The early loader parse_container() function should check whether the microcode container file is actually large enough to contain the patch of an indicated size, just like the late loader does.
Also, the request_microcode_amd() function should check whether the container file is actually large enough to contain the header magic value.
Signed-off-by: Maciej S. Szmigiero <m...@maciej.szmigiero.name>
---
 arch/x86/kernel/cpu/microcode/amd.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
index 3ad23e72c2b0..63bd1a63f98a 100644
--- a/arch/x86/kernel/cpu/microcode/amd.c
+++ b/arch/x86/kernel/cpu/microcode/amd.c
@@ -137,6 +137,9 @@ static size_t parse_container(u8 *ucode, size_t size, struct cont_desc *desc)
 struct microcode_amd *mc;
 u32 patch_size;
+ if (size < SECTION_HDR_SIZE)
+ break;
+
 hdr = (u32 *)buf;
 if (hdr[0] != UCODE_UCODE_TYPE)
@@ -151,6 +154,10 @@ static size_t parse_container(u8 *ucode, size_t size, struct cont_desc *desc)
 buf += SECTION_HDR_SIZE;
 size -= SECTION_HDR_SIZE;
+ if (size < sizeof(*mc) ||
+ size < patch_size)
+ break;
+
 mc = (struct microcode_amd *)buf;
 if (eq_id == mc->hdr.processor_rev_id) {
 desc->psize = patch_size;
@@ -786,6 +793,10 @@ static enum ucode_state request_microcode_amd(int cpu, struct device *device,
 }
 ret = UCODE_ERROR;
+ if (fw->size < sizeof(u32)) {
+ pr_err("microcode container far too short\n");
+ goto fw_release;
+ }
 if (*(u32 *)fw->data != UCODE_MAGIC) {
 pr_err("invalid magic value (0x%08x)\n", *(u32 *)fw->data);
 goto fw_release;
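Review bot: The new `size < SECTION_HDR_SIZE` guard in the first parse_container() hunk has no comment saying why the scan stops there, even though the container comes from an externally supplied file. I would add `/* Truncated section header: stop before hdr[0]/hdr[1] are read past the end of the container. */` above it. The loop and the rest of parse_container() lie outside the hunk, so what the function reports to its caller after this `break` cannot be checked from here.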
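Review bot: In the second parse_container() hunk, a `patch_size` smaller than `sizeof(*mc)` still passes the added check, because both comparisons bound only `size`. On a revision match `desc->psize` is then set to a length shorter than the patch header that was just read, and later consumers of `desc` may trust that length. Bounding the declared length as well covers both cases: `if (patch_size < sizeof(*mc) || size < patch_size)` followed by the same `break;`. Whether `patch_size` is range-checked in the lines between the two hunks is not visible here.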
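Review bot: The added `fw->size < sizeof(u32)` check in request_microcode_amd() covers only the four magic bytes dereferenced on the next line. If the code after this hunk reads further container header fields from `fw->data`, it needs its own length check, or this guard should be widened to the full container header size; that code is outside the hunk, so please confirm. The message would also be more useful for triage with the observed length, e.g. `pr_err("microcode container too short (%zu bytes)\n", fw->size);`.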