ucode: Fix validation on Intel platforms
AcceptedPublic
Actions

Authored by markj on Sat, May 23, 5:13 PM.

Details

Reviewers

kib
jrm

Summary

The check for the extended signature table was backwards, so we always
ignored it.

We should verify that the extended signature table fits within the total
image size.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 73391
Build 70274: arc lint + arc unit

Event Timeline

markj created this revision.Sat, May 23, 5:13 PM

Herald added a subscriber: imp. · View Herald TranscriptSat, May 23, 5:13 PM

markj requested review of this revision.Sat, May 23, 5:13 PM

Harbormaster completed remote builds in B73391: Diff 178485.Sat, May 23, 5:13 PM

kib added inline comments.Sat, May 23, 5:29 PM

sys/x86/x86/ucode.c
246	Why this check is needed? Wouldn't the next check first addend give the same verification? BTW, how much do we want to check the blobs? eg are overflows believed to never occur?

markj added inline comments.Sat, May 23, 5:37 PM

sys/x86/x86/ucode.c
246	I wanted to first check that it's "safe" to access table->signature_count. Overflow of the multiplication you mean? I believe it can't happen on 64-bit systems, but yes it could be written more carefully. In general I think we should at least make sure we're accessing fields within the bounds of the loaded microcode file.

kib accepted this revision.Sat, May 23, 5:54 PM

kib added inline comments.

sys/x86/x86/ucode.c
246	I wanted to first check that it's "safe" to access table->signature_count. Please add one-line comment there. Overflow of the multiplication you mean? I believe it can't happen on 64-bit systems, but yes it could be written more carefully. In general I think we should at least make sure we're accessing fields within the bounds of the loaded microcode file. I wonder if some kind of 'blob access API' which internally checks the bounds is due. It could be utilized in more places. But this is out of scope of this change, of course.

This revision is now accepted and ready to land.Sat, May 23, 5:54 PM

Thanks both. Nice catch to fix the inverted condition. If I understand correctly, before this fix, we would never have detected an extended signature, and thus never applied microcode for processors only listed in the extended signature.

In D57209#1310974, @jrm wrote:

Thanks both. Nice catch to fix the inverted condition. If I understand correctly, before this fix, we would never have detected an extended signature, and thus never applied microcode for processors only listed in the extended signature.

That's right. I'm not sure how often that arises in practice. Certainly it's a severe bug. :(

sys/x86/x86/ucode.c
246	I wonder if some kind of 'blob access API' which internally checks the bounds is due. It could be utilized in more places. But this is out of scope of this change, of course. That would be useful. Something which lets you take a variety of "memory descriptors" (e.g., plain buffer, SG list of vaddrs or paddrs, mbufs, etc.) and maintains a current seek offset, then lets you copy in or copy out (more expensive, safer) or obtain a raw pointer to a sub-range of a specific size (cheaper, unsafe). The opencrypto code has something like this, see crypto_cursor_*, and I'm sure there are others.

Rework validition to avoid multiplication.
Fall back to the extended signature table if the processor flags don't match.

This revision now requires review to proceed.Mon, May 25, 2:28 PM

Harbormaster completed remote builds in B73419: Diff 178548.Mon, May 25, 2:28 PM

kib accepted this revision.Mon, May 25, 2:57 PM

This revision is now accepted and ready to land.Mon, May 25, 2:57 PM

Accepting because everything looks correct to me, with the caveat that I don't often look at this code, and I haven't tested (because I don't have an Intel processor whose signature appears in an extended table).

Revision Contents
Changeset List

Path

Size

sys/

x86/

ucode.c

14 lines

Diff 178485

View Options

ucode: Fix validation on Intel platformsAcceptedPublicActions