[kernel] r22474 - in dists/sid/linux/debian: . patches patches/bugfix/x86

Ben Hutchings benh at moszumanska.debian.org
Mon Apr 6 17:31:57 UTC 2015 

Author: benh
Date: Mon Apr  6 17:31:57 2015
New Revision: 22474

Log:
[x86] microcode/intel: Guard against stack overflow in the loader (CVE-2015-2666)

Added:
   dists/sid/linux/debian/patches/bugfix/x86/x86-microcode-intel-guard-against-stack-overflow-in-.patch
Modified:
   dists/sid/linux/debian/changelog
   dists/sid/linux/debian/patches/series

Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog	Mon Apr  6 17:28:52 2015	(r22473)
+++ dists/sid/linux/debian/changelog	Mon Apr  6 17:31:57 2015	(r22474)
@@ -184,6 +184,8 @@
   * ext4: fix ZERO_RANGE bug hidden by flag aliasing
   * ext4: fix accidental flag aliasing in ext4_map_blocks flags
   * ext4: allocate entire range in zero range (CVE-2015-0275)
+  * [x86] microcode/intel: Guard against stack overflow in the loader
+    (CVE-2015-2666)
 
  -- Ian Campbell <ijc at debian.org>  Wed, 18 Mar 2015 21:07:15 +0000
 

Added: dists/sid/linux/debian/patches/bugfix/x86/x86-microcode-intel-guard-against-stack-overflow-in-.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/x86/x86-microcode-intel-guard-against-stack-overflow-in-.patch	Mon Apr  6 17:31:57 2015	(r22474)
@@ -0,0 +1,32 @@
+From: Quentin Casasnovas <quentin.casasnovas at oracle.com>
+Date: Tue, 3 Feb 2015 13:00:22 +0100
+Subject: x86/microcode/intel: Guard against stack overflow in the loader
+Origin: https://git.kernel.org/linus/f84598bd7c851f8b0bf8cd0d7c3be0d73c432ff4
+
+mc_saved_tmp is a static array allocated on the stack, we need to make
+sure mc_saved_count stays within its bounds, otherwise we're overflowing
+the stack in _save_mc(). A specially crafted microcode header could lead
+to a kernel crash or potentially kernel execution.
+
+Signed-off-by: Quentin Casasnovas <quentin.casasnovas at oracle.com>
+Cc: "H. Peter Anvin" <hpa at zytor.com>
+Cc: Fenghua Yu <fenghua.yu at intel.com>
+Link: http://lkml.kernel.org/r/1422964824-22056-1-git-send-email-quentin.casasnovas@oracle.com
+Signed-off-by: Borislav Petkov <bp at suse.de>
+---
+ arch/x86/kernel/cpu/microcode/intel_early.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/microcode/intel_early.c b/arch/x86/kernel/cpu/microcode/intel_early.c
+index ec9df6f..5e109a3 100644
+--- a/arch/x86/kernel/cpu/microcode/intel_early.c
++++ b/arch/x86/kernel/cpu/microcode/intel_early.c
+@@ -321,7 +321,7 @@ get_matching_model_microcode(int cpu, unsigned long start,
+ 	unsigned int mc_saved_count = mc_saved_data->mc_saved_count;
+ 	int i;
+ 
+-	while (leftover) {
++	while (leftover && mc_saved_count < ARRAY_SIZE(mc_saved_tmp)) {
+ 		mc_header = (struct microcode_header_intel *)ucode_ptr;
+ 
+ 		mc_size = get_totalsize(mc_header);

Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series	Mon Apr  6 17:28:52 2015	(r22473)
+++ dists/sid/linux/debian/patches/series	Mon Apr  6 17:31:57 2015	(r22474)
@@ -560,3 +560,4 @@
 bugfix/all/ext4-fix-zero_range-bug-hidden-by-flag-aliasing.patch
 bugfix/all/ext4-fix-accidental-flag-aliasing-in-ext4_map_blocks.patch
 bugfix/all/ext4-allocate-entire-range-in-zero-range.patch
+bugfix/x86/x86-microcode-intel-guard-against-stack-overflow-in-.patch

More information about the Kernel-svn-changes mailing list