xenbits.xensource.com Git - xen.git/commit

author	Daniel P. Smith <dpsmith@apertussolutions.com>
	Wed, 23 Oct 2024 01:02:42 +0000 (02:02 +0100)
committer	Andrew Cooper <andrew.cooper3@citrix.com>
	Wed, 23 Oct 2024 17:14:24 +0000 (18:14 +0100)
commit	8ddf63a252a6eae6e619ba2df9ad6b6f82e660c1
tree	6d96c768d15f44bb22dc28e33cc14393e2743a26	tree
parent	89f855d5649f86868a9aab27616b1986dece9ac1	commit \| diff

x86/boot: Fix microcode module handling during PVH boot

As detailed in commit 0fe607b2a144 ("x86/boot: Fix PVH boot during boot_info
transition period"), the use of __va(mbi->mods_addr) constitutes a
use-after-free on the PVH boot path.

This pattern has been in use since before PVH support was added.  Inside a PVH
VM, it will go unnoticed as long as the microcode container parser doesn't
choke on the random data it finds.

The use within early_microcode_init() happens to be safe because it's prior to
move_xen().  microcode_init_cache() is after move_xen(), and therefore unsafe.

Plumb the boot_info pointer down, replacing module_map and mbi.  Importantly,
bi->mods[].mod is a safe way to access the module list during PVH boot.

Note: microcode_scan_module() is still bogusly stashing a bootstrap_map()'d
      pointer in ucode_blob.data, which constitutes a different
      use-after-free, and only works in general because of a second bug.  This
      is unrelated to PVH, and needs untangling differently.

Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>
Acked-by: Roger Pau Monné <roger.pau@citrix.com>

xen/arch/x86/cpu/microcode/core.c		diff \| blob \| blame \| history
xen/arch/x86/include/asm/microcode.h		diff \| blob \| blame \| history
xen/arch/x86/setup.c		diff \| blob \| blame \| history