x86/microcode/intel: Handle truncated microcode images more robustly (35a9ff4e) · Commits · e / devices / android_kernel_teracube_mt6765

We do not check the input data bounds containing the microcode before copying a struct microcode_intel_header from it. A specially crafted microcode could cause the kernel to read invalid memory and lead to a denial-of-service. Signed-off-by:

Quentin Casasnovas <quentin.casasnovas@oracle.com> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Fenghua Yu <fenghua.yu@intel.com> Link: http://lkml.kernel.org/r/1422964824-22056-3-git-send-email-quentin.casasnovas@oracle.com [ Made error message differ from the next one and flipped comparison. ] Signed-off-by:

Borislav Petkov <bp@suse.de>

arch/x86/kernel/cpu/microcode/intel.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -196,6 +196,11 @@ static enum ucode_state generic_load_microcode(int cpu, void *data, size_t size,
		struct microcode_header_intel mc_header;
		unsigned int mc_size;

		if (leftover < sizeof(mc_header)) {
		pr_err("error! Truncated header in microcode data file\n");
		break;
		}

		if (get_ucode_data(&mc_header, ucode_ptr, sizeof(mc_header)))
		break;

arch/x86/kernel/cpu/microcode/intel_early.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -322,6 +322,10 @@ get_matching_model_microcode(int cpu, unsigned long start,
		int i;

		while (leftover && mc_saved_count < ARRAY_SIZE(mc_saved_tmp)) {

		if (leftover < sizeof(mc_header))
		break;

		mc_header = (struct microcode_header_intel *)ucode_ptr;

		mc_size = get_totalsize(mc_header);