From: Borislav Petkov
To: Andrey Ryabinin
Cc: Thomas Gleixner, LKML, "H. Peter Anvin", Ingo Molnar
Subject: Re: x86/microcode: use-after-free after cpu offline/online
Date: Wed, 25 Jan 2017 18:23:21 +0100
Message-ID: <20170125172321.fpy6cswq3ibqvfgo@pd.tnic>
In-Reply-To: <3e4b6f03-384d-411e-5243-9d3b0595d5cb@virtuozzo.com>

On Wed, Jan 25, 2017 at 07:58:39PM +0300, Andrey Ryabinin wrote:
> On 4.10-rc5
> # echo 0 > /sys/devices/system/cpu/cpu1/online
> # echo 1 > /sys/devices/system/cpu/cpu1/online
>
> triggers use-after-free (probably caused by 06b8534cb72 "x86/microcode: Rework microcode loading").
>
> __load_ucode_intel() accesses initrd which is obviously gone at this point:

Does that help?

---
diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
index 2af69d27da62..fdbf8d29ffcf 100644
--- a/arch/x86/kernel/cpu/microcode/core.c
+++ b/arch/x86/kernel/cpu/microcode/core.c
@@ -248,8 +248,12 @@ struct cpio_data find_microcode_in_initrd(const char *path, bool use_pa) * possibly relocates the ramdisk. In either case, initrd_start contains * the updated address so use that instead. */ - if (!use_pa && initrd_start) - start = initrd_start; + if (!use_pa) { + if (initrd_start) + start = initrd_start; + else + return (struct cpio_data){ NULL, 0, "" }; + } return find_cpio_data(path, (void *)start, size, NULL); #else /* !CONFIG_BLK_DEV_INITRD */ -- Regards/Gruss, Boris. Good mailing practices for 400: avoid top-posting and trim the reply.
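Review bot: The new else branch in find_microcode_in_initrd() bails out with a positional compound literal, `return (struct cpio_data){ NULL, 0, "" };`, which depends on the field order of struct cpio_data and will silently mis-initialize if that order ever changes; designated initializers would make the intent explicit and survive reordering. The bailout also deserves a one-line comment of its own: the existing comment above it only explains the relocation case, while the reason for returning an empty result here is that initrd_start == 0 on the !use_pa path means the initrd has already been freed, which is exactly the use-after-free the report describes. Since callers on that path now get back an empty cpio_data (NULL data, zero size) instead of a stale pointer, it is worth confirming that __load_ucode_intel() and the other callers treat an empty result as "no microcode found" rather than dereferencing it.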