From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, higuita@gmx.net, Borislav Petkov, Thomas Gleixner
Subject: [PATCH 4.14 62/71] x86/microcode: Fix again accessing initrd after having been freed
Date: Mon, 29 Jan 2018 13:57:30 +0100
Message-Id: <20180129123831.759347763@linuxfoundation.org>
X-Mailer: git-send-email 2.16.1
In-Reply-To: <20180129123827.271171825@linuxfoundation.org>
References: <20180129123827.271171825@linuxfoundation.org>
User-Agent: quilt/0.65
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-Mailing-List: linux-kernel@vger.kernel.org
List-ID:

4.14-stable review patch. If anyone has any objections, please let me know.

------------------
From: Borislav Petkov

commit 1d080f096fe33f031d26e19b3ef0146f66b8b0f1 upstream.

Commit 24c2503255d3 ("x86/microcode: Do not access the initrd after it has been freed") fixed attempts to access initrd from the microcode loader after it has been freed. However, a similar KASAN warning was reported (stack trace edited):

  smpboot: Booting Node 0 Processor 1 APIC 0x11
  ==================================================================
  BUG: KASAN: use-after-free in find_cpio_data+0x9b5/0xa50
  Read of size 1 at addr ffff880035ffd000 by task swapper/1/0

  CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.14.8-slack #7
  Hardware name: System manufacturer System Product Name/A88X-PLUS, BIOS 3003 03/10/2016
  Call Trace:
   dump_stack
   print_address_description
   kasan_report
   ? find_cpio_data
   __asan_report_load1_noabort
   find_cpio_data
   find_microcode_in_initrd
   __load_ucode_amd
   load_ucode_amd_ap
   load_ucode_ap

After some investigation, it turned out that a merge was done using the wrong side to resolve, leading to picking up the previous state, before the 24c2503255d3 fix. Therefore the Fixes tag below contains a merge commit.

Revert the mismerge by catching the save_microcode_in_initrd_amd() retval and thus letting the function exit with the last return statement so that initrd_gone can be set to true.

Fixes: f26483eaedec ("Merge branch 'x86/urgent' into x86/microcode, to resolve conflicts")
Reported-by:
Signed-off-by: Borislav Petkov
Signed-off-by: Thomas Gleixner
Link: https://bugzilla.kernel.org/show_bug.cgi?id=198295
Link: https://lkml.kernel.org/r/20180123104133.918-2-bp@alien8.de
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kernel/cpu/microcode/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kernel/cpu/microcode/core.c
+++ b/arch/x86/kernel/cpu/microcode/core.c
@@ -239,7 +239,7 @@ static int __init save_microcode_in_init break; case X86_VENDOR_AMD: if (c->x86 >= 0x10) - return save_microcode_in_initrd_amd(cpuid_eax(1)); + ret = save_microcode_in_initrd_amd(cpuid_eax(1)); break; default: break;
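Review bot: the correctness of this hunk depends entirely on the unchanged tail of save_microcode_in_initrd() that is not shown in the context: replacing `return save_microcode_in_initrd_amd(cpuid_eax(1));` with `ret = save_microcode_in_initrd_amd(cpuid_eax(1));` only helps if the code after the switch sets `initrd_gone = true` unconditionally, including when `ret` carries an error from the AMD path, otherwise a failed AMD load would still leave a stale initrd pointer reachable by find_microcode_in_initrd() on the AP path and the KASAN use-after-free in the report would remain on that branch. Please also confirm in the 4.14 tree that `ret` is declared and initialised in this function and is what the final `return ret;` hands back, since the hunk context references it without showing the declaration; a one-line comment above the switch noting that no case may return early because initrd_gone must be set would make the mismerge described in the commit message harder to reintroduce.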