Date: Mon, 26 Mar 2018 19:48:00 +0200
From: Borislav Petkov
To: "Maciej S. Szmigiero"
Cc: Thomas Gleixner, Ingo Molnar, "H. Peter Anvin", x86@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v4 08/10] x86/microcode/AMD: Check microcode container file size before accessing it
Message-ID: <20180326174759.GD28372@pd.tnic>

On Fri, Mar 16, 2018 at 12:08:24AM +0100, Maciej S. Szmigiero wrote:
> The early loader parse_container() function should check whether the
> microcode container file is actually large enough to contain the patch of
> an indicated size, just like the late loader does.
>
> Also, the request_microcode_amd() function should check whether the
> container file is actually large enough to contain the header magic value.
>
> Signed-off-by: Maciej S. Szmigiero
> --- > arch/x86/kernel/cpu/microcode/amd.c | 11 +++++++++++ > 1 file changed, 11 insertions(+) > > diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c > index 4d2116d08754..dc5ed4971879 100644 > --- a/arch/x86/kernel/cpu/microcode/amd.c > +++ b/arch/x86/kernel/cpu/microcode/amd.c > @@ -125,6 +125,9 @@ static size_t parse_container(u8 *ucode, size_t size, struct cont_desc *desc) > struct microcode_amd *mc; > u32 patch_size; > > + if (size < SECTION_HDR_SIZE) > + break; > + > hdr = (u32 *)buf; > > if (hdr[0] != UCODE_UCODE_TYPE) 
> @@ -139,6 +142,10 @@ static size_t parse_container(u8 *ucode, size_t size, struct cont_desc *desc) > buf += SECTION_HDR_SIZE; > size -= SECTION_HDR_SIZE; > > + if (size < sizeof(*mc) || > + size < patch_size) > + break;

If you're going to do this here, then call verify_patch_size() but move the pr_err("patch size mismatch\n") outside of the function because printk doesn't work that early.

> + > mc = (struct microcode_amd *)buf; > if (eq_id == mc->hdr.processor_rev_id) { > desc->psize = patch_size; > @@ -794,6 +801,10 @@ static enum ucode_state request_microcode_amd(int cpu, struct device *device, > } > > ret = UCODE_ERROR; > + if (fw->size < sizeof(u32)) { > + pr_err("microcode container far too short\n"); > + goto fw_release; > + }

Instead of doing that here, do the SECTION_HDR_SIZE check above here directly.

In general, the code is getting interspersed with a lot of checks and thus becoming unreadable. So instead of doing that, I'd suggest you add functions doing that checking separately:

verify_container()
verify_equivalence_table()
verify_patch()

and you call those functions in both paths, first when you get a container, you do verify_container(), then you verify the equivalence table and then you verify each patch one after the other. And so on.

The early path will not printk because it is too early but you can state that with a "bool early" argument to those functions.

This way you'll pull all that checking before the code looks at the binary data and the paths will remain unencumbered by the checking code.

Thx.

-- 
Regards/Gruss,
    Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.
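
Review bot: In the "@@ -125,6 +125,9 @@" hunk of parse_container(), the new "if (size < SECTION_HDR_SIZE) break;" leaves the loop silently, with nothing in the visible lines to mark a truncated section header as a rejection rather than an ordinary end of data. A one-line comment above the check saying that it guards the hdr[0] read that follows would document the intent for the next reader.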
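
Review bot: In the "@@ -139,6 +142,10 @@" hunk, the new condition "size < sizeof(*mc) || size < patch_size" bounds both values against the remaining buffer but never against each other, so a patch_size smaller than sizeof(*mc) still passes. In that case the mc->hdr.processor_rev_id read reaches past the section's declared length and desc->psize records a length shorter than the patch header. Rejecting "patch_size < sizeof(*mc)" in the same condition would close that gap.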
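
Review bot: In the "@@ -794,6 +801,10 @@" hunk of request_microcode_amd(), the threshold is a bare sizeof(u32), and only the commit message says that it stands for the header magic value. A short comment or a named constant would make that visible at the check itself, and printing fw->size in the pr_err() text would make "far too short" actionable for whoever reads the log.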
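
The structure suggested in the reply above (verify the container and each patch before any parsing, with a "bool early" switch for reporting), sketched as a user-space example that is added here and is not kernel code or code from the thread. The container layout, the EX_* constants, rd32(), fail() and count_patches() are assumptions made for the example, and the equivalence-table step is left out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumed layout, for this example only: u32 magic, then sections of
 * { u32 type, u32 len, len bytes }. EX_MIN_PATCH stands in for sizeof(*mc). */
static const uint32_t EX_MAGIC = 0x00414d44, EX_TYPE_PATCH = 1, EX_SECTION_HDR = 8, EX_MIN_PATCH = 16;
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, sizeof(v)); return v; }

/* Early callers stay silent; late callers log the reason. */
static bool fail(bool early, const char *why)
{
	if (!early) fprintf(stderr, "container rejected: %s\n", why);
	return false;
}

static bool verify_container(const uint8_t *buf, size_t size, bool early)
{
	return (size >= sizeof(uint32_t) && rd32(buf) == EX_MAGIC) || fail(early, "no valid magic");
}

/* Validates one patch section before anything dereferences its payload. */
static bool verify_patch(const uint8_t *buf, size_t size, bool early, size_t *len)
{
	if (size < EX_SECTION_HDR || rd32(buf) != EX_TYPE_PATCH)
		return fail(early, "bad section header");
	*len = rd32(buf + 4);
	if (*len < EX_MIN_PATCH || *len > size - EX_SECTION_HDR)
		return fail(early, "patch size mismatch");
	*len += EX_SECTION_HDR;
	return true;
}

/* Shared by both paths: patch count, or -1 if any check fails. */
static int count_patches(const uint8_t *buf, size_t size, bool early)
{
	size_t len;
	int n = 0;
	if (!verify_container(buf, size, early))
		return -1;
	for (buf += 4, size -= 4; size; buf += len, size -= len, n++)
		if (!verify_patch(buf, size, early, &len))
			return -1;
	return n;
}
int main(void)
{
	uint32_t bad[] = { EX_MAGIC, EX_TYPE_PATCH, 64, 0, 0, 0, 0 }; /* constructed: claims 64 bytes, has 16 */
	return count_patches((const uint8_t *)bad, sizeof(bad), false) != -1;
}
```

The declared length is compared against the remaining size before the header length is added to it, so a length of 0xffffffff is rejected without any arithmetic wrapping.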