From patchwork Mon Oct 24 11:29:45 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Greg KH <gregkh@linuxfoundation.org>
X-Patchwork-Id: 8922
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp434562wru;
        Mon, 24 Oct 2022 05:52:28 -0700 (PDT)
X-Google-Smtp-Source: 
 AMsMyM4OmbehUN+F1tKIGv9jfrwqXXICsfK3BFFZm3BpMmzEgk9b0xgAk1EVDiWpAF+ZEEkroC8W
X-Received: by 2002:a05:6402:555:b0:461:a144:e949 with SMTP id
 i21-20020a056402055500b00461a144e949mr7357977edx.45.1666615948235;
        Mon, 24 Oct 2022 05:52:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666615948; cv=none;
        d=google.com; s=arc-20160816;
        b=HH9VVJUhicXo0MsVp2/c1pQKblC0jWtYJj9Mu5RgY+mM5xGRgM6aP+Sj9MCYQLdcp6
         wOWp/NJNuqB/n96rwkIs9qpNsCPndFQHcEVa4GSbituUAtUNggvrjMgJvgHWjfr+AhQI
         1dGY19z3XHf1BId53uapdtiPb8BA8gh+tvDnQv9vscPk+5Bu/oJXhQky27ItnRuyBQm6
         ka/Q9B/JkDEdBYvziwJqJilJQRRF4ERZAIHM3XEoPrFTrBen07+4SwckE15WIeiqmkXG
         fA2of02/DxhO/KlmgnsNL9mxDdcqP5LfW43OIVOePczVWnKB1uQU8mANucHss/cP6ebk
         2Tsg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=xsJnZjdB8h4o7Pchn6j94I7tOwoEguonmkzuuQ60Sd0=;
        b=TWiTlN1WGbkVQndThoihUGUH+YLZrGcjIYF3XTfYbWNb/dk7yCvvfVFm64PwDWA4IS
         y6MhDJ3lraNNbxrFrDbYapgggP95yPmeSMdMLYVhF1a+IToxfAB4qyi1mGnsPKVD5jbc
         5UYraCFR3rixG1OUQUobeVrAPHN1nw7tN498IAaXuGWZwNs6r9gc3ThZTgtAey/NQbYM
         8m7lMd77uw90i31THrZxhKBTjIlDJyvv0w2AaptQCH78clOMErV1HKV5a2Mx5hIt/zJq
         fi322ue4nX8KNvV3taDadgugvdwEsvluobIHe2ytRYnhfUjHMC2CCGYEvwiMfXnIo5Pc
         8SuQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg
 header.b=AQr1ZJd9;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id
 sc41-20020a1709078a2900b0078d027ceb41si31380645ejc.857.2022.10.24.05.52.01;
        Mon, 24 Oct 2022 05:52:28 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg
 header.b=AQr1ZJd9;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234869AbiJXMte (ORCPT <rfc822;pwkd43@gmail.com> + 99 others);
        Mon, 24 Oct 2022 08:49:34 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40292 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234473AbiJXMo4 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 24 Oct 2022 08:44:56 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org
 [IPv6:2604:1380:4641:c500::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C8594F5BB;
        Mon, 24 Oct 2022 05:09:31 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 746F8612DA;
        Mon, 24 Oct 2022 12:07:57 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8671FC433C1;
        Mon, 24 Oct 2022 12:07:56 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1666613276;
        bh=UdSoqEBkBwPElrlxMo5agw7TJXBjNCUSgmXNmvuEWhk=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=AQr1ZJd9gmy8Qlc82hkkenXE+Uzp4wIpNHL5GEZ0V6vG/8Hpu19M5OFac9pxcr7i9
         tDJAFWN/ggkocJc9kEytCrunxWYc1wTs8cTaT41bjTA76SZ4LRMQxZqBZj4iox76WP
         eXLNSE6eHeyFet8Jqpqp2t2d7ih6HsVA1h2nCpwE=
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Daniel Micay <danielmicay@gmail.com>,
        Kees Cook <keescook@chromium.org>,
        Borislav Petkov <bp@suse.de>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 075/255] x86/microcode/AMD: Track patch allocation size
 explicitly
Date: Mon, 24 Oct 2022 13:29:45 +0200
Message-Id: <20221024113005.010028078@linuxfoundation.org>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20221024113002.471093005@linuxfoundation.org>
References: <20221024113002.471093005@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1747573484547251356?=
X-GMAIL-MSGID: =?utf-8?q?1747573484547251356?=

From: Kees Cook <keescook@chromium.org>

[ Upstream commit 712f210a457d9c32414df246a72781550bc23ef6 ]

In preparation for reducing the use of ksize(), record the actual
allocation size for later memcpy(). This avoids copying extra
(uninitialized!) bytes into the patch buffer when the requested
allocation size isn't exactly the size of a kmalloc bucket.
Additionally, fix potential future issues where runtime bounds checking
will notice that the buffer was allocated to a smaller value than
returned by ksize().

Fixes: 757885e94a22 ("x86, microcode, amd: Early microcode patch loading support for AMD")
Suggested-by: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Link: https://lore.kernel.org/lkml/CA+DvKQ+bp7Y7gmaVhacjv9uF6Ar-o4tet872h4Q8RPYPJjcJQA@mail.gmail.com/
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/include/asm/microcode.h    | 1 +
 arch/x86/kernel/cpu/microcode/amd.c | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/microcode.h b/arch/x86/include/asm/microcode.h
index 91a06cef50c1..f73327397b89 100644
--- a/arch/x86/include/asm/microcode.h
+++ b/arch/x86/include/asm/microcode.h
@@ -9,6 +9,7 @@
 struct ucode_patch {
 	struct list_head plist;
 	void *data;		/* Intel uses only this one */
+	unsigned int size;
 	u32 patch_id;
 	u16 equiv_cpu;
 };
diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
index a0e52bd00ecc..3b82d022dcd4 100644
--- a/arch/x86/kernel/cpu/microcode/amd.c
+++ b/arch/x86/kernel/cpu/microcode/amd.c
@@ -783,6 +783,7 @@ static int verify_and_add_patch(u8 family, u8 *fw, unsigned int leftover,
 		kfree(patch);
 		return -EINVAL;
 	}
+	patch->size = *patch_size;
 
 	mc_hdr      = (struct microcode_header_amd *)(fw + SECTION_HDR_SIZE);
 	proc_id     = mc_hdr->processor_rev_id;
@@ -864,7 +865,7 @@ load_microcode_amd(bool save, u8 family, const u8 *data, size_t size)
 		return ret;
 
 	memset(amd_ucode_patch, 0, PATCH_MAX_SIZE);
-	memcpy(amd_ucode_patch, p->data, min_t(u32, ksize(p->data), PATCH_MAX_SIZE));
+	memcpy(amd_ucode_patch, p->data, min_t(u32, p->size, PATCH_MAX_SIZE));
 
 	return ret;
 }