Improper pointer arithmetics when calculating the address of the extended header could lead to an out of bounds memory read and kernel panic.
Signed-off-by: Quentin Casasnovas <[email protected]> --- arch/x86/kernel/cpu/microcode/intel_early.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git arch/x86/kernel/cpu/microcode/intel_early.c arch/x86/kernel/cpu/microcode/intel_early.c index 420eb93..3a6c613 100644 --- arch/x86/kernel/cpu/microcode/intel_early.c +++ arch/x86/kernel/cpu/microcode/intel_early.c @@ -180,8 +180,7 @@ matching_model_microcode(struct microcode_header_intel *mc_header, if (total_size <= data_size + MC_HEADER_SIZE) return UCODE_NFOUND; - ext_header = (struct extended_sigtable *) - mc_header + data_size + MC_HEADER_SIZE; + ext_header = (void *) mc_header + data_size + MC_HEADER_SIZE; ext_sigcount = ext_header->count; ext_sig = (void *)ext_header + EXT_HEADER_SIZE; @@ -457,8 +456,7 @@ static void __ref show_saved_mc(void) if (total_size <= data_size + MC_HEADER_SIZE) continue; - ext_header = (struct extended_sigtable *) - mc_saved_header + data_size + MC_HEADER_SIZE; + ext_header = (void *) mc_saved_header + data_size + MC_HEADER_SIZE; ext_sigcount = ext_header->count; ext_sig = (void *)ext_header + EXT_HEADER_SIZE; -- 2.0.5 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
