From 6bc904578f8579ad2209b347bf755fd861f20df5 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 6 Apr 2015 17:31:57 +0000 Subject: [PATCH] [x86] microcode/intel: Guard against stack overflow in the loader (CVE-2015-2666) svn path=/dists/sid/linux/; revision=22474 --- debian/changelog | 2 ++ ...tel-guard-against-stack-overflow-in-.patch | 32 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 35 insertions(+) create mode 100644 debian/patches/bugfix/x86/x86-microcode-intel-guard-against-stack-overflow-in-.patch diff --git a/debian/changelog b/debian/changelog index 55731ec23..84c3a451b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -184,6 +184,8 @@ linux (3.16.7-ckt9-1) UNRELEASED; urgency=medium * ext4: fix ZERO_RANGE bug hidden by flag aliasing * ext4: fix accidental flag aliasing in ext4_map_blocks flags * ext4: allocate entire range in zero range (CVE-2015-0275) + * [x86] microcode/intel: Guard against stack overflow in the loader + (CVE-2015-2666) -- Ian Campbell Wed, 18 Mar 2015 21:07:15 +0000 diff --git a/debian/patches/bugfix/x86/x86-microcode-intel-guard-against-stack-overflow-in-.patch b/debian/patches/bugfix/x86/x86-microcode-intel-guard-against-stack-overflow-in-.patch new file mode 100644 index 000000000..fb53206cd --- /dev/null +++ b/debian/patches/bugfix/x86/x86-microcode-intel-guard-against-stack-overflow-in-.patch 
@@ -0,0 +1,32 @@ +From: Quentin Casasnovas +Date: Tue, 3 Feb 2015 13:00:22 +0100 +Subject: x86/microcode/intel: Guard against stack overflow in the loader +Origin: https://git.kernel.org/linus/f84598bd7c851f8b0bf8cd0d7c3be0d73c432ff4 + +mc_saved_tmp is a static array allocated on the stack, we need to make +sure mc_saved_count stays within its bounds, otherwise we're overflowing +the stack in _save_mc(). A specially crafted microcode header could lead +to a kernel crash or potentially kernel execution. + +Signed-off-by: Quentin Casasnovas +Cc: "H. Peter Anvin" +Cc: Fenghua Yu +Link: http://lkml.kernel.org/r/1422964824-22056-1-git-send-email-quentin.casasnovas@oracle.com +Signed-off-by: Borislav Petkov +--- + arch/x86/kernel/cpu/microcode/intel_early.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/microcode/intel_early.c b/arch/x86/kernel/cpu/microcode/intel_early.c +index ec9df6f..5e109a3 100644 +--- a/arch/x86/kernel/cpu/microcode/intel_early.c ++++ b/arch/x86/kernel/cpu/microcode/intel_early.c +@@ -321,7 +321,7 @@ get_matching_model_microcode(int cpu, unsigned long start, + unsigned int mc_saved_count = mc_saved_data->mc_saved_count; + int i; + +- while (leftover) { ++ while (leftover && mc_saved_count < ARRAY_SIZE(mc_saved_tmp)) { + mc_header = (struct microcode_header_intel *)ucode_ptr; + + mc_size = get_totalsize(mc_header); diff --git a/debian/patches/series b/debian/patches/series index 08fc9920b..d9f0f5ad5 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -560,3 +560,4 @@ bugfix/all/btrfs-make-xattr-replace-operations-atomic.patch bugfix/all/ext4-fix-zero_range-bug-hidden-by-flag-aliasing.patch bugfix/all/ext4-fix-accidental-flag-aliasing-in-ext4_map_blocks.patch bugfix/all/ext4-allocate-entire-range-in-zero-range.patch +bugfix/x86/x86-microcode-intel-guard-against-stack-overflow-in-.patch
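Review bot: In the embedded intel_early.c hunk, the new condition `while (leftover && mc_saved_count < ARRAY_SIZE(mc_saved_tmp))` ends the scan silently once mc_saved_tmp is full, so the loop can now exit with leftover still non-zero. The visible context stops at get_totalsize(), so please confirm that the code after the loop treats a non-zero leftover the way you intend (an error return rather than a quietly truncated result). Consider emitting a diagnostic when the cap is reached, since that is exactly the condition a crafted microcode header would produce. On the wording of the description: "a static array allocated on the stack" reads as contradictory and would be clearer as a fixed-size array on the stack, and "potentially kernel execution" presumably means code execution in the kernel.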
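Review bot: The file name added to debian/patches/series, and used for the new file under debian/patches/bugfix/x86/, ends in the truncated fragment "in-.patch", which makes the entry harder to grep for and to match against the upstream subject. Suggest a name that ends on a whole word, for example one ending in "stack-overflow.patch", changed consistently in both the series line and the created file.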