Received: by 10.223.185.111 with SMTP id b44csp1366362wrg;
        Sat, 10 Mar 2018 04:27:11 -0800 (PST)
X-Google-Smtp-Source: AG47ELsdg7MvupslBdUQj3t0jtVIiPn8/clchUjJboylF3h24dG0BXw0tXnK1Yrn+eba0S4Czc6o
X-Received: by 2002:a17:902:6f17:: with SMTP id w23-v6mr1991558plk.336.1520684831743;
        Sat, 10 Mar 2018 04:27:11 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1520684831; cv=none;
        d=google.com; s=arc-20160816;
        b=yk47bn+GMHgMjW4KdW8Ixd5d5iJuUbTmpOpEhRqUH9Tz6SwwosPR+lfvX4AUy8ggWh
         RTSrM3gnTGqDGYAzDfERXO+kEhVGPqh/nBnzEx0atECwx/bMBJl7CCalIwjx5Q78J+o5
         O3XxgNgt3gqJsN+7db8fgllThsn3ecCNIfy6Hy9DX80pldK2fhLtk3QMk8jK+SmCbpD7
         Tq9r+s6qG92tPa36v0H7EpQDIkz/Qx3fEXNDlcKKGAHm/Wh57kDAEDj4utTNjM9QMUcr
         cGQYJPccOCB+Pt1XKnw3KchlojWfgaDIpEWUuLCN53EnxsqDtD7WiBmpTDsKawoVsgzS
         8Ocw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:arc-authentication-results;
        bh=UBGqL4PcWc4QnUdch8+qOsSxxOMGrjRC+xCvIxMIKgE=;
        b=I5/rzImttLBngB3a/5QccA0/pK+Th0/BTa3F9udhhBv2YrP57DJly25FjMA92080md
         q7JFmVBDXwdfNf0foiAvsnGVkPEiWqJGirV5a2zpQMTbLaHF4sLeyItPayGs0qXqLCTM
         KEeG9i5xYgL61ngif7V7NeEsfmMtjgrX37Phq9AhXkOlwGdu8nqSzhFw6LGjuDe9R+5n
         3TEx6k7b+DWogcDkKh3nH+oQriBS3MGbQPlf4Jrg6gYSMeoRo1dtxUGW/pTFbMNmZ8cR
         IuuPM/bZL/gSMORtu0wo6qI+cz07vY/Wm7+dvfguARs8HBDgtPoosRaV9MlxEbrLzQwd
         7zIA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b61-v6si2648200plc.385.2018.03.10.04.26.57;
        Sat, 10 Mar 2018 04:27:11 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752217AbeCJM0E (ORCPT <rfc822;yxhlfx@gmail.com> + 99 others);
        Sat, 10 Mar 2018 07:26:04 -0500
Received: from vps-vb.mhejs.net ([37.28.154.113]:58702 "EHLO vps-vb.mhejs.net"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752085AbeCJM0D (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 10 Mar 2018 07:26:03 -0500
Received: by vps-vb.mhejs.net with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
        (Exim 4.90_1)
        (envelope-from <mail@maciej.szmigiero.name>)
        id 1eudZY-0001bB-PP; Sat, 10 Mar 2018 13:26:00 +0100
Subject: Re: [PATCH] x86/microcode/AMD: check microcode file sanity before
 loading it
To:     Borislav Petkov <bp@alien8.de>
Cc:     Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>,
        "H. Peter Anvin" <hpa@zytor.com>, x86@kernel.org,
        linux-kernel@vger.kernel.org
References: <34e9d679-2eca-90cf-9a95-3864f0be060e@maciej.szmigiero.name>
 <20180310091838.GA8261@pd.tnic>
From:   "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
Message-ID: <2cfade76-7d3d-38be-8da6-5927a043a91b@maciej.szmigiero.name>
Date:   Sat, 10 Mar 2018 13:26:00 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <20180310091838.GA8261@pd.tnic>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 10.03.2018 10:18, Borislav Petkov wrote:
> On Sat, Mar 10, 2018 at 01:34:45AM +0100, Maciej S. Szmigiero wrote:
>> Currently, it is very easy to make the AMD microcode update driver crash
>> or spin on a malformed microcode file since it does very little
>> consistency checking on data loaded from such file.
> 
> Sorry but if one has enough permissions to install malformed microcode,
> crashing the loader is the least of your problems. IOW, I don't see the
> justification for the unnecessary complication with all those checks.

While I agree this is not a security problem, I cannot agree that these
checks are unnecessary driver complication.

First, these checks are really just very basic checks like "check
whether the loaded file is long enough to actually contain some
structure before accessing it" or "don't iterate an array in file
without checking if it actually has a terminating element" or "check
whether microcode patch length isn't something like 2GB before allocating
memory for it".

Without them, it is easy to crash the driver when just playing with
microcode files (and it turns out that AMD-released microcode files in
linux-firmware actually don't contain the newest microcode versions,
even for older CPUs).

Second, since these checks happen only on a microcode file load
(something that 99.9% of systems probably will do just once at boot
time) it is hardly a performance-critical path.

Third, we still do check consistency of data provided to various
root-only syscalls (and these might be much more performance-critical
than this code).
 
> Thx.
> 

Thanks,
Maciej