[tip:x86/urgent] x86/microcode/intel: Handle truncated microcode images more robustly

tip-bot for Quentin Casasnovas <tipbot@xxxxxxxxx> · Thu, 19 Feb 2015 11:28:30 -0800

Commit-ID:  35a9ff4eec7a1725ac4364972fc6c156e4feedd0
Gitweb:     http://git.kernel.org/tip/35a9ff4eec7a1725ac4364972fc6c156e4feedd0
Author:     Quentin Casasnovas <quentin.casasnovas@xxxxxxxxxx>
AuthorDate: Tue, 3 Feb 2015 13:00:24 +0100
Committer:  Borislav Petkov <bp@xxxxxxx>
CommitDate: Thu, 19 Feb 2015 12:42:23 +0100

x86/microcode/intel: Handle truncated microcode images more robustly

We do not check the input data bounds containing the microcode before
copying a struct microcode_intel_header from it. A specially crafted
microcode could cause the kernel to read invalid memory and lead to a
denial-of-service.

Signed-off-by: Quentin Casasnovas <quentin.casasnovas@xxxxxxxxxx>
Cc: "H. Peter Anvin" <hpa@xxxxxxxxx>
Cc: Fenghua Yu <fenghua.yu@xxxxxxxxx>
Link: http://lkml.kernel.org/r/1422964824-22056-3-git-send-email-quentin.casasnovas@xxxxxxxxxx
[ Made error message differ from the next one and flipped comparison. ]
Signed-off-by: Borislav Petkov <bp@xxxxxxx>
---
 arch/x86/kernel/cpu/microcode/intel.c       | 5 +++++
 arch/x86/kernel/cpu/microcode/intel_early.c | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
index c6826d1..746e7fd 100644
--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -196,6 +196,11 @@ static enum ucode_state generic_load_microcode(int cpu, void *data, size_t size,
 		struct microcode_header_intel mc_header;
 		unsigned int mc_size;
 
+		if (leftover < sizeof(mc_header)) {
+			pr_err("error! Truncated header in microcode data file\n");
+			break;
+		}
+
 		if (get_ucode_data(&mc_header, ucode_ptr, sizeof(mc_header)))
 			break;
 
diff --git a/arch/x86/kernel/cpu/microcode/intel_early.c b/arch/x86/kernel/cpu/microcode/intel_early.c
index 5e109a3..420eb93 100644
--- a/arch/x86/kernel/cpu/microcode/intel_early.c
+++ b/arch/x86/kernel/cpu/microcode/intel_early.c
@@ -322,6 +322,10 @@ get_matching_model_microcode(int cpu, unsigned long start,
 	int i;
 
 	while (leftover && mc_saved_count < ARRAY_SIZE(mc_saved_tmp)) {
+
+		if (leftover < sizeof(mc_header))
+			break;
+
 		mc_header = (struct microcode_header_intel *)ucode_ptr;
 
 		mc_size = get_totalsize(mc_header);
--
To unsubscribe from this list: send the line "unsubscribe linux-tip-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



