[kernel] r22474 - in dists/sid/linux/debian: . patches patches/bugfix/x86
Ben Hutchings
benh at moszumanska.debian.org
Mon Apr 6 17:31:57 UTC 2015
Author: benh
Date: Mon Apr 6 17:31:57 2015
New Revision: 22474
Log:
[x86] microcode/intel: Guard against stack overflow in the loader (CVE-2015-2666)
Added:
dists/sid/linux/debian/patches/bugfix/x86/x86-microcode-intel-guard-against-stack-overflow-in-.patch
Modified:
dists/sid/linux/debian/changelog
dists/sid/linux/debian/patches/series
Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog Mon Apr 6 17:28:52 2015 (r22473)
+++ dists/sid/linux/debian/changelog Mon Apr 6 17:31:57 2015 (r22474)
@@ -184,6 +184,8 @@
* ext4: fix ZERO_RANGE bug hidden by flag aliasing
* ext4: fix accidental flag aliasing in ext4_map_blocks flags
* ext4: allocate entire range in zero range (CVE-2015-0275)
+ * [x86] microcode/intel: Guard against stack overflow in the loader
+ (CVE-2015-2666)
-- Ian Campbell <ijc at debian.org> Wed, 18 Mar 2015 21:07:15 +0000
Added: dists/sid/linux/debian/patches/bugfix/x86/x86-microcode-intel-guard-against-stack-overflow-in-.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/x86/x86-microcode-intel-guard-against-stack-overflow-in-.patch Mon Apr 6 17:31:57 2015 (r22474)
@@ -0,0 +1,32 @@
+From: Quentin Casasnovas <quentin.casasnovas at oracle.com>
+Date: Tue, 3 Feb 2015 13:00:22 +0100
+Subject: x86/microcode/intel: Guard against stack overflow in the loader
+Origin: https://git.kernel.org/linus/f84598bd7c851f8b0bf8cd0d7c3be0d73c432ff4
+
+mc_saved_tmp is a static array allocated on the stack, we need to make
+sure mc_saved_count stays within its bounds, otherwise we're overflowing
+the stack in _save_mc(). A specially crafted microcode header could lead
+to a kernel crash or potentially kernel execution.
+
+Signed-off-by: Quentin Casasnovas <quentin.casasnovas at oracle.com>
+Cc: "H. Peter Anvin" <hpa at zytor.com>
+Cc: Fenghua Yu <fenghua.yu at intel.com>
+Link: http://lkml.kernel.org/r/1422964824-22056-1-git-send-email-quentin.casasnovas@oracle.com
+Signed-off-by: Borislav Petkov <bp at suse.de>
+---
+ arch/x86/kernel/cpu/microcode/intel_early.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/microcode/intel_early.c b/arch/x86/kernel/cpu/microcode/intel_early.c
+index ec9df6f..5e109a3 100644
+--- a/arch/x86/kernel/cpu/microcode/intel_early.c
++++ b/arch/x86/kernel/cpu/microcode/intel_early.c
+@@ -321,7 +321,7 @@ get_matching_model_microcode(int cpu, unsigned long start,
+ unsigned int mc_saved_count = mc_saved_data->mc_saved_count;
+ int i;
+
+- while (leftover) {
++ while (leftover && mc_saved_count < ARRAY_SIZE(mc_saved_tmp)) {
+ mc_header = (struct microcode_header_intel *)ucode_ptr;
+
+ mc_size = get_totalsize(mc_header);
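Review bot: In the new loop condition `while (leftover && mc_saved_count < ARRAY_SIZE(mc_saved_tmp))` in get_matching_model_microcode(), reaching the array bound ends the loop silently while `leftover` is still non-zero, so from the visible lines a scan cut short by the bound is indistinguishable from one that consumed all of the input. Consider logging a warning or returning an error when the bound, not `leftover`, is what stopped the loop, so that an oversized or malformed microcode blob is reported instead of being quietly truncated. The commit message would also benefit from tighter wording: "a static array allocated on the stack" reads as contradictory (a fixed-size array is presumably meant), and "potentially kernel execution" presumably means code execution in the kernel.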
Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series Mon Apr 6 17:28:52 2015 (r22473)
+++ dists/sid/linux/debian/patches/series Mon Apr 6 17:31:57 2015 (r22474)
@@ -560,3 +560,4 @@
bugfix/all/ext4-fix-zero_range-bug-hidden-by-flag-aliasing.patch
bugfix/all/ext4-fix-accidental-flag-aliasing-in-ext4_map_blocks.patch
bugfix/all/ext4-allocate-entire-range-in-zero-range.patch
+bugfix/x86/x86-microcode-intel-guard-against-stack-overflow-in-.patch