Subject: Re: [PATCH v5 2/6] x86/microcode/AMD: Add microcode container data checking functions
From: "Maciej S. Szmigiero"
To: Borislav Petkov
Cc: Thomas Gleixner, Ingo Molnar, "H. Peter Anvin", x86@kernel.org, linux-kernel@vger.kernel.org
Date: Tue, 1 May 2018 00:27:17 +0200
In-Reply-To: <20180430090447.GA6509@pd.tnic>

On 30.04.2018 11:04, Borislav Petkov wrote: > On Mon, Apr 23, 2018 at 11:34:07PM +0200, Maciej S.
Szmigiero wrote: >> --- a/arch/x86/kernel/cpu/microcode/amd.c >> +++ b/arch/x86/kernel/cpu/microcode/amd.c >> +/* >> + * Checks whether there is a valid, non-truncated CPU equivalence table >> + * at the beginning of a passed buffer @buf of size @size. >> + * If @early is set this function does not print errors which makes it >> + * usable by the early microcode loader. >> + */ >> +static bool verify_equivalence_table(const u8 *buf, size_t buf_size, bool early) >> +{ >> + const u32 *hdr = (const u32 *)buf; >> + u32 cont_type, equiv_tbl_len; >> + >> + cont_type = hdr[1]; > > You need to check the size of buf so that there's enough buf passed in > before you index into it like that. These checking functions are supposed to be called in order: first verify_container() verifies the basic container, then verify_equivalence_table() verifies the equivalence table while not repeating the checks that were already done by the former function. >> + if (cont_type != UCODE_EQUIV_CPU_TABLE_TYPE) { >> + if (!early) >> + pr_err("Wrong microcode container equivalence table type: %u.\n", >> + cont_type); >> + >> + return false; >> + } >> + >> + equiv_tbl_len = hdr[2]; > > And that. Same situation here. >> + >> +/* >> + * Checks whether a microcode patch located at the beginning of a passed >> + * buffer @buf of size @size is not too large for a particular @family >> + * and is not truncated. >> + * If @early is set this function does not print errors which makes it >> + * usable by the early microcode loader. >> + */ >> +static bool verify_patch(u8 family, const u8 *buf, size_t buf_size, bool early) >> +{ >> + const u32 *hdr = (const u32 *)buf; >> + u32 patch_size = hdr[1]; > > Just like in the first comment above. > And a similar situation here - verify_patch() does not verify things that were already checked by verify_container() or verify_patch_section(). Thanks, Maciej
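Review bot: in verify_equivalence_table(), `cont_type = hdr[1]` and `equiv_tbl_len = hdr[2]` read the first 12 bytes of @buf before buf_size is compared against anything in the quoted lines, so the function is only safe when verify_container() has already accepted the same buffer, as the reply explains. That ordering requirement is not stated in the function comment; please add it there (for example "must only be called after verify_container() has succeeded on @buf"), or add a local `buf_size < 3 * sizeof(u32)` guard so that a future caller which skips the first step cannot trigger an out-of-bounds read on a truncated container.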
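Review bot: in verify_patch(), the initializer `u32 patch_size = hdr[1];` dereferences @buf at the declaration, ahead of any check the function body could make, so it depends entirely on verify_container() or verify_patch_section() having validated the length first. Either move the read below an explicit length check or document that dependency in the comment. The comment also refers to the parameter as "@size" while the prototype names it `buf_size`; the verify_equivalence_table() comment has the same mismatch.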