Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754110AbbBZPte (ORCPT ); Thu, 26 Feb 2015 10:49:34 -0500 Received: from userp1040.oracle.com ([156.151.31.81]:41119 "EHLO userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753816AbbBZPtd (ORCPT ); Thu, 26 Feb 2015 10:49:33 -0500 From: Quentin Casasnovas To: Borislav Petkov Cc: Quentin Casasnovas , lkml , x86 lkml Subject: [PATCH] x86/microcode/intel: Out of bounds memory read when reading extended header. Date: Thu, 26 Feb 2015 16:50:46 +0100 Message-Id: <1424965846-28566-1-git-send-email-quentin.casasnovas@oracle.com> X-Mailer: git-send-email 2.0.5 X-Source-IP: ucsinet22.oracle.com [156.151.31.94] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1589 Lines: 40 Improper pointer arithmetics when calculating the address of the extended header could lead to an out of bounds memory read and kernel panic. Signed-off-by: Quentin Casasnovas --- arch/x86/kernel/cpu/microcode/intel_early.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git arch/x86/kernel/cpu/microcode/intel_early.c arch/x86/kernel/cpu/microcode/intel_early.c index 420eb93..3a6c613 100644 --- arch/x86/kernel/cpu/microcode/intel_early.c +++ arch/x86/kernel/cpu/microcode/intel_early.c @@ -180,8 +180,7 @@ matching_model_microcode(struct microcode_header_intel *mc_header, if (total_size <= data_size + MC_HEADER_SIZE) return UCODE_NFOUND; - ext_header = (struct extended_sigtable *) - mc_header + data_size + MC_HEADER_SIZE; + ext_header = (void *) mc_header + data_size + MC_HEADER_SIZE; ext_sigcount = ext_header->count; ext_sig = (void *)ext_header + EXT_HEADER_SIZE; @@ -457,8 +456,7 @@ static void __ref show_saved_mc(void) if (total_size <= data_size + MC_HEADER_SIZE) continue; - ext_header = (struct extended_sigtable *) - mc_saved_header + data_size + MC_HEADER_SIZE; + ext_header = (void *) mc_saved_header + data_size + MC_HEADER_SIZE; ext_sigcount = ext_header->count; ext_sig = (void *)ext_header + EXT_HEADER_SIZE; -- 2.0.5 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/