[tip:x86/microcode] x86/microcode/AMD: Concentrate patch verification
Commit-ID: 2b8d34b1ece506a9bbd47b56d266ee020a0c65ac
Gitweb: https://git.kernel.org/tip/2b8d34b1ece506a9bbd47b56d266ee020a0c65ac
Author: Borislav Petkov
AuthorDate: Thu, 19 Jul 2018 15:32:42 +0200
Committer: Borislav Petkov
CommitDate: Mon, 19 Nov 2018 10:51:05 +0100
x86/microcode/AMD: Concentrate patch verification
Add a verify_patch() function which tries to sanity-check many aspects
of a microcode patch supplied by an outside container before attempting
a load.
Prepend all sub-functions' names which verify an aspect of a microcode
patch with "__".
Call it in verify_and_add_patch() *before* looking at the microcode
header.
Signed-off-by: Borislav Petkov
Cc: x...@kernel.org
Link: https://lkml.kernel.org/r/20181107170218.7596-7...@alien8.de
---
arch/x86/kernel/cpu/microcode/amd.c | 79 +
1 file changed, 54 insertions(+), 25 deletions(-)
diff --git a/arch/x86/kernel/cpu/microcode/amd.c
b/arch/x86/kernel/cpu/microcode/amd.c
index a94a15aacfe7..8f012a7f88c4 100644
--- a/arch/x86/kernel/cpu/microcode/amd.c
+++ b/arch/x86/kernel/cpu/microcode/amd.c
@@ -139,11 +139,15 @@ static bool verify_equivalence_table(const u8 *buf,
size_t buf_size, bool early)
* Check whether there is a valid, non-truncated microcode patch section at the
* beginning of @buf of size @buf_size. Set @early to use this function in the
* early path.
+ *
+ * On success, @sh_psize returns the patch size according to the section
header,
+ * to the caller.
*/
-static bool verify_patch_section(const u8 *buf, size_t buf_size, bool early)
+static bool
+__verify_patch_section(const u8 *buf, size_t buf_size, u32 *sh_psize, bool
early)
{
+ u32 p_type, p_size;
const u32 *hdr;
- u32 patch_type, patch_size;
if (buf_size < SECTION_HDR_SIZE) {
if (!early)
@@ -153,24 +157,26 @@ static bool verify_patch_section(const u8 *buf, size_t
buf_size, bool early)
}
hdr = (const u32 *)buf;
- patch_type = hdr[0];
- patch_size = hdr[1];
+ p_type = hdr[0];
+ p_size = hdr[1];
- if (patch_type != UCODE_UCODE_TYPE) {
+ if (p_type != UCODE_UCODE_TYPE) {
if (!early)
pr_debug("Invalid type field (0x%x) in container file
section header.\n",
- patch_type);
+ p_type);
return false;
}
- if (patch_size < sizeof(struct microcode_header_amd)) {
+ if (p_size < sizeof(struct microcode_header_amd)) {
if (!early)
- pr_debug("Patch of size %u too short.\n", patch_size);
+ pr_debug("Patch of size %u too short.\n", p_size);
return false;
}
+ *sh_psize = p_size;
+
return true;
}
@@ -181,7 +187,7 @@ static bool verify_patch_section(const u8 *buf, size_t
buf_size, bool early)
* header.
*/
static unsigned int
-verify_patch_size(u8 family, u32 sh_psize, unsigned int buf_size)
+__verify_patch_size(u8 family, u32 sh_psize, unsigned int buf_size)
{
u32 max_size;
@@ -212,6 +218,34 @@ verify_patch_size(u8 family, u32 sh_psize, unsigned int
buf_size)
return sh_psize;
}
+static unsigned int
+verify_patch(u8 family, const u8 *buf, unsigned int buf_size, bool early)
+{
+ u32 sh_psize;
+
+ if (!__verify_patch_section(buf, buf_size, _psize, early))
+ return 0;
+ /*
+* The section header length is not included in this indicated size
+* but is present in the leftover file length so we need to subtract
+* it before passing this value to the function below.
+*/
+ buf_size -= SECTION_HDR_SIZE;
+
+ /*
+* Check if the remaining buffer is big enough to contain a patch of
+* size sh_psize, as the section claims.
+*/
+ if (buf_size < sh_psize) {
+ if (!early)
+ pr_debug("Patch of size %u truncated.\n", sh_psize);
+
+ return 0;
+ }
+
+ return __verify_patch_size(family, sh_psize, buf_size);
+}
+
/*
* This scans the ucode blob for the proper container as we can have multiple
* containers glued together. Returns the equivalence ID from the equivalence
@@ -687,7 +721,7 @@ static void cleanup(void)
}
/*
- * We return the current size even if some of the checks failed so that
+ * Return a non-negative value even if some of the checks failed so that
* we can skip over the next patch. If we return a negative value, we
* signal a grave error like a memory allocation has failed and the
* driver cannot continue functioning normally. In such cases, we tear
@@ -695,14 +729,20 @@ static void cleanup(void)
*/
static int verify_and_add_patch(u8 family, u8 *fw, unsigned int leftover)
{
- unsigned int sh_psize, crnt_size, ret;
struct microcode_header_amd *mc_hdr;
+ unsigned int patch_size,
[tip:x86/microcode] x86/microcode/AMD: Concentrate patch verification
Commit-ID: 2b8d34b1ece506a9bbd47b56d266ee020a0c65ac
Gitweb: https://git.kernel.org/tip/2b8d34b1ece506a9bbd47b56d266ee020a0c65ac
Author: Borislav Petkov
AuthorDate: Thu, 19 Jul 2018 15:32:42 +0200
Committer: Borislav Petkov
CommitDate: Mon, 19 Nov 2018 10:51:05 +0100
x86/microcode/AMD: Concentrate patch verification
Add a verify_patch() function which tries to sanity-check many aspects
of a microcode patch supplied by an outside container before attempting
a load.
Prepend all sub-functions' names which verify an aspect of a microcode
patch with "__".
Call it in verify_and_add_patch() *before* looking at the microcode
header.
Signed-off-by: Borislav Petkov
Cc: x...@kernel.org
Link: https://lkml.kernel.org/r/20181107170218.7596-7...@alien8.de
---
arch/x86/kernel/cpu/microcode/amd.c | 79 +
1 file changed, 54 insertions(+), 25 deletions(-)
diff --git a/arch/x86/kernel/cpu/microcode/amd.c
b/arch/x86/kernel/cpu/microcode/amd.c
index a94a15aacfe7..8f012a7f88c4 100644
--- a/arch/x86/kernel/cpu/microcode/amd.c
+++ b/arch/x86/kernel/cpu/microcode/amd.c
@@ -139,11 +139,15 @@ static bool verify_equivalence_table(const u8 *buf,
size_t buf_size, bool early)
* Check whether there is a valid, non-truncated microcode patch section at the
* beginning of @buf of size @buf_size. Set @early to use this function in the
* early path.
+ *
+ * On success, @sh_psize returns the patch size according to the section
header,
+ * to the caller.
*/
-static bool verify_patch_section(const u8 *buf, size_t buf_size, bool early)
+static bool
+__verify_patch_section(const u8 *buf, size_t buf_size, u32 *sh_psize, bool
early)
{
+ u32 p_type, p_size;
const u32 *hdr;
- u32 patch_type, patch_size;
if (buf_size < SECTION_HDR_SIZE) {
if (!early)
@@ -153,24 +157,26 @@ static bool verify_patch_section(const u8 *buf, size_t
buf_size, bool early)
}
hdr = (const u32 *)buf;
- patch_type = hdr[0];
- patch_size = hdr[1];
+ p_type = hdr[0];
+ p_size = hdr[1];
- if (patch_type != UCODE_UCODE_TYPE) {
+ if (p_type != UCODE_UCODE_TYPE) {
if (!early)
pr_debug("Invalid type field (0x%x) in container file
section header.\n",
- patch_type);
+ p_type);
return false;
}
- if (patch_size < sizeof(struct microcode_header_amd)) {
+ if (p_size < sizeof(struct microcode_header_amd)) {
if (!early)
- pr_debug("Patch of size %u too short.\n", patch_size);
+ pr_debug("Patch of size %u too short.\n", p_size);
return false;
}
+ *sh_psize = p_size;
+
return true;
}
@@ -181,7 +187,7 @@ static bool verify_patch_section(const u8 *buf, size_t
buf_size, bool early)
* header.
*/
static unsigned int
-verify_patch_size(u8 family, u32 sh_psize, unsigned int buf_size)
+__verify_patch_size(u8 family, u32 sh_psize, unsigned int buf_size)
{
u32 max_size;
@@ -212,6 +218,34 @@ verify_patch_size(u8 family, u32 sh_psize, unsigned int
buf_size)
return sh_psize;
}
+static unsigned int
+verify_patch(u8 family, const u8 *buf, unsigned int buf_size, bool early)
+{
+ u32 sh_psize;
+
+ if (!__verify_patch_section(buf, buf_size, _psize, early))
+ return 0;
+ /*
+* The section header length is not included in this indicated size
+* but is present in the leftover file length so we need to subtract
+* it before passing this value to the function below.
+*/
+ buf_size -= SECTION_HDR_SIZE;
+
+ /*
+* Check if the remaining buffer is big enough to contain a patch of
+* size sh_psize, as the section claims.
+*/
+ if (buf_size < sh_psize) {
+ if (!early)
+ pr_debug("Patch of size %u truncated.\n", sh_psize);
+
+ return 0;
+ }
+
+ return __verify_patch_size(family, sh_psize, buf_size);
+}
+
/*
* This scans the ucode blob for the proper container as we can have multiple
* containers glued together. Returns the equivalence ID from the equivalence
@@ -687,7 +721,7 @@ static void cleanup(void)
}
/*
- * We return the current size even if some of the checks failed so that
+ * Return a non-negative value even if some of the checks failed so that
* we can skip over the next patch. If we return a negative value, we
* signal a grave error like a memory allocation has failed and the
* driver cannot continue functioning normally. In such cases, we tear
@@ -695,14 +729,20 @@ static void cleanup(void)
*/
static int verify_and_add_patch(u8 family, u8 *fw, unsigned int leftover)
{
- unsigned int sh_psize, crnt_size, ret;
struct microcode_header_amd *mc_hdr;
+ unsigned int patch_size,
