From nobody Wed May 27 21:12:53 2026
X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gQj515xVsz6fh1t
	for <dev-commits-src-main@mlmmj.nyi.freebsd.org>; Wed, 27 May 2026 21:12:53 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gQj515Fy9z3SJ7
	for <dev-commits-src-main@FreeBSD.org>; Wed, 27 May 2026 21:12:53 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1779916373;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=L+nqS+KqaHrmztOrxSqjqngmFIqME2czJ+Z9O/kMU0I=;
	b=AJztgp0wGD6QiNuDVciOSQH9lQ3DFVx5YuhKzbRssmzawP/kQP1oSdF/Ps/c7ImBord5EE
	EyJeA73OB16jeQMOKbfTYGnN8qok1a3oYeILo9/9kuEmWgGPBpX9eN++9a/CXIH/D3+cqB
	Ff63DeQKZLx5HSdUOHsg3lSTG5SArSLu+8FqDO/R5tAJ0eC03754Srzst4a0LPVdEMN502
	LP9ED/z0YM99/p6NiNeC65eo4Km0WW9y6OlzONMnpbAg1cFozuKA+6CjQU2PvKlQ2zifLp
	quCXcNAkp8PYhTXkL8XqbTxwS67laJrdj+AnYsKDFedtfoy6MoHQGPCcO9yEKQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779916373; a=rsa-sha256; cv=none;
	b=YzemT4wdJdzGnrlzdGVHuAH3jEF+N9lbwJ8YH8alQSo/qgLhfQgWvhajcg1j30yp6sv5KV
	K7UCg7rTORGLmgnf9yoj27YehCIEm/FYRVw/3aE3OMwdiDZm+eQ2LnbRw3JA7w3iXHaz4y
	k6J4pcfkeWykDSa0j02dpOB6hspvJ0claN6pxoUzzCaJ7HQPryIfz+vmM/yqhFA69FDguk
	lh5KE/J+qaiug9Kj23LYRV2vm8nJE2142Rpfu9hgl/XcY3qTyq5cA2Fmb7eafHLvyLLusc
	s+OQqqLOFoVBHmZEC/+Vjte8+NCBCwCeA1GmS9ISz48So7nkN6C021hRzmWb4w==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1779916373;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=L+nqS+KqaHrmztOrxSqjqngmFIqME2czJ+Z9O/kMU0I=;
	b=xlE/sG2GZoKDBcnRB+6dC/ib3j6K9Us4FEon5EoZCISfapUd02TpD9LnUVO8/yZkwL9ecn
	C7SKSNtKF86k1k3APDG7ZNFbX/A9vgh122k36ZLn2TuDPp4zlUr1i74XdjFl+pKNJWm8ku
	0JM2+hDMrR0idSUnp7Ah8LZJTBAVc3Ujq8hLyohxdDPisgt8tHh81hH8oqWjmKSK7lm2dX
	+pcrwuVaMPrp6da+WR4HONGFvzeO0omO13V/faClBxKhnTZzuza3l+o4k+reVNdwPulGXq
	yBcOHKZ7I11Kl1qRjf0d/MFsXdqKJw68v0724uJcbwSZh7Qeh9RXScObf3qApQ==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gQj514mvQz1hD
	for <dev-commits-src-main@FreeBSD.org>; Wed, 27 May 2026 21:12:53 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 24294
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Wed, 27 May 2026 21:12:53 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston <markj@FreeBSD.org>
Subject: git: 0beb17289849 - main - ucode: Fix validation on Intel platforms
List-Id: Commit messages for the main branch of the src repository <dev-commits-src-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help: <mailto:dev-commits-src-main+help@freebsd.org>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
List-Id: <dev-commits-src-main.FreeBSD.org>
List-Post: <mailto:dev-commits-src-main@FreeBSD.org>
List-Help: <mailto:dev-commits-src-main+help@FreeBSD.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 0beb172898499fff51eed4df3d9284cd1094afbb
Auto-Submitted: auto-generated
Date: Wed, 27 May 2026 21:12:53 +0000
Message-Id: <6a175e55.24294.94fa17d@gitrepo.freebsd.org>

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=0beb172898499fff51eed4df3d9284cd1094afbb

commit 0beb172898499fff51eed4df3d9284cd1094afbb
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-05-27 20:18:05 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-05-27 21:12:35 +0000

    ucode: Fix validation on Intel platforms
    
    The check for the extended signature table was backwards, so we always
    ignored it.
    
    We should verify that the extended signature table fits within the total
    image size.
    
    Reviewed by:    jrm, kib
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D57209
---
 sys/x86/x86/ucode.c | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/sys/x86/x86/ucode.c b/sys/x86/x86/ucode.c
index 72133de211f8..2e996331dd2e 100644
--- a/sys/x86/x86/ucode.c
+++ b/sys/x86/x86/ucode.c
@@ -204,7 +204,6 @@ ucode_intel_match(const uint8_t *data, size_t *len)
 	uint64_t platformid;
 	size_t resid;
 	uint32_t data_size, flags, regs[4], sig, total_size;
-	int i;
 
 	do_cpuid(1, regs);
 	sig = regs[0];
@@ -226,19 +225,35 @@ ucode_intel_match(const uint8_t *data, size_t *len)
 		if (total_size == 0)
 			total_size = UCODE_INTEL_DEFAULT_DATA_SIZE +
 			    sizeof(struct ucode_intel_header);
-		if (data_size > total_size + sizeof(struct ucode_intel_header))
+
+		if (total_size > data_size + sizeof(struct ucode_intel_header))
 			table = (const struct ucode_intel_extsig_table *)
 			    ((const uint8_t *)(hdr + 1) + data_size);
 		else
 			table = NULL;
 
-		if (hdr->processor_signature == sig) {
-			if ((hdr->processor_flags & flags) != 0) {
-				*len = data_size;
-				return (hdr + 1);
+		if (hdr->processor_signature == sig &&
+		    (hdr->processor_flags & flags) != 0) {
+			*len = data_size;
+			return (hdr + 1);
+		}
+		if (table != NULL) {
+			size_t extsize;
+
+			extsize = total_size -
+			    (data_size + sizeof(struct ucode_intel_header));
+			if (extsize < sizeof(struct ucode_intel_extsig_table)) {
+				ucode_error = VERIFICATION_FAILED;
+				break;
 			}
-		} else if (table != NULL) {
-			for (i = 0; i < table->signature_count; i++) {
+			extsize -= sizeof(struct ucode_intel_extsig_table);
+			for (uint32_t i = 0; i < table->signature_count; i++) {
+				if (extsize < sizeof(struct ucode_intel_extsig)) {
+					ucode_error = VERIFICATION_FAILED;
+					goto out;
+				}
+				extsize -= sizeof(struct ucode_intel_extsig);
+
 				entry = &table->entries[i];
 				if (entry->processor_signature == sig &&
 				    (entry->processor_flags & flags) != 0) {
@@ -248,6 +263,7 @@ ucode_intel_match(const uint8_t *data, size_t *len)
 			}
 		}
 	}
+out:
 	return (NULL);
 }