Received: by 2002:a25:5b86:0:0:0:0:0 with SMTP id p128csp1700652ybb; Fri, 29 Mar 2019 09:31:56 -0700 (PDT) X-Google-Smtp-Source: APXvYqy4zZ8+CinjMnqzCwO+YaxqcGrGGsraLatNVetKTm7DbzB1ZFIim8tAT9jlXnpXlQNhETRs X-Received: by 2002:a17:902:8c8b:: with SMTP id t11mr48781433plo.148.1553877115922; Fri, 29 Mar 2019 09:31:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553877115; cv=none; d=google.com; s=arc-20160816; b=n0YWd4uoOrkgoaFayWbVKWQKkflxDACMRBELCO5y+T5MVoi7turWhKbx+R2PZNvn1X AzDQ2wNGm9L1Jl/AZ0IqRRWJdVEFuSD+DO5RZZklizUb3vFtZ5n/ZwAw+FoQsisxACFZ tfSRy3hn4YpPMixX2HS5qujgmPC9OsZiXOpHt+mpsOPSOV9q8h5yXAQhHGtJzIgu1mcK +2hqujdZU7o0YqIojAJzE+o78UnKFRPCPo2wVDz+UrJwE+HIj8SRzgEDZR2J9NAcU+Ws vgoQmpVtICkJ+1Amkw+8/Y1+aUUzyqLkCI/VSSkkghAOC15zGuZ1o8gBias7tPycUXiw QBSw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:references :mime-version:message-id:in-reply-to:date:dkim-signature; bh=BIUYSdViMIn+To2mUC3qZ7zEN+7GQ3ySY+V/Ekd7gP4=; b=lmbLZWwwuu8cPLdutxZd/5s/CT+cSXZmykNfYupplBlV+zqZ2mX8gV2IfRx5HfWMCB qlVbqpqJh+Q4ih37F/xoI+eP8/UGonjAfHF6ubSNoUwoAMpK9UCPYwtf3tW3xedlLvU7 QH5cVuezGFcDZHp2JjzjnU+7xx1OvvkzUJy2HFvgo6CEQ2QjlrzjWf+TCLGVDXrShuMV iyoRiFwQL5RViKVF9IBx//wBQFLg6ynFIHiOIu2TMqZGm3EhkxLJcPKbnACwW3NSYwAA qWUStygVaI+1hJIYMDSa83/6DUc3adPgx4EFgrzmHx34JtgdedEJHM53UETrS5OcIX8L 9+Yg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=niEwRLur; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g8si2251892pgn.92.2019.03.29.09.31.40; Fri, 29 Mar 2019 09:31:55 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=niEwRLur; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729790AbfC2Qa7 (ORCPT + 99 others); Fri, 29 Mar 2019 12:30:59 -0400 Received: from mail-qt1-f201.google.com ([209.85.160.201]:33614 "EHLO mail-qt1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728839AbfC2Qa7 (ORCPT ); Fri, 29 Mar 2019 12:30:59 -0400 Received: by mail-qt1-f201.google.com with SMTP id k5so2798516qte.0 for ; Fri, 29 Mar 2019 09:30:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=BIUYSdViMIn+To2mUC3qZ7zEN+7GQ3ySY+V/Ekd7gP4=; b=niEwRLurvDXcYbjApsEODSo8Ky7sRAWmZAjk2/6GINGFAC7BFsrO+3l/pEmJ7o5Mnz gy1SHrct0idcSDWXiz3nlVqchIJgPWWDbKrhIrx8CPstxa+CvUPBvgaTJrvWXvtL4xEO AIP4Vvm37UlS8MNCD9HEgLZOHXZ5sI2qpHVlwYAes/CE9ECj9e41ANfKPJUesYTV/aJy HXey0uafvnSVhFHADEqBjlISPbDeN0w/FxhKDXPZ0P6Rh7DbEqe30QbIbp/p3zTryjn5 R+0zQf7PGIvhTpPAvZIyCPkFHOYzqQy0EusYZId30Isp7cHcB91S6SrkYS06FrFjoI6D UOPQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=BIUYSdViMIn+To2mUC3qZ7zEN+7GQ3ySY+V/Ekd7gP4=; b=DrkZftwLKD2gXqaz5D9odSP8pY7aMIcT+QVVpmF2VG2mHYYpwWmASYpvwNegcrRj1L 8rB1Khc5OWLm5TjRqcBwsPbTT3ctfDesRTo/CfybRM/8mH6oE5IUM3xjxMRQXogn8+Df DE0buyiv7/IiBlPhA8HVxrbEfR64gR4qsV9GBF8k2YJ2SyMMhYCnWTHJects5OIViVeC B/JioXhCQM/XosLq2im86dy3iIq+6KEuTmWDvOb+iz3rXRRyvnulpyS0vOyaOLadDPLX ofa/yCKBspVha3tAs3MPYYS4SyGTUEOybsh4WR0I1CXCsLN0mIh62TGArZQpxr7C7jii 2yog== X-Gm-Message-State: APjAAAXX03xsl12kmxafHKf/r94Zm/ufDc6Ng3s6oNSnqRCgBxdWMAAE iN2mB9+9invueSQmbmPMzUTc4eqchQ== X-Received: by 2002:a0c:f851:: with SMTP id g17mr3301508qvo.11.1553877057693; Fri, 29 Mar 2019 09:30:57 -0700 (PDT) Date: Fri, 29 Mar 2019 17:30:45 +0100 In-Reply-To: <20190329163047.223508-1-jannh@google.com> Message-Id: <20190329163047.223508-2-jannh@google.com> Mime-Version: 1.0 References: <20190329163047.223508-1-jannh@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH v2 2/4] x86/microcode: Fix __user annotations around generic_load_microcode() From: Jann Horn To: Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , jannh@google.com Cc: x86@kernel.org, linux-kernel@vger.kernel.org, Qiaowei Ren Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org generic_load_microcode() deals with a pointer that can be either a kernel pointer or a user pointer. Pass it around as a __user pointer so that it can't be dereferenced accidentally while its address space is unknown. Use explicit casts to convert between __user and __kernel to inform the checker that these address space conversions are intentional. Signed-off-by: Jann Horn --- arch/x86/kernel/cpu/microcode/intel.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c index 16936a24795c..e8ef65c275c7 100644 --- a/arch/x86/kernel/cpu/microcode/intel.c +++ b/arch/x86/kernel/cpu/microcode/intel.c @@ -861,11 +861,13 @@ static enum ucode_state apply_microcode_intel(int cpu) return ret; } -static enum ucode_state generic_load_microcode(int cpu, void *data, size_t size, - int (*get_ucode_data)(void *, const void *, size_t)) +static enum ucode_state generic_load_microcode(int cpu, + const void __user *data, size_t size, + int (*get_ucode_data)(void *, const void __user *, size_t)) { struct ucode_cpu_info *uci = ucode_cpu_info + cpu; - u8 *ucode_ptr = data, *new_mc = NULL, *mc = NULL; + const u8 __user *ucode_ptr = data; + u8 *new_mc = NULL, *mc = NULL; int new_rev = uci->cpu_sig.rev; unsigned int leftover = size; unsigned int curr_mc_size = 0, new_mc_size = 0; @@ -945,9 +947,10 @@ static enum ucode_state generic_load_microcode(int cpu, void *data, size_t size, return ret; } -static int get_ucode_fw(void *to, const void *from, size_t n) +static int get_ucode_fw(void *to, const void __user *from, size_t n) { - memcpy(to, from, n); + /* cast paired with request_microcode_fw() */ + memcpy(to, (const void __force *)from, n); return 0; } @@ -993,7 +996,8 @@ static enum ucode_state request_microcode_fw(int cpu, struct device *device, return UCODE_NFOUND; } - ret = generic_load_microcode(cpu, (void *)firmware->data, + /* cast paired with get_ucode_fw() */ + ret = generic_load_microcode(cpu, (void __force __user *)firmware->data, firmware->size, &get_ucode_fw); release_firmware(firmware); @@ -1001,7 +1005,7 @@ static enum ucode_state request_microcode_fw(int cpu, struct device *device, return ret; } -static int get_ucode_user(void *to, const void *from, size_t n) +static int get_ucode_user(void *to, const void __user *from, size_t n) { return copy_from_user(to, from, n); } @@ -1012,7 +1016,7 @@ request_microcode_user(int cpu, const void __user *buf, size_t size) if (is_blacklisted(cpu)) return UCODE_NFOUND; - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user); + return generic_load_microcode(cpu, buf, size, &get_ucode_user); } static struct microcode_ops microcode_intel_ops = { -- 2.21.0.392.gf8f6787159e-goog