2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-23 12:43:55 +08:00
linux-next/arch/x86
Borislav Petkov 24c2503255 x86/microcode: Do not access the initrd after it has been freed
When we look for microcode blobs, we first try builtin and if that
doesn't succeed, we fallback to the initrd supplied to the kernel.

However, at some point doing boot, that initrd gets jettisoned and we
shouldn't access it anymore. But we do, as the below KASAN report shows.
That's because find_microcode_in_initrd() doesn't check whether the
initrd is still valid or not.

So do that.

  ==================================================================
  BUG: KASAN: use-after-free in find_cpio_data
  Read of size 1 by task swapper/1/0
  page:ffffea0000db9d40 count:0 mapcount:0 mapping:          (null) index:0x1
  flags: 0x100000000000000()
  raw: 0100000000000000 0000000000000000 0000000000000001 00000000ffffffff
  raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
  page dumped because: kasan: bad access detected
  CPU: 1 PID: 0 Comm: swapper/1 Tainted: G        W       4.10.0-rc5-debug-00075-g2dbde22 #3
  Hardware name: Dell Inc. XPS 13 9360/0839Y6, BIOS 1.2.3 12/01/2016
  Call Trace:
   dump_stack
   ? _atomic_dec_and_lock
   ? __dump_page
   kasan_report_error
   ? pointer
   ? find_cpio_data
   __asan_report_load1_noabort
   ? find_cpio_data
   find_cpio_data
   ? vsprintf
   ? dump_stack
   ? get_ucode_user
   ? print_usage_bug
   find_microcode_in_initrd
   __load_ucode_intel
   ? collect_cpu_info_early
   ? debug_check_no_locks_freed
   load_ucode_intel_ap
   ? collect_cpu_info
   ? trace_hardirqs_on
   ? flat_send_IPI_mask_allbutself
   load_ucode_ap
   ? get_builtin_firmware
   ? flush_tlb_func
   ? do_raw_spin_trylock
   ? cpumask_weight
   cpu_init
   ? trace_hardirqs_off
   ? play_dead_common
   ? native_play_dead
   ? hlt_play_dead
   ? syscall_init
   ? arch_cpu_idle_dead
   ? do_idle
   start_secondary
   start_cpu
  Memory state around the buggy address:
   ffff880036e74f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
   ffff880036e74f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  >ffff880036e75000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                     ^
   ffff880036e75080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
   ffff880036e75100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  ==================================================================

Reported-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Tested-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20170126165833.evjemhbqzaepirxo@pd.tnic
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-01-30 09:32:42 +01:00
..
boot x86/boot: Add missing declaration of string functions 2017-01-09 11:53:05 +01:00
configs IOMMU Updates for Linux v4.9 2016-10-11 12:52:41 -07:00
crypto crypto: aesni - Fix failure when built-in with modular pcbc 2016-12-30 18:20:45 +08:00
entry x86/entry: Fix the end of the stack for newly forked tasks 2017-01-12 09:28:29 +01:00
events Merge branch 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-01-18 11:13:41 -08:00
ia32 Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
include x86/microcode: Do not access the initrd after it has been freed 2017-01-30 09:32:42 +01:00
kernel x86/microcode: Do not access the initrd after it has been freed 2017-01-30 09:32:42 +01:00
kvm KVM: x86: fix fixing of hypercalls 2017-01-17 15:06:05 +01:00
lguest clocksource: Use a plain u64 instead of cycle_t 2016-12-25 11:04:12 +01:00
lib Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
math-emu Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
mm x86/mpx: Use compatible types in comparison to fix sparse error 2017-01-14 09:32:06 +01:00
net bpf: change back to orig prog on too many passes 2017-01-08 17:00:18 -05:00
oprofile x86/oprofile/nmi: Convert to hotplug state machine 2016-11-22 23:34:43 +01:00
pci x86/PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F 2017-01-11 09:11:15 -06:00
platform Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-01-15 12:03:11 -08:00
power Merge branch 'x86-timers-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-12-18 13:59:10 -08:00
purgatory x86/kexec: add -fno-PIE 2016-11-09 22:28:09 +01:00
ras x86/RAS: Add TSC timestamp to the injected MCE 2016-11-08 17:10:13 +01:00
realmode x86/build: Don't use $(LINUXINCLUDE) twice 2016-11-28 07:49:17 +01:00
tools x86/tools: Fix gcc-7 warning in relocs.c 2016-12-19 11:50:24 +01:00
um Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
video
xen Merge branch 'stable/for-linus-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/swiotlb 2017-01-06 10:53:21 -08:00
.gitignore
Kbuild
Kconfig Merge branch 'x86-cache-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-12-22 09:25:45 -08:00
Kconfig.cpu
Kconfig.debug
Makefile lib/raid6: Add AVX512 optimized gen_syndrome functions 2016-09-21 09:09:44 -07:00
Makefile_32.cpu
Makefile.um