[kernel/f20] CVE-2015-2666 execution in the early microcode loader (rhbz 1204724 1204722)

Josh Boyer jwboyer at fedoraproject.org
Mon Mar 23 13:23:28 UTC 2015


commit 3b4fe4858245984adfa950bf2483bb6675f929c6
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Mon Mar 23 09:16:48 2015 -0400

    CVE-2015-2666 execution in the early microcode loader (rhbz 1204724 1204722)

 kernel.spec                                        |  9 ++++++
 ...de-intel-Guard-against-stack-overflow-in-.patch | 36 ++++++++++++++++++++++
 2 files changed, 45 insertions(+)
---
diff --git a/kernel.spec b/kernel.spec
index 303d823..30732e7 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -795,6 +795,9 @@ Patch26168: HID-multitouch-add-support-of-clickpads.patch
 Patch26170: acpi-video-Allow-forcing-native-backlight-on-non-win.patch
 Patch26171: acpi-video-Add-force-native-backlight-quirk-for-Leno.patch
 
+#CVE-2015-2666 rhbz 1204724 1204722
+Patch26172: x86-microcode-intel-Guard-against-stack-overflow-in-.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
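Review bot: the new patch file name ends in `-in-.patch`, which is `git format-patch` truncating the subject "Guard against stack overflow in the loader" at its default length; the `Patch26172:` line and the `ApplyPatch` line later in the spec must spell this exact name, trailing `-in-` included, so consider renaming the file to the full subject (or a shorter descriptive name) before it is copied into other branches. Numbering (26171 is the last patch defined above) and the `#CVE-2015-2666 rhbz 1204724 1204722` marker comment match the commit subject.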
@@ -1553,6 +1556,9 @@ ApplyPatch HID-multitouch-add-support-of-clickpads.patch
 ApplyPatch acpi-video-Allow-forcing-native-backlight-on-non-win.patch
 ApplyPatch acpi-video-Add-force-native-backlight-quirk-for-Leno.patch
 
+#CVE-2015-2666 rhbz 1204724 1204722
+ApplyPatch x86-microcode-intel-Guard-against-stack-overflow-in-.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2371,6 +2377,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Mon Mar 23 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2015-2666 execution in the early microcode loader (rhbz 1204724 1204722)
+
 * Fri Mar 20 2015 Josh Boyer <jwboyer at fedoraproject.org>
 - Fix brightness on Lenovo Ideapad Z570 (rhbz 1187004)
 
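Review bot: no release bump appears anywhere in this diff, so confirm whether one is needed for the build that carries the fix; the changelog entry itself follows the form of the Mar 20 entry below it. It would also help future triage to mention in the entry that the patch is a backport of upstream commit 4423997d1e2f (the `From` line in the added patch file), since the entry currently names only the CVE and the rhbz numbers.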
diff --git a/x86-microcode-intel-Guard-against-stack-overflow-in-.patch b/x86-microcode-intel-Guard-against-stack-overflow-in-.patch
new file mode 100644
index 0000000..2123a46
--- /dev/null
+++ b/x86-microcode-intel-Guard-against-stack-overflow-in-.patch
@@ -0,0 +1,36 @@
+From 4423997d1e2f479f98b8f0c7ad733607f361ed76 Mon Sep 17 00:00:00 2001
+From: Quentin Casasnovas <quentin.casasnovas at oracle.com>
+Date: Tue, 3 Feb 2015 13:00:22 +0100
+Subject: [PATCH] x86/microcode/intel: Guard against stack overflow in the
+ loader
+
+mc_saved_tmp is a static array allocated on the stack, we need to make
+sure mc_saved_count stays within its bounds, otherwise we're overflowing
+the stack in _save_mc(). A specially crafted microcode header could lead
+to a kernel crash or potentially kernel execution.
+
+Signed-off-by: Quentin Casasnovas <quentin.casasnovas at oracle.com>
+Cc: "H. Peter Anvin" <hpa at zytor.com>
+Cc: Fenghua Yu <fenghua.yu at intel.com>
+Link: http://lkml.kernel.org/r/1422964824-22056-1-git-send-email-quentin.casasnovas@oracle.com
+Signed-off-by: Borislav Petkov <bp at suse.de>
+---
+ arch/x86/kernel/cpu/microcode/intel_early.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/microcode/intel_early.c b/arch/x86/kernel/cpu/microcode/intel_early.c
+index ec9df6f9cd47..5e109a31f62b 100644
+--- a/arch/x86/kernel/cpu/microcode/intel_early.c
++++ b/arch/x86/kernel/cpu/microcode/intel_early.c
+@@ -321,7 +321,7 @@ get_matching_model_microcode(int cpu, unsigned long start,
+ 	unsigned int mc_saved_count = mc_saved_data->mc_saved_count;
+ 	int i;
+ 
+-	while (leftover) {
++	while (leftover && mc_saved_count < ARRAY_SIZE(mc_saved_tmp)) {
+ 		mc_header = (struct microcode_header_intel *)ucode_ptr;
+ 
+ 		mc_size = get_totalsize(mc_header);
+-- 
+2.1.0
+
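Review bot: the guard is the upstream commit 4423997d1e2f applied unchanged, and it is type-safe for the visible declarations: `mc_saved_count` is `unsigned int` and `ARRAY_SIZE(mc_saved_tmp)` yields `size_t`, so the comparison is unsigned against unsigned and a crafted header cannot reach the stack array through a negative count. One point worth raising: when the array is full the `while` loop now exits silently with `leftover` bytes of microcode still unprocessed, so a `pr_warn_once()` after the loop (in the function's own file, not in this hunk's context) would make the truncation visible in the boot log instead of quietly skipping later blobs.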

