Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp5527547imm;
        Tue, 19 Jun 2018 11:51:39 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKKcd6NHd4ti3At1P0NJizi2hewRI0FGNpyTLqrQcY45iYh7NyuLWCECrkxUpKfEIq+r/e0c
X-Received: by 2002:a62:df89:: with SMTP id d9-v6mr19255302pfl.147.1529434299068;
        Tue, 19 Jun 2018 11:51:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1529434299; cv=none;
        d=google.com; s=arc-20160816;
        b=xJzUGGaQuFSRKZKa4RutBgSCstVdYny+rUPBt7KbEcqU3U6lpYY4BwoU9b72Bc5l5i
         jRT0+S69kC9Tdeg7QnnXo0pO4xUIP+wnNml7a7etRVTilFCkIEuxZHQMbhQgfDP+tQUn
         zA9+kuaeLYnr3kVOW5qPFIdkgWuUZ61+fpPQQksOgmgOteWY0xBemQDZvvgf3jsT/HQG
         w+LDp190EBsNqJ2mD4ogfHsrR6A2SsxkbV+l1U9raDJ7UrmRJJpf7cL6lBsZR2swhztw
         q/0S6DsqizNxrkvcD+smEHDvVxV17LDX5W7jcWDJ9xsrCMQLsvtPb7FbnDO1u3g3DjGC
         iqrg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:references:in-reply-to:message-id:date
         :subject:cc:to:from:arc-authentication-results;
        bh=HJ6QU6aOX7McVSuDBi+NanRdKntYyq4eZM9Xn5DQBs8=;
        b=ar0W8I+GKhonHH/ppvSAiWK8y9WNI8zOL+j9eAW1xEJk0muzTWQ4XIP7kUp64ndoB/
         QlyYkvO6RHi/o/MKgQ2mpZ1164CdXjTD8g0wE5GyBkSG5ymVwU90SQPo1lEYFzMIQ9Qi
         SKoSzPaoc8ibaUdmw1dHdDyncHKlNZmo8YRKVcumEn2ozd1w10Xa2At/iS47tx/b/42o
         77wIg+zimwTtx7Kr8vMV/U9BWs3wKrJ4VMrXEcjfcieXsDCOp0dTbVg4n5gS4vsEyRq0
         XpY5dICscCpm3aKI0bCD+Tytufyoq+SDZItK6eVV5O34ltlkSwZAB5EBQMvQQt8gGR+q
         JS5g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t13-v6si297055pgs.661.2018.06.19.11.51.25;
        Tue, 19 Jun 2018 11:51:39 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1030563AbeFSSt2 (ORCPT <rfc822;shmalave.kernel@gmail.com>
        + 99 others); Tue, 19 Jun 2018 14:49:28 -0400
Received: from vps-vb.mhejs.net ([37.28.154.113]:39578 "EHLO vps-vb.mhejs.net"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1030283AbeFSSrv (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 19 Jun 2018 14:47:51 -0400
Received: by vps-vb.mhejs.net with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
        (Exim 4.90_1)
        (envelope-from <mail@maciej.szmigiero.name>)
        id 1fVLfI-0003Vv-Bg; Tue, 19 Jun 2018 20:47:40 +0200
From:   "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
To:     Borislav Petkov <bp@alien8.de>
Cc:     Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>,
        "H. Peter Anvin" <hpa@zytor.com>, x86@kernel.org,
        linux-kernel@vger.kernel.org
Subject: [PATCH v7 3/9] x86/microcode/AMD: Integrate verify_patch_size() into verify_patch()
Date:   Tue, 19 Jun 2018 20:47:33 +0200
Message-Id: <39d0efb50538e4a1a06da693559bb13b060ad676.1529424596.git.mail@maciej.szmigiero.name>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <cover.1529424596.git.mail@maciej.szmigiero.name>
References: <cover.1529424596.git.mail@maciej.szmigiero.name>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Integrating verify_patch_size() into verify_patch() allows us to check
whether the indicated patch size makes sense for its indicated CPU family -
for all CPU families known to the driver.

If we spot a patch that is longer than expected for its family we'll
carefully skip over only the expected length to make sure we don't miss
good patches in case the indicated patch size was something nonsensically
huge.

Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
---
 arch/x86/kernel/cpu/microcode/amd.c | 131 ++++++++++++----------------
 1 file changed, 57 insertions(+), 74 deletions(-)

diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
index 120778771909..67147e784c0e 100644
--- a/arch/x86/kernel/cpu/microcode/amd.c
+++ b/arch/x86/kernel/cpu/microcode/amd.c
@@ -176,9 +176,6 @@ static bool verify_patch_section(const u8 *buf, size_t buf_size, bool early)
 	return true;
 }
 
-static unsigned int verify_patch_size(u8 family, u32 patch_size,
-				      unsigned int size);
-
 /*
  * Check whether there is a valid, non-truncated microcode patch of the
  * right size for a particular family @family at the beginning of a passed
@@ -192,7 +189,7 @@ static bool verify_patch(u8 family, const u8 *buf, size_t buf_size,
 			 unsigned int *crnt_size, bool early)
 {
 	const u32 *hdr;
-	u32 patch_size;
+	u32 patch_size, max_size;
 	const struct microcode_header_amd *mc_hdr;
 	u8 patch_fam;
 
@@ -204,48 +201,79 @@ static bool verify_patch(u8 family, const u8 *buf, size_t buf_size,
 	hdr = (const u32 *)buf;
 	patch_size = hdr[1];
 
-	if (buf_size - SECTION_HDR_SIZE < patch_size) {
+	if (buf_size - SECTION_HDR_SIZE < sizeof(*mc_hdr)) {
 		if (!early)
-			pr_err("Patch of size %u truncated.\n", patch_size);
+			pr_err("Truncated patch header.\n");
 
 		*crnt_size = buf_size;
 		return false;
 	}
 
+	mc_hdr = (const struct microcode_header_amd *)(buf + SECTION_HDR_SIZE);
+	patch_fam = 0xf + (mc_hdr->processor_rev_id >> 12);
+
 	/*
-	 * Set a patch length limit of slightly less than U32_MAX to
-	 * prevent overflowing 32-bit variables holding the whole
-	 * patch section size.
+	 * Check whether patch_size isn't something nonsensically huge so
+	 * we don't skip over good patches by mistake.
 	 */
-	if (patch_size > U32_MAX - SECTION_HDR_SIZE) {
-		if (!early)
-			pr_err("Patch of size %u too large.\n", patch_size);
+#define F1XH_MPB_MAX_SIZE 2048
+#define F14H_MPB_MAX_SIZE 1824
+#define F15H_MPB_MAX_SIZE 4096
+#define F16H_MPB_MAX_SIZE 3458
+#define F17H_MPB_MAX_SIZE 3200
 
-		*crnt_size = SECTION_HDR_SIZE + PATCH_MAX_SIZE;
-		return false;
+	switch (patch_fam) {
+	case 0x10 ... 0x13:
+		max_size = F1XH_MPB_MAX_SIZE;
+		break;
+	case 0x14:
+		max_size = F14H_MPB_MAX_SIZE;
+		break;
+	case 0x15:
+		max_size = F15H_MPB_MAX_SIZE;
+		break;
+	case 0x16:
+		max_size = F16H_MPB_MAX_SIZE;
+		break;
+	case 0x17:
+		max_size = F17H_MPB_MAX_SIZE;
+		break;
+	default:
+		/*
+		 * Don't know the max size for future families...
+		 * Set a patch length limit of slightly less than U32_MAX to
+		 * prevent overflowing 32-bit variables holding the whole
+		 * patch section size.
+		 */
+		max_size = U32_MAX - SECTION_HDR_SIZE;
+		break;
 	}
 
-	*crnt_size = SECTION_HDR_SIZE + patch_size;
-
-	mc_hdr = (const struct microcode_header_amd *)(buf + SECTION_HDR_SIZE);
-	patch_fam = 0xf + (mc_hdr->processor_rev_id >> 12);
+	if (patch_size > max_size) {
+		if (!early)
+			pr_err("Patch of size %u exceeds family maximum.\n",
+			       patch_size);
 
-	/* Is the patch for the proper CPU family? */
-	if (family != patch_fam)
+		*crnt_size = min_t(unsigned int,
+				   SECTION_HDR_SIZE + max_size,
+				   buf_size);
 		return false;
+	}
 
-	/*
-	 * The section header length is not included in this indicated size
-	 * but is present in the leftover file length so we need to subtract
-	 * it before passing this value to the function below.
-	 */
-	if (!verify_patch_size(family, patch_size, buf_size - SECTION_HDR_SIZE)) {
+	if (buf_size - SECTION_HDR_SIZE < patch_size) {
 		if (!early)
-			pr_err("Patch of size %u too large.\n", patch_size);
+			pr_err("Patch of size %u truncated.\n", patch_size);
 
+		*crnt_size = buf_size;
 		return false;
 	}
 
+	*crnt_size = SECTION_HDR_SIZE + patch_size;
+
+	/* Is the patch for the proper CPU family? */
+	if (family != patch_fam)
+		return false;
+
 	return true;
 }
 
@@ -637,45 +665,6 @@ static int collect_cpu_info_amd(int cpu, struct cpu_signature *csig)
 	return 0;
 }
 
-/*
- * Check whether the passed remaining file @size is large enough to contain a
- * patch of the indicated @patch_size (and also whether this size does not
- * exceed the per-family maximum).
- */
-static unsigned int verify_patch_size(u8 family, u32 patch_size, unsigned int size)
-{
-	u32 max_size;
-
-#define F1XH_MPB_MAX_SIZE 2048
-#define F14H_MPB_MAX_SIZE 1824
-#define F15H_MPB_MAX_SIZE 4096
-#define F16H_MPB_MAX_SIZE 3458
-#define F17H_MPB_MAX_SIZE 3200
-
-	switch (family) {
-	case 0x14:
-		max_size = F14H_MPB_MAX_SIZE;
-		break;
-	case 0x15:
-		max_size = F15H_MPB_MAX_SIZE;
-		break;
-	case 0x16:
-		max_size = F16H_MPB_MAX_SIZE;
-		break;
-	case 0x17:
-		max_size = F17H_MPB_MAX_SIZE;
-		break;
-	default:
-		max_size = F1XH_MPB_MAX_SIZE;
-		break;
-	}
-
-	if (patch_size > min_t(u32, size, max_size))
-		return 0;
-
-	return patch_size;
-}
-
 static enum ucode_state apply_microcode_amd(int cpu)
 {
 	struct cpuinfo_x86 *c = &cpu_data(cpu);
@@ -765,7 +754,7 @@ static int verify_and_add_patch(u8 family, u8 *fw, unsigned int leftover)
 {
 	struct microcode_header_amd *mc_hdr;
 	struct ucode_patch *patch;
-	unsigned int patch_size, crnt_size, ret;
+	unsigned int patch_size, crnt_size;
 	u32 proc_fam;
 	u16 proc_id;
 
@@ -791,13 +780,7 @@ static int verify_and_add_patch(u8 family, u8 *fw, unsigned int leftover)
 		return crnt_size;
 	}
 
-	/*
-	 * The section header length is not included in this indicated size
-	 * but is present in the leftover file length so we need to subtract
-	 * it before passing this value to the function below.
-	 */
-	ret = verify_patch_size(family, patch_size, leftover - SECTION_HDR_SIZE);
-	if (!ret) {
+	if (!verify_patch(family, fw, leftover, &crnt_size, false)) {
 		pr_err("Patch-ID 0x%08x: size mismatch.\n", mc_hdr->patch_id);
 		return crnt_size;
 	}