forked from SLFO-pool/xen
53 lines
2.4 KiB
Diff
53 lines
2.4 KiB
Diff
# Commit a8bf14f6f331d4f428010b4277b67c33f561ed19
|
|
# Date 2024-09-13 15:23:30 +0100
|
|
# Author Demi Marie Obenour <demi@invisiblethingslab.com>
|
|
# Committer Andrew Cooper <andrew.cooper3@citrix.com>
|
|
xen/ucode: Fix buffer under-run when parsing AMD containers
|
|
|
|
The AMD container format has no formal spec. It is, at best, precision
|
|
guesswork based on AMD's prior contributions to open source projects. The
|
|
Equivalence Table has both an explicit length, and an expectation of having a
|
|
NULL entry at the end.
|
|
|
|
Xen was sanity checking the NULL entry, but without confirming that an entry
|
|
was present, resulting in a read off the front of the buffer. With some
|
|
manual debugging/annotations this manifests as:
|
|
|
|
(XEN) *** Buf ffff83204c00b19c, eq ffff83204c00b194
|
|
(XEN) *** eq: 0c 00 00 00 44 4d 41 00 00 00 00 00 00 00 00 00 aa aa aa aa
|
|
^-Actual buffer-------------------^
|
|
(XEN) *** installed_cpu: 000c
|
|
(XEN) microcode: Bad equivalent cpu table
|
|
(XEN) Parsing microcode blob error -22
|
|
|
|
When loaded by hypercall, the 4 bytes interpreted as installed_cpu happen to
|
|
be the containing struct ucode_buf's len field, and luckily will be nonzero.
|
|
|
|
When loaded at boot, it's possible for the access to #PF if the module happens
|
|
to have been placed on a 2M boundary by the bootloader. Under Linux, it will
|
|
commonly be the end of the CPIO header.
|
|
|
|
Drop the probe of the NULL entry; Nothing else cares. A container without one
|
|
is well formed, insofar that we can still parse it correctly. With this
|
|
dropped, the same container results in:
|
|
|
|
(XEN) microcode: couldn't find any matching ucode in the provided blob!
|
|
|
|
Fixes: 4de936a38aa9 ("x86/ucode/amd: Rework parsing logic in cpu_request_microcode()")
|
|
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
|
|
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
|
|
Reviewed-by: Jan Beulich <jbeulich@suse.com>
|
|
|
|
--- a/xen/arch/x86/cpu/microcode/amd.c
|
|
+++ b/xen/arch/x86/cpu/microcode/amd.c
|
|
@@ -336,8 +336,7 @@ static struct microcode_patch *cf_check
|
|
if ( size < sizeof(*et) ||
|
|
(et = buf)->type != UCODE_EQUIV_CPU_TABLE_TYPE ||
|
|
size - sizeof(*et) < et->len ||
|
|
- et->len % sizeof(et->eq[0]) ||
|
|
- et->eq[(et->len / sizeof(et->eq[0])) - 1].installed_cpu )
|
|
+ et->len % sizeof(et->eq[0]) )
|
|
{
|
|
printk(XENLOG_ERR "microcode: Bad equivalent cpu table\n");
|
|
error = -EINVAL;
|