Improper pointer arithmetic when calculating the address of the extended
header could lead to an out-of-bounds memory read and kernel panic.
Signed-off-by: Quentin Casasnovas <[email protected]>
---
arch/x86/kernel/cpu/microcode/intel_early.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git arch/x86/kernel/cpu/microcode/intel_early.c arch/x86/kernel/cpu/microcode/intel_early.c
index 420eb93..3a6c613 100644
--- arch/x86/kernel/cpu/microcode/intel_early.c
+++ arch/x86/kernel/cpu/microcode/intel_early.c
@@ -180,8 +180,7 @@ matching_model_microcode(struct microcode_header_intel *mc_header,
if (total_size <= data_size + MC_HEADER_SIZE)
return UCODE_NFOUND;
- ext_header = (struct extended_sigtable *)
- mc_header + data_size + MC_HEADER_SIZE;
+ ext_header = (void *) mc_header + data_size + MC_HEADER_SIZE;
ext_sigcount = ext_header->count;
ext_sig = (void *)ext_header + EXT_HEADER_SIZE;
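Review bot: before `ext_header->count` is read in matching_model_microcode(), the only visible guard is `total_size <= data_size + MC_HEADER_SIZE`, which shows that something follows the header and data but not that a whole extended signature table header does. With the address now computed in bytes, it would be worth rejecting images where total_size is smaller than data_size + MC_HEADER_SIZE + EXT_HEADER_SIZE at this point (or pointing to where that is already validated), and bounding ext_sigcount against total_size before ext_sig is walked. The commit message could also state in one sentence why the old expression was wrong: the cast bound to mc_header before the addition, so the offset was scaled by sizeof(struct extended_sigtable) instead of being counted in bytes.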
@@ -457,8 +456,7 @@ static void __ref show_saved_mc(void)
if (total_size <= data_size + MC_HEADER_SIZE)
continue;
- ext_header = (struct extended_sigtable *)
- mc_saved_header + data_size + MC_HEADER_SIZE;
+ ext_header = (void *) mc_saved_header + data_size + MC_HEADER_SIZE;
ext_sigcount = ext_header->count;
ext_sig = (void *)ext_header + EXT_HEADER_SIZE;
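Review bot: the cast spacing in the added line, `(void *) mc_saved_header`, differs from the unchanged line two below it, `(void *)ext_header + EXT_HEADER_SIZE`; drop the space so both read the same (the added line in matching_model_microcode() has the same inconsistency). Since the expression now appears in identical form in two functions, a small helper that takes the header pointer and data_size and returns the extended header address would keep the byte-offset arithmetic in one place and prevent the cast-precedence mistake from returning in one copy only.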
--
2.0.5
On Thu, Feb 26, 2015 at 04:50:46PM +0100, Quentin Casasnovas wrote:
> Improper pointer arithmetic when calculating the address of the extended
> header could lead to an out-of-bounds memory read and kernel panic.
>
> Signed-off-by: Quentin Casasnovas <[email protected]>
Applied, thanks.
--
Regards/Gruss,
Boris.
ECO tip #101: Trim your mails when you reply.