[PATCH v3 2/4] x86/microcode: Fix __user annotations around generic_load_microcode()

From: Jann Horn
Date: Fri Mar 29 2019 - 17:47:12 EST


generic_load_microcode() deals with a pointer that can be either a kernel
pointer or a user pointer. Pass it around as a __user pointer so that it
can't be dereferenced accidentally while its address space is unknown.
Use explicit casts to convert between __user and __kernel to inform the
checker that these address space conversions are intentional.

Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>
---
arch/x86/kernel/cpu/microcode/intel.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
index 16936a24795c..e8ef65c275c7 100644
--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -861,11 +861,13 @@ static enum ucode_state apply_microcode_intel(int cpu)
return ret;
}

-static enum ucode_state generic_load_microcode(int cpu, void *data, size_t size,
- int (*get_ucode_data)(void *, const void *, size_t))
+static enum ucode_state generic_load_microcode(int cpu,
+ const void __user *data, size_t size,
+ int (*get_ucode_data)(void *, const void __user *, size_t))
{
struct ucode_cpu_info *uci = ucode_cpu_info + cpu;
- u8 *ucode_ptr = data, *new_mc = NULL, *mc = NULL;
+ const u8 __user *ucode_ptr = data;
+ u8 *new_mc = NULL, *mc = NULL;
int new_rev = uci->cpu_sig.rev;
unsigned int leftover = size;
unsigned int curr_mc_size = 0, new_mc_size = 0;
@@ -945,9 +947,10 @@ static enum ucode_state generic_load_microcode(int cpu, void *data, size_t size,
return ret;
}

-static int get_ucode_fw(void *to, const void *from, size_t n)
+static int get_ucode_fw(void *to, const void __user *from, size_t n)
{
- memcpy(to, from, n);
+ /* cast paired with request_microcode_fw() */
+ memcpy(to, (const void __force *)from, n);
return 0;
}

@@ -993,7 +996,8 @@ static enum ucode_state request_microcode_fw(int cpu, struct device *device,
return UCODE_NFOUND;
}

- ret = generic_load_microcode(cpu, (void *)firmware->data,
+ /* cast paired with get_ucode_fw() */
+ ret = generic_load_microcode(cpu, (void __force __user *)firmware->data,
firmware->size, &get_ucode_fw);

release_firmware(firmware);
@@ -1001,7 +1005,7 @@ static enum ucode_state request_microcode_fw(int cpu, struct device *device,
return ret;
}

-static int get_ucode_user(void *to, const void *from, size_t n)
+static int get_ucode_user(void *to, const void __user *from, size_t n)
{
return copy_from_user(to, from, n);
}
@@ -1012,7 +1016,7 @@ request_microcode_user(int cpu, const void __user *buf, size_t size)
if (is_blacklisted(cpu))
return UCODE_NFOUND;

- return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
+ return generic_load_microcode(cpu, buf, size, &get_ucode_user);
}

static struct microcode_ops microcode_intel_ops = {
--
2.21.0.392.gf8f6787159e-goog