x86/cpuid: Prevent out of bound access in do_clear_cpu_cap() - kernel/linux.git

diff options

author	Thomas Gleixner <tglx@linutronix.de>	2017-10-18 20:39:35 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-12-25 16:26:15 +0300
commit	36295155d8d4c3f9fb425faac9120559c051b861 (patch)
tree	09174d6c6924d9588eb66886d164c82b158bdfb7 /mm/page_alloc.c
parent	61d1ad3631150386f3c142daff97913c1770e0fa (diff)
download	linux-36295155d8d4c3f9fb425faac9120559c051b861.tar.xz

x86/cpuid: Prevent out of bound access in do_clear_cpu_cap()

commit 57b8b1a1856adaa849d02d547411a553a531022b upstream. do_clear_cpu_cap() allocates a bitmap to keep track of disabled feature dependencies. That bitmap is sized NCAPINTS * BITS_PER_INIT. The possible 'features' which can be handed in are larger than this, because after the capabilities the bug 'feature' bits occupy another 32bit. Not really obvious... So clearing any of the misfeature bits, as 32bit does for the F00F bug, accesses that bitmap out of bounds thereby corrupting the stack. Size the bitmap proper and add a sanity check to catch accidental out of bound access. Fixes: 0b00de857a64 ("x86/cpuid: Add generic table for CPUID dependencies") Reported-by: kernel test robot <xiaolong.ye@intel.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: Andi Kleen <ak@linux.intel.com> Cc: Borislav Petkov <bp@alien8.de> Link: https://lkml.kernel.org/r/20171018022023.GA12058@yexl-desktop Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'mm/page_alloc.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: