[CVE-2015-2666][Trusty] x86/microcode/intel: Guard against stack overflow in the loader

Luis Henriques luis.henriques at canonical.com
Wed Apr 8 14:52:00 UTC 2015


From: Quentin Casasnovas <quentin.casasnovas at oracle.com>

mc_saved_tmp is a static array allocated on the stack, we need to make
sure mc_saved_count stays within its bounds, otherwise we're overflowing
the stack in _save_mc(). A specially crafted microcode header could lead
to a kernel crash or potentially kernel execution.

Signed-off-by: Quentin Casasnovas <quentin.casasnovas at oracle.com>
Cc: "H. Peter Anvin" <hpa at zytor.com>
Cc: Fenghua Yu <fenghua.yu at intel.com>
Link: http://lkml.kernel.org/r/1422964824-22056-1-git-send-email-quentin.casasnovas@oracle.com
Signed-off-by: Borislav Petkov <bp at suse.de>
(backported from commit f84598bd7c851f8b0bf8cd0d7c3be0d73c432ff4)
BugLink: http://bugs.launchpad.net/bugs/1438504
CVE-2015-2666
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 arch/x86/kernel/microcode_intel_early.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/microcode_intel_early.c b/arch/x86/kernel/microcode_intel_early.c
index 1575deb2e636..c44f7db7ce44 100644
--- a/arch/x86/kernel/microcode_intel_early.c
+++ b/arch/x86/kernel/microcode_intel_early.c
@@ -321,7 +321,7 @@ get_matching_model_microcode(int cpu, unsigned long start,
 	unsigned int mc_saved_count = mc_saved_data->mc_saved_count;
 	int i;
 
-	while (leftover) {
+	while (leftover && mc_saved_count < ARRAY_SIZE(mc_saved_tmp)) {
 		mc_header = (struct microcode_header_intel *)ucode_ptr;
 
 		mc_size = get_totalsize(mc_header);




More information about the kernel-team mailing list