1 | From a827c0ac43c2dc1e5e0528ebd4b2ca2d74534e18 Mon Sep 17 00:00:00 2001 |
2 | From: Thomas Gleixner <tglx@linutronix.de> | |
3 | Date: Wed, 18 Oct 2017 19:39:35 +0200 | |
e4cdf2a5 | 4 | Subject: [PATCH 072/241] x86/cpuid: Prevent out of bound access in |
5 | do_clear_cpu_cap() |
6 | MIME-Version: 1.0 | |
7 | Content-Type: text/plain; charset=UTF-8 | |
8 | Content-Transfer-Encoding: 8bit | |
9 | ||
10 | CVE-2017-5754 | |
11 | ||
12 | do_clear_cpu_cap() allocates a bitmap to keep track of disabled feature | |
13 | dependencies. That bitmap is sized NCAPINTS * BITS_PER_INIT. The possible | |
14 | 'features' which can be handed in are larger than this, because after the | |
15 | capabilities the bug 'feature' bits occupy another 32bit. Not really | |
16 | obvious... | |
17 | ||
18 | So clearing any of the misfeature bits, as 32bit does for the F00F bug, | |
19 | accesses that bitmap out of bounds thereby corrupting the stack. | |
20 | ||
21 | Size the bitmap proper and add a sanity check to catch accidental out of | |
22 | bound access. | |
23 | ||
24 | Fixes: 0b00de857a64 ("x86/cpuid: Add generic table for CPUID dependencies") | |
25 | Reported-by: kernel test robot <xiaolong.ye@intel.com> | |
26 | Signed-off-by: Thomas Gleixner <tglx@linutronix.de> | |
27 | Cc: Andi Kleen <ak@linux.intel.com> | |
28 | Cc: Borislav Petkov <bp@alien8.de> | |
29 | Link: https://lkml.kernel.org/r/20171018022023.GA12058@yexl-desktop | |
30 | (cherry picked from commit 57b8b1a1856adaa849d02d547411a553a531022b) | |
31 | Signed-off-by: Andy Whitcroft <apw@canonical.com> | |
32 | Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> | |
33 | (cherry picked from commit 4b3a90bd20b35a97fd9ca6f6a71131f4417782e4) | |
34 | Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |
35 | --- | |
36 | arch/x86/kernel/cpu/cpuid-deps.c | 10 ++++++++-- | |
37 | 1 file changed, 8 insertions(+), 2 deletions(-) | |
38 | ||
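diff --git a/arch/x86/kernel/cpu/cpuid-deps.c b/arch/x86/kernel/cpu/cpuid-deps.c
index e48eb7313120..c1d49842a411 100644
--- a/arch/x86/kernel/cpu/cpuid-deps.c
+++ b/arch/x86/kernel/cpu/cpuid-deps.c
@@ -75,11 +75,17 @@ static inline void clear_feature(struct cpuinfo_x86 *c, unsigned int feature)
 	__clear_cpu_cap(c, feature);
 }
 
+/* Take the capabilities and the BUG bits into account */
+#define MAX_FEATURE_BITS ((NCAPINTS + NBUGINTS) * sizeof(u32) * 8)
+
 static void do_clear_cpu_cap(struct cpuinfo_x86 *c, unsigned int feature)
 {
-	bool changed;
-	DECLARE_BITMAP(disable, NCAPINTS * sizeof(u32) * 8);
+	DECLARE_BITMAP(disable, MAX_FEATURE_BITS);
 	const struct cpuid_dep *d;
+	bool changed;
+
+	if (WARN_ON(feature >= MAX_FEATURE_BITS))
+		return;
 
 	clear_feature(c, feature);
 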
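Review bot: The literal `8` in the new `MAX_FEATURE_BITS` definition is a magic number standing for bits per byte, and the same literal is what the removed `DECLARE_BITMAP(disable, NCAPINTS * sizeof(u32) * 8)` line relied on; tying it to the kernel's own definition, `#define MAX_FEATURE_BITS ((NCAPINTS + NBUGINTS) * sizeof(u32) * BITS_PER_BYTE)`, keeps the bitmap width derived from one place. The one-line comment above the macro could also name the failure it prevents, since the reason is only in the commit message: `/* Feature numbers span the CPUID capability words and the BUG words; a bitmap sized on NCAPINTS alone is overrun by bug bits */`. The `WARN_ON(feature >= MAX_FEATURE_BITS)` guard covers only the caller-supplied bit; do_clear_cpu_cap's body continues past the hunk, and any bits the dependency walk sets in `disable` from the static table are presumably compile-time values and so not checked here, which seems acceptable but is worth stating in the comment.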
63 | -- | |
64 | 2.14.2 | |