Re: [Xen-devel] [PATCH 4/4] x86/microcode_amd: Fail attempts to load a 0-length microcode blob.
>>> On 24.09.13 at 14:10, Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote: > Coverity ID: 1055319 > > Coverity identified that when passed a microcode header with a length field of > 0, get_ucode_from_buffer_amd() would end up calling memcpy(NULL, data, 0) > which is undefined behaviour. I think that's at least questionable: memcpy(..., 0) can hardly be anything but a no-op, no matter whether either of the two pointers in fact is a NULL one. That's not to say that I disagree that strict reading of the C standard may indeed yield this undefined, but I don't think we are to hunt down all such undefined-nesses. The tool should really stay away from hair-splitting, and concentrate on pointing out real issues. Jan > While Xen's implementation of memcpy will do the correct thing in this case, > any user trying to load a 0 length microcode blob deserves an -EINVAL. > > Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> > CC: Keir Fraser <keir@xxxxxxx> > CC: Jan Beulich <JBeulich@xxxxxxxx> > CC: Suravee Suthikulpanit <suravee.suthikulpanit@xxxxxxx> > CC: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx> > --- > xen/arch/x86/microcode_amd.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/xen/arch/x86/microcode_amd.c b/xen/arch/x86/microcode_amd.c > index a3ceef8..2c767a9 100644 > --- a/xen/arch/x86/microcode_amd.c > +++ b/xen/arch/x86/microcode_amd.c > @@ -202,7 +202,7 @@ static int get_ucode_from_buffer_amd( > return -EINVAL; > } > > - if ( (off + mpbuf->len) > bufsize ) > + if ( mpbuf->len == 0 || ((off + mpbuf->len) > bufsize) ) > { > printk(KERN_ERR "microcode: Bad data in microcode data file\n"); > return -EINVAL; > -- > 1.7.10.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
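Review bot: in the changed condition, the bounds test kept on the `+` line, `(off + mpbuf->len) > bufsize`, still adds the length field read from the microcode file to `off` before comparing, so a large enough `len` could wrap the sum and pass the check, depending on the operand types, which this hunk does not show. If `off <= bufsize` is already guaranteed at this point, `mpbuf->len > bufsize - off` expresses the same bound without the addition. The new `mpbuf->len == 0` test also reuses the "Bad data in microcode data file" message; a distinct message for the zero-length case would make the resulting -EINVAL easier to diagnose.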