[pve-kernel.git] / patches / kernel / 0072-x86-cpuid-Prevent-out-of-bound-access-in-do_clear_cp.patch

From a827c0ac43c2dc1e5e0528ebd4b2ca2d74534e18 Mon Sep 17 00:00:00 2001
From: Thomas Gleixner <tglx@linutronix.de>
Date: Wed, 18 Oct 2017 19:39:35 +0200
Subject: [PATCH 072/241] x86/cpuid: Prevent out of bound access in
 do_clear_cpu_cap()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2017-5754

do_clear_cpu_cap() allocates a bitmap to keep track of disabled feature
dependencies. That bitmap is sized NCAPINTS * BITS_PER_INIT. The possible
'features' which can be handed in are larger than this, because after the
capabilities the bug 'feature' bits occupy another 32bit. Not really
obvious...

So clearing any of the misfeature bits, as 32bit does for the F00F bug,
accesses that bitmap out of bounds thereby corrupting the stack.

Size the bitmap proper and add a sanity check to catch accidental out of
bound access.

Fixes: 0b00de857a64 ("x86/cpuid: Add generic table for CPUID dependencies")
Reported-by: kernel test robot <xiaolong.ye@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Borislav Petkov <bp@alien8.de>
Link: https://lkml.kernel.org/r/20171018022023.GA12058@yexl-desktop
(cherry picked from commit 57b8b1a1856adaa849d02d547411a553a531022b)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
(cherry picked from commit 4b3a90bd20b35a97fd9ca6f6a71131f4417782e4)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 arch/x86/kernel/cpu/cpuid-deps.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/cpu/cpuid-deps.c b/arch/x86/kernel/cpu/cpuid-deps.c
index e48eb7313120..c1d49842a411 100644
--- a/arch/x86/kernel/cpu/cpuid-deps.c
+++ b/arch/x86/kernel/cpu/cpuid-deps.c
@@ -75,11 +75,17 @@ static inline void clear_feature(struct cpuinfo_x86 *c, unsigned int feature)
 		__clear_cpu_cap(c, feature);
 }
 
+/* Take the capabilities and the BUG bits into account */
+#define MAX_FEATURE_BITS ((NCAPINTS + NBUGINTS) * sizeof(u32) * 8)
+
 static void do_clear_cpu_cap(struct cpuinfo_x86 *c, unsigned int feature)
 {
-	bool changed;
-	DECLARE_BITMAP(disable, NCAPINTS * sizeof(u32) * 8);
+	DECLARE_BITMAP(disable, MAX_FEATURE_BITS);
 	const struct cpuid_dep *d;
+	bool changed;
+
+	if (WARN_ON(feature >= MAX_FEATURE_BITS))
+		return;
 
 	clear_feature(c, feature);
 
-- 
2.14.2
Commit	Line	Data
321d628a FG	1	From a827c0ac43c2dc1e5e0528ebd4b2ca2d74534e18 Mon Sep 17 00:00:00 2001
	2	From: Thomas Gleixner <tglx@linutronix.de>
	3	Date: Wed, 18 Oct 2017 19:39:35 +0200
e4cdf2a5	4	Subject: [PATCH 072/241] x86/cpuid: Prevent out of bound access in
321d628a FG	5	do_clear_cpu_cap()
	6	MIME-Version: 1.0
	7	Content-Type: text/plain; charset=UTF-8
	8	Content-Transfer-Encoding: 8bit
	9
	10	CVE-2017-5754
	11
	12	do_clear_cpu_cap() allocates a bitmap to keep track of disabled feature
	13	dependencies. That bitmap is sized NCAPINTS * BITS_PER_INIT. The possible
	14	'features' which can be handed in are larger than this, because after the
	15	capabilities the bug 'feature' bits occupy another 32bit. Not really
	16	obvious...
	17
	18	So clearing any of the misfeature bits, as 32bit does for the F00F bug,
	19	accesses that bitmap out of bounds thereby corrupting the stack.
	20
	21	Size the bitmap proper and add a sanity check to catch accidental out of
	22	bound access.
	23
	24	Fixes: 0b00de857a64 ("x86/cpuid: Add generic table for CPUID dependencies")
	25	Reported-by: kernel test robot <xiaolong.ye@intel.com>
	26	Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
	27	Cc: Andi Kleen <ak@linux.intel.com>
	28	Cc: Borislav Petkov <bp@alien8.de>
	29	Link: https://lkml.kernel.org/r/20171018022023.GA12058@yexl-desktop
	30	(cherry picked from commit 57b8b1a1856adaa849d02d547411a553a531022b)
	31	Signed-off-by: Andy Whitcroft <apw@canonical.com>
	32	Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	33	(cherry picked from commit 4b3a90bd20b35a97fd9ca6f6a71131f4417782e4)
	34	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
	35	---
	36	arch/x86/kernel/cpu/cpuid-deps.c \| 10 ++++++++--
	37	1 file changed, 8 insertions(+), 2 deletions(-)
	38
	39	diff --git a/arch/x86/kernel/cpu/cpuid-deps.c b/arch/x86/kernel/cpu/cpuid-deps.c
	40	index e48eb7313120..c1d49842a411 100644
	41	--- a/arch/x86/kernel/cpu/cpuid-deps.c
	42	+++ b/arch/x86/kernel/cpu/cpuid-deps.c
	43	@@ -75,11 +75,17 @@ static inline void clear_feature(struct cpuinfo_x86 *c, unsigned int feature)
	44	__clear_cpu_cap(c, feature);
	45	}
	46
	47	+/* Take the capabilities and the BUG bits into account */
	48	+#define MAX_FEATURE_BITS ((NCAPINTS + NBUGINTS) * sizeof(u32) * 8)
	49	+
	50	static void do_clear_cpu_cap(struct cpuinfo_x86 *c, unsigned int feature)
	51	{
	52	- bool changed;
	53	- DECLARE_BITMAP(disable, NCAPINTS * sizeof(u32) * 8);
	54	+ DECLARE_BITMAP(disable, MAX_FEATURE_BITS);
	55	const struct cpuid_dep *d;
	56	+ bool changed;
	57	+
	58	+ if (WARN_ON(feature >= MAX_FEATURE_BITS))
	59	+ return;
	60
	61	clear_feature(c, feature);
	62
	63	--
	64	2.14.2
	65