Re: [Stable-review] [56/74] x86, microcode, AMD: Extend ucode size verification

From: Borislav Petkov
Date: Thu Apr 14 2011 - 04:19:23 EST


On Thu, Apr 14, 2011 at 03:41:25AM -0400, Borislav Petkov wrote:

[..]

> > > +static unsigned int verify_ucode_size(int cpu, const u8 *buf, unsigned int size)
> > > +{
> > > + struct cpuinfo_x86 *c = &cpu_data(cpu);
> > > + unsigned int max_size, actual_size;
> > > +
> > > +#define F1XH_MPB_MAX_SIZE 2048
> > > +#define F14H_MPB_MAX_SIZE 1824
> > > +#define F15H_MPB_MAX_SIZE 4096
> > > +
> > > + switch (c->x86) {
> > > + case 0x14:
> > > + max_size = F14H_MPB_MAX_SIZE;
> > > + break;
> > > + case 0x15:
> > > + max_size = F15H_MPB_MAX_SIZE;
> > > + break;
> > > + default:
> > > + max_size = F1XH_MPB_MAX_SIZE;
> > > + break;
> > > + }
> > > +
> > > + actual_size = buf[4] + (buf[5] << 8);
> > > +
> > > + if (actual_size > size || actual_size > max_size) {
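Review bot: actual_size is read from buf[4] and buf[5] before anything in the visible lines confirms that size covers those offsets, so a section shorter than 6 bytes would be indexed past its end; reject a size below the section header length before this read. Separately, the three F*_MPB_MAX_SIZE #defines sit inside the function body but remain defined for the rest of the file, so they would read better at file scope.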
> >
> > Surely:
> >
> > if (actual_size + UCODE_CONTAINER_SECTION_HDR > size || ...
>
> Well, not really because the UCODE_CONTAINER_SECTION_HDR is just 8 bytes
> of patch header before each ucode patch and we don't copy it. So the
> first part of the check is to see whether the ucode patch we're looking
> at is incomplete and the ucode file is truncated.
>
> That's why we skip the 8 bytes when we do get_ucode_data() later.

Actually, scratch that. I think you're right - this is a bug in the
original code since the check there ignored those 8 bytes too:

	total_size = (unsigned long) (section_hdr[4] + (section_hdr[5] << 8));

	printk(KERN_DEBUG "microcode: size %u, total_size %u\n",
	       size, total_size);

	if (total_size > size || total_size > UCODE_MAX_SIZE) {
		printk(KERN_ERR "microcode: error: size mismatch\n");
		return NULL;
	}

Btw, while staring at it, I've found another discrepancy that needs to
be fixed, I'll whip up a patch soon.

Thanks.

--
Regards/Gruss,
Boris.

Advanced Micro Devices GmbH
Einsteinring 24, 85609 Dornach
General Managers: Alberto Bozzo, Andrew Bowd
Registration: Dornach, Gemeinde Aschheim, Landkreis Muenchen
Registergericht Muenchen, HRB Nr. 43632
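
The size check discussed in this message, as an added user-space example (not code from the kernel or from the patch). The function names, `SECTION_HDR_SIZE` and the sample buffer are assumptions made for illustration; the 8-byte header, the length field at bytes 4-5 and the per-family limits come from the thread.

```c
#include <stddef.h>
#include <stdint.h>

#define SECTION_HDR_SIZE 8	/* 8 bytes of header before each patch, per the thread */

/* Per-family maximum patch sizes, values taken from the quoted patch. */
static unsigned int max_patch_size(unsigned int family)
{
	switch (family) {
	case 0x14: return 1824;
	case 0x15: return 4096;
	default:   return 2048;
	}
}

/* Check in the shape quoted above: the header bytes are not counted.
 * Returns the declared patch size, or 0 when the section is rejected. */
static unsigned int check_without_hdr(unsigned int family,
				      const uint8_t *buf, size_t size)
{
	unsigned int patch_size = buf[4] + (buf[5] << 8);

	if (patch_size > size || patch_size > max_patch_size(family))
		return 0;
	return patch_size;
}

/* Variant that counts the header: size must cover header plus patch. */
static unsigned int check_with_hdr(unsigned int family,
				   const uint8_t *buf, size_t size)
{
	unsigned int patch_size;

	if (size < SECTION_HDR_SIZE)	/* length field itself must be present */
		return 0;
	patch_size = buf[4] + (buf[5] << 8);
	if (patch_size > max_patch_size(family))
		return 0;
	if (patch_size > size - SECTION_HDR_SIZE)	/* truncated file */
		return 0;
	return patch_size;
}

/* Constructed sample: header declares a 16-byte patch, only 12 bytes follow. */
static const uint8_t truncated_section[SECTION_HDR_SIZE + 12] = {
	[4] = 16, [5] = 0,
};
```

On the constructed 20-byte section the first check accepts a 16-byte patch although only 12 bytes follow the header, while the second rejects it.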