X-Patchwork-Id: 9435
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Daniel Micay, Kees Cook, Borislav Petkov, Sasha Levin
Subject: [PATCH 5.15 184/530] x86/microcode/AMD: Track patch allocation size explicitly
Date: Mon, 24 Oct 2022 13:28:48 +0200
Message-Id: <20221024113053.361326503@linuxfoundation.org>
In-Reply-To: <20221024113044.976326639@linuxfoundation.org>

From: Kees Cook

[ Upstream commit 712f210a457d9c32414df246a72781550bc23ef6 ]

In preparation for reducing the use of ksize(), record the actual allocation size for later memcpy(). This avoids copying extra (uninitialized!) bytes into the patch buffer when the requested allocation size isn't exactly the size of a kmalloc bucket. Additionally, fix potential future issues where runtime bounds checking will notice that the buffer was allocated to a smaller value than returned by ksize().

Fixes: 757885e94a22 ("x86, microcode, amd: Early microcode patch loading support for AMD")
Suggested-by: Daniel Micay
Signed-off-by: Kees Cook
Signed-off-by: Borislav Petkov
Link: https://lore.kernel.org/lkml/CA+DvKQ+bp7Y7gmaVhacjv9uF6Ar-o4tet872h4Q8RPYPJjcJQA@mail.gmail.com/
Signed-off-by: Sasha Levin --- arch/x86/include/asm/microcode.h | 1 + arch/x86/kernel/cpu/microcode/amd.c | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/asm/microcode.h b/arch/x86/include/asm/microcode.h index fcbfe94903bb..d130d21f4862 100644 --- a/arch/x86/include/asm/microcode.h +++ b/arch/x86/include/asm/microcode.h @@ -9,6 +9,7 @@ struct ucode_patch { struct list_head plist; void *data; /* Intel uses only this one */ + unsigned int size; u32 patch_id; u16 equiv_cpu; }; diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c index 3d4a48336084..5a16844b99d3 100644 --- a/arch/x86/kernel/cpu/microcode/amd.c +++ b/arch/x86/kernel/cpu/microcode/amd.c @@ -782,6 +782,7 @@ static int verify_and_add_patch(u8 family, u8 *fw, unsigned int leftover, kfree(patch); return -EINVAL; } + patch->size = *patch_size; mc_hdr = (struct microcode_header_amd *)(fw + SECTION_HDR_SIZE); proc_id = mc_hdr->processor_rev_id; @@ -863,7 +864,7 @@ load_microcode_amd(bool save, u8 family, const u8 *data, size_t size) return ret; memset(amd_ucode_patch, 0, PATCH_MAX_SIZE); - memcpy(amd_ucode_patch, p->data, min_t(u32, ksize(p->data), PATCH_MAX_SIZE)); + memcpy(amd_ucode_patch, p->data, min_t(u32, p->size, PATCH_MAX_SIZE)); return ret; }
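Review bot: The new `unsigned int size;` member in struct ucode_patch (microcode.h hunk) has no comment saying what it measures, and it sits directly under `void *data; /* Intel uses only this one */`, which now reads as if `size` is unused or unset on the Intel path without saying so. Since the whole point of the change is that this is the requested length of `data` and not the kmalloc bucket size that ksize() reports, a short comment such as `/* bytes requested for data, not ksize(data) */` would keep a later reader from "fixing" it back. The neighbouring members use fixed-width types (`u32 patch_id`, `u16 equiv_cpu`) and the consumer compares with `min_t(u32, ...)`, so declaring the field as `u32` would be more consistent.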
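Review bot: In the verify_and_add_patch() hunk, `patch->size = *patch_size;` is placed after the `kfree(patch); return -EINVAL;` error path, but the allocation of `patch->data` itself is outside the visible context, so it cannot be confirmed from this hunk that `*patch_size` is the same value that was passed to that allocation. That equality is what makes the later `memcpy()` length safe; if the two can differ, the copy in load_microcode_amd() would read past the allocation. Setting `patch->size` on the line next to the allocation, from the same expression, would make the invariant obvious and keep the two from drifting apart in later edits.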
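Review bot: In the load_microcode_amd() hunk, the copy length `min_t(u32, p->size, PATCH_MAX_SIZE)` now depends on `p->size` having been set for every `p` that can reach this line, and the only assignment in this patch is the one in verify_and_add_patch(). If a `struct ucode_patch` can arrive here by any other path, `p->size` may be 0, in which case the preceding `memset(amd_ucode_patch, 0, PATCH_MAX_SIZE)` leaves an all-zero buffer and the function still returns `ret` as if the patch had been saved. It is worth either stating in a comment that all entries on this path come from verify_and_add_patch(), or rejecting `p->size == 0` before the `memcpy()` so the failure is not silent.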