From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, higuita@gmx.net, Borislav Petkov, Thomas Gleixner
Subject: [PATCH 4.14 62/71] x86/microcode: Fix again accessing initrd after having been freed
Date: Mon, 29 Jan 2018 13:57:30 +0100
Message-Id: <20180129123831.759347763@linuxfoundation.org>
In-Reply-To: <20180129123827.271171825@linuxfoundation.org>
References: <20180129123827.271171825@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Borislav Petkov

commit 1d080f096fe33f031d26e19b3ef0146f66b8b0f1 upstream.

Commit 24c2503255d3 ("x86/microcode: Do not access the initrd after it has
been freed") fixed attempts to access initrd from the microcode loader
after it has been freed. However, a similar KASAN warning was reported
(stack trace edited):

  smpboot: Booting Node 0 Processor 1 APIC 0x11
  ==================================================================
  BUG: KASAN: use-after-free in find_cpio_data+0x9b5/0xa50
  Read of size 1 at addr ffff880035ffd000 by task swapper/1/0

  CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.14.8-slack #7
  Hardware name: System manufacturer System Product Name/A88X-PLUS, BIOS 3003 03/10/2016
  Call Trace:
   dump_stack
   print_address_description
   kasan_report
   ? find_cpio_data
   __asan_report_load1_noabort
   find_cpio_data
   find_microcode_in_initrd
   __load_ucode_amd
   load_ucode_amd_ap
   load_ucode_ap

After some investigation, it turned out that a merge was done using the
wrong side to resolve, leading to picking up the previous state, before
the 24c2503255d3 fix. Therefore the Fixes tag below contains a merge
commit.

Revert the mismerge by catching the save_microcode_in_initrd_amd()
retval and thus letting the function exit with the last return statement
so that initrd_gone can be set to true.

Fixes: f26483eaedec ("Merge branch 'x86/urgent' into x86/microcode, to resolve conflicts")
Reported-by:
Signed-off-by: Borislav Petkov
Signed-off-by: Thomas Gleixner
Link: https://bugzilla.kernel.org/show_bug.cgi?id=198295
Link: https://lkml.kernel.org/r/20180123104133.918-2-bp@alien8.de
Signed-off-by: Greg Kroah-Hartman

---
 arch/x86/kernel/cpu/microcode/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kernel/cpu/microcode/core.c +++ b/arch/x86/kernel/cpu/microcode/core.c
@@ -239,7 +239,7 @@ static int __init save_microcode_in_init break; case X86_VENDOR_AMD: if (c->x86 >= 0x10) - return save_microcode_in_initrd_amd(cpuid_eax(1)); + ret = save_microcode_in_initrd_amd(cpuid_eax(1)); break; default: break;
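
Review bot: In the X86_VENDOR_AMD case, the fix depends on code outside this hunk. `ret` must be declared and given a default before the switch, because the `default:` case and the `c->x86 < 0x10` path also reach the final return without assigning it. The tail of the function also has to set initrd_gone before returning `ret`. Neither is visible in the context lines here, so for this 4.14 backport please confirm both hold in the stable tree. Since the regression came from a merge bringing back `return save_microcode_in_initrd_amd(cpuid_eax(1));`, a one-line comment above the switch stating that no case may return directly would make the next conflict resolution harder to get wrong.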