From patchwork Mon Oct 24 11:29:45 2022
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 8922
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Daniel Micay, Kees Cook, Borislav Petkov, Sasha Levin
Subject: [PATCH 5.4 075/255] x86/microcode/AMD: Track patch allocation size explicitly
Date: Mon, 24 Oct 2022 13:29:45 +0200
Message-Id: <20221024113005.010028078@linuxfoundation.org>
In-Reply-To: <20221024113002.471093005@linuxfoundation.org>
References: <20221024113002.471093005@linuxfoundation.org>

From: Kees Cook

[ Upstream commit 712f210a457d9c32414df246a72781550bc23ef6 ]

In preparation for reducing the use of ksize(), record the actual
allocation size for later memcpy(). This avoids copying extra
(uninitialized!) bytes into the patch buffer when the requested
allocation size isn't exactly the size of a kmalloc bucket.
Additionally, fix potential future issues where runtime bounds checking
will notice that the buffer was allocated to a smaller value than
returned by ksize().

Fixes: 757885e94a22 ("x86, microcode, amd: Early microcode patch loading support for AMD")
Suggested-by: Daniel Micay
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Link: https://lore.kernel.org/lkml/CA+DvKQ+bp7Y7gmaVhacjv9uF6Ar-o4tet872h4Q8RPYPJjcJQA@mail.gmail.com/
Signed-off-by: Sasha Levin --- arch/x86/include/asm/microcode.h | 1 + arch/x86/kernel/cpu/microcode/amd.c | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/asm/microcode.h b/arch/x86/include/asm/microcode.h index 91a06cef50c1..f73327397b89 100644 --- a/arch/x86/include/asm/microcode.h +++ b/arch/x86/include/asm/microcode.h @@ -9,6 +9,7 @@ struct ucode_patch { struct list_head plist; void *data; /* Intel uses only this one */ + unsigned int size; u32 patch_id; u16 equiv_cpu; }; diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c index a0e52bd00ecc..3b82d022dcd4 100644 --- a/arch/x86/kernel/cpu/microcode/amd.c +++ b/arch/x86/kernel/cpu/microcode/amd.c @@ -783,6 +783,7 @@ static int verify_and_add_patch(u8 family, u8 *fw, unsigned int leftover, kfree(patch); return -EINVAL; } + patch->size = *patch_size; mc_hdr = (struct microcode_header_amd *)(fw + SECTION_HDR_SIZE); proc_id = mc_hdr->processor_rev_id; @@ -864,7 +865,7 @@ load_microcode_amd(bool save, u8 family, const u8 *data, size_t size) return ret; memset(amd_ucode_patch, 0, PATCH_MAX_SIZE); - memcpy(amd_ucode_patch, p->data, min_t(u32, ksize(p->data), PATCH_MAX_SIZE)); + memcpy(amd_ucode_patch, p->data, min_t(u32, p->size, PATCH_MAX_SIZE)); return ret; }
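
Review bot: In the struct ucode_patch hunk (arch/x86/include/asm/microcode.h), the new `unsigned int size;` member carries no comment, while the `data` member directly above it is annotated "Intel uses only this one". Within this patch the field is written only in verify_and_add_patch() in amd.c, so a reader of the header cannot tell whether size is meaningful for every ucode_patch or only for AMD entries. A short comment stating that it holds the number of bytes allocated behind data, and which loader sets it, would close that gap.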
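
Review bot: In the verify_and_add_patch() hunk (amd.c, around line 783), `patch->size = *patch_size;` is placed after the closing brace of the kfree(patch) / return -EINVAL error path, and the allocation that fills patch->data lies outside the visible context, so the hunk alone does not show that the recorded value is the length that was actually allocated. Since load_microcode_amd() now uses this field as the memcpy() bound, it is worth confirming that the allocation uses the same `*patch_size` expression, and keeping the assignment directly adjacent to it so the two cannot drift apart in a later change.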
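
Review bot: In the load_microcode_amd() hunk (amd.c, around line 864), the copy length becomes min_t(u32, p->size, PATCH_MAX_SIZE), so a ucode_patch whose size was never assigned would copy zero bytes and leave amd_ucode_patch all zeroes from the preceding memset(), with no error returned. The only assignment visible in this patch is the one in verify_and_add_patch(); if p can come from any other path, that path needs to set size as well. A one-line comment above the memcpy() noting that the length is the recorded allocation size rather than ksize(), which may report the larger kmalloc bucket, would also keep the reasoning from the commit message next to the code.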