From patchwork Wed Oct 19 08:26:37 2022
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 4711
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Daniel Micay, Kees Cook, Borislav Petkov, Sasha Levin
Subject: [PATCH 6.0 310/862] x86/microcode/AMD: Track patch allocation size explicitly
Date: Wed, 19 Oct 2022 10:26:37 +0200
Message-Id: <20221019083303.715483748@linuxfoundation.org>
In-Reply-To: <20221019083249.951566199@linuxfoundation.org>
References: <20221019083249.951566199@linuxfoundation.org>

From: Kees Cook

[ Upstream commit 712f210a457d9c32414df246a72781550bc23ef6 ]

In preparation for reducing the use of ksize(), record the actual allocation size for later memcpy(). This avoids copying extra (uninitialized!) bytes into the patch buffer when the requested allocation size isn't exactly the size of a kmalloc bucket.

Additionally, fix potential future issues where runtime bounds checking will notice that the buffer was allocated to a smaller value than returned by ksize().

Fixes: 757885e94a22 ("x86, microcode, amd: Early microcode patch loading support for AMD")
Suggested-by: Daniel Micay
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Link: https://lore.kernel.org/lkml/CA+DvKQ+bp7Y7gmaVhacjv9uF6Ar-o4tet872h4Q8RPYPJjcJQA@mail.gmail.com/
Signed-off-by: Sasha Levin --- arch/x86/include/asm/microcode.h | 1 + arch/x86/kernel/cpu/microcode/amd.c | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/asm/microcode.h b/arch/x86/include/asm/microcode.h index 0c3d3440fe27..aa675783412f 100644 --- a/arch/x86/include/asm/microcode.h +++ b/arch/x86/include/asm/microcode.h @@ -9,6 +9,7 @@ struct ucode_patch { struct list_head plist; void *data; /* Intel uses only this one */ + unsigned int size; u32 patch_id; u16 equiv_cpu; }; diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c index 8b2fcdfa6d31..615bc6efa1dd 100644 --- a/arch/x86/kernel/cpu/microcode/amd.c +++ b/arch/x86/kernel/cpu/microcode/amd.c @@ -788,6 +788,7 @@ static int verify_and_add_patch(u8 family, u8 *fw, unsigned int leftover, kfree(patch); return -EINVAL; } + patch->size = *patch_size; mc_hdr = (struct microcode_header_amd *)(fw + SECTION_HDR_SIZE); proc_id = mc_hdr->processor_rev_id; @@ -869,7 +870,7 @@ load_microcode_amd(bool save, u8 family, const u8 *data, size_t size) return ret; memset(amd_ucode_patch, 0, PATCH_MAX_SIZE); - memcpy(amd_ucode_patch, p->data, min_t(u32, ksize(p->data), PATCH_MAX_SIZE)); + memcpy(amd_ucode_patch, p->data, min_t(u32, p->size, PATCH_MAX_SIZE)); return ret; }
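
Review bot: the new `unsigned int size;` member of struct ucode_patch in arch/x86/include/asm/microcode.h carries no comment, and it sits directly below `void *data; /* Intel uses only this one */`, so a reader cannot tell whether size is meaningful for Intel entries. Suggest a one-line comment stating that size is the number of valid bytes behind data and naming who sets it; in this patch the only writer is verify_and_add_patch() in amd.c.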
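
Review bot: in verify_and_add_patch(), `patch->size = *patch_size;` is assigned after the error path that frees patch, but the allocation of patch->data lies outside the visible context, so the hunk does not show that the buffer was allocated with the same *patch_size. Please confirm that both use one value, and consider moving the assignment next to the allocation so the recorded size and the real allocation cannot drift apart in a later change.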
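
Review bot: in load_microcode_amd(), the length passed to memcpy() is now `min_t(u32, p->size, PATCH_MAX_SIZE)`, so it is only correct if every ucode_patch that can reach this line had size set; an entry created by a path that does not write the field would shorten or skip the copy and leave amd_ucode_patch as the zeroes written by the preceding memset(), with no error returned. Suggest either a sanity check on p->size before the copy or a comment stating that only entries built by verify_and_add_patch() can be found here.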