> +			pr_err("Invalid type field (%u) in container file section header.\n",
> +				patch_type);
> +
> +		return false;
> +	}
> +
> +	if (patch_size < sizeof(struct microcode_header_amd)) {
> +		if (!early)
> +			pr_err("Patch of size %u too short.\n", patch_size);
> +
> +		return false;
> +	}
> +
> +	if (buf_size - SECTION_HDR_SIZE < patch_size) {
> +		if (!early)
> +			pr_err("Patch of size %u truncated.\n", patch_size);
> +
> +		return false;
> +	}
> +
> +	return true;
> +}
> +
> +static unsigned int verify_patch_size(u8 family, u32 patch_size,
> +				      unsigned int size);

No forward declarations pls.

> +
> +/*
> + * Checks whether a microcode patch located at the beginning of a passed
> + * buffer @buf of size @size is not too large for a particular @family
> + * and is not truncated.
> + * If @early is set this function does not print errors which makes it
> + * usable by the early microcode loader.
> + */
> +static bool verify_patch(u8 family, const u8 *buf, size_t buf_size, bool early)
> +{
> +	const u32 *hdr = (const u32 *)buf;
> +	u32 patch_size = hdr[1];

Just like in the first comment above.

> +
> +	/*
> +	 * The section header length is not included in this indicated size
> +	 * but is present in the leftover file length so we need to subtract
> +	 * it before passing this value to the function below.
> +	 */
> +	if (!verify_patch_size(family, patch_size, buf_size - SECTION_HDR_SIZE)) {
> +		if (!early)
> +			pr_err("Patch of size %u too large.\n", patch_size);
> +
> +		return false;
> +	}
> +
> +	return true;
> +}

-- 
Regards/Gruss,
    Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ