From nobody Mon Jun 15 18:01:43 2026
X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gfHxh33MWz6hh1F
	for <dev-commits-src-branches@mlmmj.nyi.freebsd.org>; Mon, 15 Jun 2026 18:01:44 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gfHxh0JCZz4Dwx
	for <dev-commits-src-branches@FreeBSD.org>; Mon, 15 Jun 2026 18:01:44 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1781546504;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=lxDb4oMQDn/q8f4BLvwiQNOQlcJq1vxzJI1QjPFcNfY=;
	b=etSR71IyfFV1g4VGoMfwjaFtZK+3RKy3X1RpPEMRBKzTiC9+UPfTHXEvUxugGP1t9WzKzy
	0fIIAO5mFnREtKift474hCinmZw62Uzi+FssgP2/NV4YSOkMYKCQ0uhnAGykghD5B1qTmo
	4A0J1MACPLbvCGdMRz4sE1tTtqV4/g45iwdjQsU9SCHhgKNejgY1E9j/GoRBA4gSdnBUsK
	hS9E3pw5Z5uKzx8cqgRGLO+nOnYBeDwNMobngbVos5+pe8dednh9JBUvLnKObA2xY8pTp7
	idzuZy2CvFgvtSnF6r6SoauzZLFsqA8Z45I0P2D485TGwp50tq9UUBllABctjw==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781546504; a=rsa-sha256; cv=none;
	b=dZAzXnEVypYq7hbnL2zIBInwrsRsrYXw/zO+NCW9PeIIK6oZPeJofc+DLeAQIYZpST6AAz
	Tlp8tt90g0BHGX3DhKL8odUqNFarkYkszCC+xXwtesr49oK/wl23Ml9yFdqzdqIIROEZFk
	9AMAbDOKakGwmCfhQUgzfyL5Abxz1tKyXJEK3XYFx+XG9/5NOXaqFj7RLk/p9C/kW7fFev
	cVhraDSt7SGaUb/jSnb92U5i5Rwm1JefK8E2fhPS/dqXq3sZ2mDZAnJM2/K/SlUNu5fiiy
	VRlz1KbvZ1RQFzxyvhTMm6rCwgIfGSLR3GfZTyx4mlqulmihOrbl301zuGpkbQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1781546504;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=lxDb4oMQDn/q8f4BLvwiQNOQlcJq1vxzJI1QjPFcNfY=;
	b=G7E4ZnAMEzjmk97k2sroFRSM7eYHKTkTfviS90awUnCuDRc5nT92Z8Zc6VPmlAfijq0JIf
	MZ37BgpTXhtZSRu/VqhgLb6JLA5GcQuDCzoasLMeVBwRzNaQASOgrq9C/uCbcEShp50UlT
	G+zdyJ/kVLLw5QB+amfibj7SsZzWWDk7ixwYb91zw/uRJLv2+7oE+cdhvLJCtpzc/6pzHH
	GvOIUQz+nbEJlC++7OCaDzYM7LfV+eg2KZoEiC0R67bHzUSktdUNw6IJ8+UxrqzmWINyL4
	BNazEUfGTy3ahACas7Bi1fEZGSR2SVHpUbh+34Tp8t0qunetkv4IPNGw5owVkQ==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gfHxg688dz15lT
	for <dev-commits-src-branches@FreeBSD.org>; Mon, 15 Jun 2026 18:01:43 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 1ebca
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Mon, 15 Jun 2026 18:01:43 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston <markj@FreeBSD.org>
Subject: git: 2a1eaaf331f7 - stable/15 - ucode: Fix validation on Intel platforms
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
List-Id: <dev-commits-src-branches.FreeBSD.org>
List-Post: <mailto:dev-commits-src-branches@FreeBSD.org>
List-Help: <mailto:dev-commits-src-branches+help@FreeBSD.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: 2a1eaaf331f7935b3febbb863e1c892670030b8e
Auto-Submitted: auto-generated
Date: Mon, 15 Jun 2026 18:01:43 +0000
Message-Id: <6a303e07.1ebca.3ac56206@gitrepo.freebsd.org>

The branch stable/15 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=2a1eaaf331f7935b3febbb863e1c892670030b8e

commit 2a1eaaf331f7935b3febbb863e1c892670030b8e
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-05-27 20:18:05 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-06-15 16:00:04 +0000

    ucode: Fix validation on Intel platforms
    
    The check for the extended signature table was backwards, so we always
    ignored it.
    
    We should verify that the extended signature table fits within the total
    image size.
    
    Reviewed by:    jrm, kib
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D57209
    
    (cherry picked from commit 0beb172898499fff51eed4df3d9284cd1094afbb)
---
 sys/x86/x86/ucode.c | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/sys/x86/x86/ucode.c b/sys/x86/x86/ucode.c
index 613a7b03489f..37c38c08635a 100644
--- a/sys/x86/x86/ucode.c
+++ b/sys/x86/x86/ucode.c
@@ -204,7 +204,6 @@ ucode_intel_match(const uint8_t *data, size_t *len)
 	uint64_t platformid;
 	size_t resid;
 	uint32_t data_size, flags, regs[4], sig, total_size;
-	int i;
 
 	do_cpuid(1, regs);
 	sig = regs[0];
@@ -226,19 +225,35 @@ ucode_intel_match(const uint8_t *data, size_t *len)
 		if (total_size == 0)
 			total_size = UCODE_INTEL_DEFAULT_DATA_SIZE +
 			    sizeof(struct ucode_intel_header);
-		if (data_size > total_size + sizeof(struct ucode_intel_header))
+
+		if (total_size > data_size + sizeof(struct ucode_intel_header))
 			table = (const struct ucode_intel_extsig_table *)
 			    ((const uint8_t *)(hdr + 1) + data_size);
 		else
 			table = NULL;
 
-		if (hdr->processor_signature == sig) {
-			if ((hdr->processor_flags & flags) != 0) {
-				*len = data_size;
-				return (hdr + 1);
+		if (hdr->processor_signature == sig &&
+		    (hdr->processor_flags & flags) != 0) {
+			*len = data_size;
+			return (hdr + 1);
+		}
+		if (table != NULL) {
+			size_t extsize;
+
+			extsize = total_size -
+			    (data_size + sizeof(struct ucode_intel_header));
+			if (extsize < sizeof(struct ucode_intel_extsig_table)) {
+				ucode_error = VERIFICATION_FAILED;
+				break;
 			}
-		} else if (table != NULL) {
-			for (i = 0; i < table->signature_count; i++) {
+			extsize -= sizeof(struct ucode_intel_extsig_table);
+			for (uint32_t i = 0; i < table->signature_count; i++) {
+				if (extsize < sizeof(struct ucode_intel_extsig)) {
+					ucode_error = VERIFICATION_FAILED;
+					goto out;
+				}
+				extsize -= sizeof(struct ucode_intel_extsig);
+
 				entry = &table->entries[i];
 				if (entry->processor_signature == sig &&
 				    (entry->processor_flags & flags) != 0) {
@@ -248,6 +263,7 @@ ucode_intel_match(const uint8_t *data, size_t *len)
 			}
 		}
 	}
+out:
 	return (NULL);
 }