| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1631526273-2257451-1-git-send-email-jiasheng@iscas.ac.cn>
Date: Mon, 13 Sep 2021 09:44:33 +0000
From: Jiasheng Jiang <jiasheng@...as.ac.cn>
To: bp@...en8.de, tglx@...utronix.de, mingo@...hat.com, x86@...nel.org,
hpa@...or.com
Cc: linux-kernel@...r.kernel.org, Jiasheng Jiang <jiasheng@...as.ac.cn>
Subject: [PATCH 3/6 RESEND] x86/microcode/amd: Potentially delete invalid pointer
Directly use __list_del() to remove 'p->plist' might be unsafe,
as we can see from the __list_del_entry_valid() of 'lib/list_debug.c'
that p->plist->prev or p->plist->next may be the LIST_POISON,
or p->list is not a valid double list.
In that case, __list_del() will be corruption.
Therefore, we suggest that __list_del_entry_valid()
should be added in front of the __list_del() in free_cache.
Signed-off-by: Jiasheng Jiang <jiasheng@...as.ac.cn>
---
arch/x86/kernel/cpu/microcode/amd.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
index 3d4a483..e589cff 100644
--- a/arch/x86/kernel/cpu/microcode/amd.c
+++ b/arch/x86/kernel/cpu/microcode/amd.c
@@ -626,6 +626,8 @@ static void free_cache(void)
struct ucode_patch *p, *tmp;
list_for_each_entry_safe(p, tmp, µcode_cache, plist) {
+ if (!__list_del_entry_valid(&p->plist))
+ continue;
__list_del(p->plist.prev, p->plist.next);
kfree(p->data);
kfree(p);
--
2.7.4
Powered by blists - more mailing lists