1. 28 Aug, 2017 1 commit
  2. 26 Aug, 2017 3 commits
  3. 22 May, 2017 2 commits
  4. 12 Apr, 2017 2 commits
  5. 11 Mar, 2017 3 commits
    • configure.ac: support libargp as an alternative to glibc argp · b14bed67
      Henrique de Moraes Holschuh authored
      iucode_tool uses the GNU Argp API, which is not part of POSIX, but which
      is included in glibc.  For other systems, a standalone implementation of
      GNU Argp is required, e.g. from libargp or from gnulib.
      
      Change configure to look for argp_parse() in libargp when it can't be
      found in the standard library set.  Header files must be in the default
      system path, though.
      
      This is useful for embedded systems that do not use glibc, such as those
      based on MUSL or uClibc.
    • intel_microcode: do not request inlining for is_zero_checksum() · 069fd48c
      Henrique de Moraes Holschuh authored
      There is no benefit from inlining is_zero_checksum(), and gcc usually
      wouldn't do it anyway even when not vectorizing.
      
      When vectorizing, the function becomes too large to inline since it is
      called by two different points of the code.
    • iucode_tool: use fprintf(stdout) instead of printf() · 0ff45221
      Henrique de Moraes Holschuh authored
      Be explicit about which standard stream we will output to.
      
      This triggers a cool optimization: gcc and clang will replace the
      fprintf(stdout) call with a fwrite() call with static parameters
      calculated at compile time.
      
      This is way better than the lame optimization these two compilers use
      for printf("something\n"): they would replace it with puts("something"),
      which has to scan over the string at runtime, etc.
  6. 07 Mar, 2017 7 commits
    • intel_microcode: declare intel_ucode_errstr() as const · 8fc244d1
      Henrique de Moraes Holschuh authored
      Declare function intel_ucode_errstr() with attribute const in the
      intel_microcode.h header, as the compiler won't be able to notice it by
      itself unless doing LTO.
      
      Add a warning about it to the function body, to help future maintenance.
    • iucode_tool: ensure printf %x args are unsigned · dc252417
      Henrique de Moraes Holschuh authored
      Correctly cast (int)foo to (unsigned int)foo for printf "%x" arguments.
      This is not fixing any real bug on any sane compiler on the planet, but
      still...
      
      This squashes a number of -Wformat-signedness warnings.
    • README: add an example of microcode with multiple sigs · 642ba7e2
      Henrique de Moraes Holschuh authored
      Document iucode_tool's output for microcode with an extended signature
      table, using a real-world example.
    • configure.ac: add --enable-extend-flags to change default build flags · 1265e861
      Henrique de Moraes Holschuh authored
      Add a way to not completely override the C/CPP/LDFLAGS configure.ac
      would like to set.
    • configure: default build to hardened -O3 PIE with lots of warnings · 19d13848
      Henrique de Moraes Holschuh authored
      Override the autoconf default CFLAGS, CPPFLAGS and LDFLAGS for a more
      optimized, hardened build by default.  Also, print the value of these
      variables in configure output.
      
      The standard methods to override the default CFLAGS, CPPFLAGS and
      LDFLAGS in configure still work, and will bypass the new defaults.
      Linux distros that override these on every build should not see any
      changes.
      
      Should the compiler not be detected as gcc-compatible, no change to
      CFLAGS/CPPFLAGS/LDFLAGS will be made.  Note that clang is explicitly
      supported, and works just fine.
      
      The build will default to a baseline of "-O3 -g" and will attempt to
      selectively enable the following warning options:
      
        -Wall -Wextra -Wformat=2 -Werror=format-security -Wtrampolines
        -Wformat-signedness -Wformat-overflow=2 -Wformat-truncation=2
        -Wtrampolines -Wcast-align -Wsign-conversion -Wnull-dereference
        -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations
        -Wredundant-decls -Wstrict-overflow -Winit-self -Wshadow
        -Wrestrict -Wpointer-arith -Wlogical-op -Wbad-function-cast
        -Wwrite-strings -Wduplicated-branches -Wduplicated-cond
        -Walloca -Wvla -Walloc-zero -Walloc-size-larger-than=1073741824
      
      and the following hardening options:
      
        -D_FORTIFY_SOURCE=2 -fstack-protector-strong -Wstack-protector
        -fPIE -Wl,-z,relro -Wl,-z,now -pie
      
      configure will attempt to detect the set of compiler and linker driver
      flags that would work from the above list.
      
      Caveats: autoconf 2.69 and automake 1.13 or later are now required.
    • configure: minor cosmetic fixes · e5a987a8
      Henrique de Moraes Holschuh authored
      Break some excessively long lines, no functional changes.
    • configure.ac: whitespace fixes · 762725a1
      Henrique de Moraes Holschuh authored
      Expand all tabs in configure.ac.  This is a whitespace-only change.
  7. 15 Feb, 2017 4 commits
  8. 29 Jan, 2017 2 commits
  9. 13 Jan, 2017 1 commit
  10. 11 Jan, 2017 10 commits
    • Ready for release: v2.1.1 · d23ea65e
      Henrique de Moraes Holschuh authored
      Update ChangeLog, README and configure.ac for the 2.1.1 release.
    • b3669767
    • spelling fixes to comments, messages and docs · 6018b042
      Henrique de Moraes Holschuh authored
      Fix spelling errors in iucode_tool(8), README, ChangeLog, several source
      code comments, and the iucode_tool embedded help text.
    • intel_microcode, iucode_tool: enhance microcode scan API · eefae156
      Henrique de Moraes Holschuh authored
      Update the intel_ucode_scan_for_microcode() API so that it can return
      errors to the caller, and return an error if it detects internal
      inconsistencies.
      
      The updated API returns the count of discovered microcode updates on
      success.  This can be useful as debugging information, so add it to the
      very verbose mode output messages.
      
      This API change allows scan_and_pack_microcodes() to abort iucode_tool
      execution with an error message should intel_ucode_scan_for_microcode()
      detect an internal inconsistency.
      
      While at it, harden scan_and_pack_microcodes() to refuse to memmove data
      when the results from intel_ucode_scan_for_microcode() are clearly
      insane.  In that case, abort iucode_tool with an error message.
    • intel_microcode: harden intel_ucode_scan_for_microcode() · 5f17fb24
      Henrique de Moraes Holschuh authored
      Add code that should trigger if an unexpected counter under/overflow
      happens (most likely due to coding errors).
      
      While at it, remove the previous fix for a buffer overflow added by
      "intel_microcode: fix heap buffer overflow on -tr loader", as the new
      API for xx_intel_ucode_check_uc() will return errors for zero-sized
      objects.
    • intel_microcode, iucode_tool: no more magic 1024 constants · dabfcf8a
      Henrique de Moraes Holschuh authored
      Instead of using 1024 as a magic number everywhere for the minimum size
      of something that is supposed to be an Intel microcode update, define
      INTEL_UC_MINSIZE and use it.
    • intel_microcode: forbid unknown buffer sizes in intel_ucode_check_microcode() · 4f041222
      Henrique de Moraes Holschuh authored
      Now that all callers of intel_ucode_check_microcode() and
      xx_intel_ucode_check_uc() know their buffer sizes, require it by not
      special-casing a zero buffer size.
      
      This is a much better API, and would have avoided the heap buffer
      overflow issue in the -tr (recovery) loader.
    • intel_microcode, iucode_tool: track buffer sizes when iterating · 08120b8f
      Henrique de Moraes Holschuh authored
      Change the intel_microcode intel_ucode_foreach_microcode() callback API
      to pass the remaining memory buffer size to the callback.
      
      Note that intel_ucode_foreach_microcode() already ensured the remaining
      buffer size would be large enough for the microcode being passed down to
      the callback.
      
      However, with this API change, iucode_tool's xx_process_ucode_entry_cb()
      callback can pass the (now known) buffer size down to
      intel_ucode_check_microcode().
      
      These changes remove the only code site that would call
      intel_ucode_check_microcode() on an unknown-sized buffer.
    • intel_microcode: fix heap buffer overflow on -tr loader · e5e14bfd
      Henrique de Moraes Holschuh authored
      When the last microcode region ends at exactly the end of the data file,
      intel_ucode_scan_for_microcode() would read data past the end of the
      memory buffer.  This is usually harmless.
      
      Unfortunately, should there be a valid microcode exactly after the
      memory buffer, iucode_tool will misbehave *badly*.
      
      It is extremely unlikely that the harmful misbehavior could be triggered
      by accident -- at least when iucode_tool is linked to glibc -- due to
      glibc's memory allocator implementation details.  Also, it is not
      believed to be possible for this bug to trigger in a harmful manner when
      only one datafile is being processed.
      
      However, it might be possible for an attacker to trigger the issue using
      a number of specially crafted data files.  This might also require
      tricking the user into using a specially crafted command line.
      
      Should the worst happen, iucode_tool may be convinced to corrupt its
      heap, and possibly the libc's heap control data structures.  This could
      result in code execution, depending on the libc's internals.
      
      The harmless version of this bug is trivially triggered by using the -tr
      (recovery) loader on any file that ends with a valid microcode, such as
      any file that only contains valid microcode...
      
      This issue was detected by gcc's address sanitizer.
  11. 11 Nov, 2016 3 commits
  12. 10 Nov, 2016 2 commits
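
The bug class fixed in e5e14bfd, and the size-tracking API changes that followed it (08120b8f, 4f041222), shown as an added C sketch that is not iucode_tool's own code: a scanner that hands the remaining buffer size to every check, so a record ending exactly at the buffer end is accepted and nothing past it is read. `check_uc`, `scan_bounded`, `demo_scan`, the 1 KiB scan step and the reduced header validation (version fields and total size only, no checksum) are assumptions of this example; `INTEL_UC_MINSIZE` is the name used in the commit log.

```c
#include <stddef.h>
#include <stdint.h>

#define INTEL_UC_MINSIZE 1024u /* name and value taken from the commit log */

static uint32_t rd32(const uint8_t *p) /* little-endian 32-bit load */
{
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical, simplified check: size of the record at p if it fits
 * entirely within avail bytes, else 0. avail == 0 is never "unknown". */
static size_t check_uc(const uint8_t *p, size_t avail)
{
    if (avail < INTEL_UC_MINSIZE)
        return 0;                     /* too small to hold a record */
    if (rd32(p) != 1 || rd32(p + 20) != 1)
        return 0;                     /* header / loader version fields */
    uint32_t total = rd32(p + 32);    /* total size field */
    if (total == 0)
        total = 2048;                 /* legacy default size (simplified) */
    if (total % 1024 != 0 || total > avail)
        return 0;                     /* record would cross the buffer end */
    return total;
}

/* Count records in buf[0..len), stepping 1 KiB (an assumption of this
 * sketch). len - off cannot underflow because the loop keeps off < len. */
size_t scan_bounded(const uint8_t *buf, size_t len)
{
    size_t off = 0, found = 0;
    while (off < len) {
        size_t sz = check_uc(buf + off, len - off);
        found += (sz != 0);
        off += sz ? sz : 1024;
    }
    return found;
}

/* Constructed sample: three 1 KiB records back to back; scan only the
 * first len bytes, so the rest plays the part of adjacent heap memory. */
size_t demo_scan(size_t len)
{
    static uint8_t mem[3072];
    for (size_t i = 0; i < 3; i++) {
        uint8_t *r = mem + i * 1024;
        r[0] = 1; r[20] = 1; r[33] = 0x04;   /* total size = 0x400 */
    }
    return scan_bounded(mem, len);
}
```

With `len` set to 2048 the second record ends exactly at the buffer end and the valid record sitting right after it is never examined, which is the situation the e5e14bfd message describes.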