lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <a2275167-f650-b73f-0de8-1aa78b3281ed@maciej.szmigiero.name>
Date:   Sat, 23 Jun 2018 00:33:24 +0200
From:   "Maciej S. Szmigiero" <mail@...iej.szmigiero.name>
To:     Borislav Petkov <bp@...en8.de>
Cc:     Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>, x86@...nel.org,
        linux-kernel@...r.kernel.org
Subject: [PATCH 2/2] x86/microcode/AMD: Check patch size for all known CPU
 families

Previously, the AMD microcode update driver has only checked the indicated
microcode patch size for patches for the currently running CPU family.
Patches for other families had their size trusted without further
verification.

Introduce such check for all CPU families known to the driver so if we spot
a patch that is longer than expected for its family we'll carefully skip
over only the expected length to make sure we don't miss good patches in
case the indicated patch size was something nonsensically huge.

Signed-off-by: Maciej S. Szmigiero <mail@...iej.szmigiero.name>
---
This is part 2/2 of a replacement for
"[PATCH v7 3/9] x86/microcode/AMD: Integrate verify_patch_size() into verify_patch()".

 arch/x86/kernel/cpu/microcode/amd.c | 67 ++++++++++++++++-------------
 1 file changed, 37 insertions(+), 30 deletions(-)

diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
index 53820b92aabb..04a298da4c21 100644
--- a/arch/x86/kernel/cpu/microcode/amd.c
+++ b/arch/x86/kernel/cpu/microcode/amd.c
@@ -201,43 +201,31 @@ static bool verify_patch(u8 family, const u8 *buf, size_t buf_size,
 	hdr = (const u32 *)buf;
 	patch_size = hdr[1];
 
-	if (buf_size - SECTION_HDR_SIZE < patch_size) {
+	if (buf_size - SECTION_HDR_SIZE < sizeof(*mc_hdr)) {
 		if (!early)
-			pr_err("Patch of size %u truncated.\n", patch_size);
+			pr_err("Truncated patch header.\n");
 
 		*crnt_size = buf_size;
 		return false;
 	}
 
-	/*
-	 * Set a patch length limit of slightly less than U32_MAX to
-	 * prevent overflowing 32-bit variables holding the whole
-	 * patch section size.
-	 */
-	if (patch_size > U32_MAX - SECTION_HDR_SIZE) {
-		if (!early)
-			pr_err("Patch of size %u too large.\n", patch_size);
-
-		*crnt_size = SECTION_HDR_SIZE + PATCH_MAX_SIZE;
-		return false;
-	}
-
-	*crnt_size = SECTION_HDR_SIZE + patch_size;
-
 	mc_hdr = (const struct microcode_header_amd *)(buf + SECTION_HDR_SIZE);
 	patch_fam = 0xf + (mc_hdr->processor_rev_id >> 12);
 
-	/* Is the patch for the proper CPU family? */
-	if (family != patch_fam)
-		return false;
-
+	/*
+	 * Check whether patch_size isn't something nonsensically huge so
+	 * we don't skip over good patches by mistake.
+	 */
 #define F1XH_MPB_MAX_SIZE 2048
 #define F14H_MPB_MAX_SIZE 1824
 #define F15H_MPB_MAX_SIZE 4096
 #define F16H_MPB_MAX_SIZE 3458
 #define F17H_MPB_MAX_SIZE 3200
 
-	switch (family) {
+	switch (patch_fam) {
+	case 0x10 ... 0x13:
+		max_size = F1XH_MPB_MAX_SIZE;
+		break;
 	case 0x14:
 		max_size = F14H_MPB_MAX_SIZE;
 		break;
@@ -251,22 +239,41 @@ static bool verify_patch(u8 family, const u8 *buf, size_t buf_size,
 		max_size = F17H_MPB_MAX_SIZE;
 		break;
 	default:
-		max_size = F1XH_MPB_MAX_SIZE;
+		/*
+		 * Don't know the max size for future families...
+		 * Set a patch length limit of slightly less than U32_MAX to
+		 * prevent overflowing 32-bit variables holding the whole
+		 * patch section size.
+		 */
+		max_size = U32_MAX - SECTION_HDR_SIZE;
 		break;
 	}
 
-	/*
-	 * The section header length is not included in this indicated size
-	 * but is present in the leftover file length so we need to subtract
-	 * it from the leftover file length.
-	 */
-	if (patch_size > min_t(u32, buf_size - SECTION_HDR_SIZE, max_size)) {
+	if (patch_size > max_size) {
+		if (!early)
+			pr_err("Patch of size %u exceeds family %u maximum.\n",
+			       patch_size, (unsigned int)patch_fam);
+
+		*crnt_size = min_t(unsigned int,
+				   SECTION_HDR_SIZE + max_size,
+				   buf_size);
+		return false;
+	}
+
+	if (buf_size - SECTION_HDR_SIZE < patch_size) {
 		if (!early)
-			pr_err("Patch of size %u too large.\n", patch_size);
+			pr_err("Patch of size %u truncated.\n", patch_size);
 
+		*crnt_size = buf_size;
 		return false;
 	}
 
+	*crnt_size = SECTION_HDR_SIZE + patch_size;
+
+	/* Is the patch for the proper CPU family? */
+	if (family != patch_fam)
+		return false;
+
 	return true;
 }
 
-- 
2.17.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ