From: Henrique de Moraes Holschuh Date: Sat, 7 Jan 2017 17:12:04 -0200 Subject: CVE-2017-0357: iucode_tool: fix heap buffer overflow on -tr loader When the last microcode region ends at exactly the end of a data file *being loaded using the -tr loader*, intel_ucode_scan_for_microcode() would read data past the end of the memory buffer. It is likely possible for an attacker to use this bug to trigger heap corruption using specially crafted data file(s), possibly also requiring a specially crafted command line. The heap corruption might be exploitable depending on libc details, and could lead to code execution. This issue was fixed in iucode_tool v2.1.1. This issue is present in iucode_tool v1.4, up to and including v2.1. --- intel_microcode.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/intel_microcode.c b/intel_microcode.c index 7ce575b..c094c66 100644 --- a/intel_microcode.c +++ b/intel_microcode.c @@ -532,6 +532,10 @@ int intel_ucode_scan_for_microcode(const void **bs, const void **be, bl += total_size; al -= total_size; + /* xx_intel_ucode_check_uc() before v2.1.1 special-cases al == 0 */ + if (!al) + break; + r = xx_intel_ucode_check_uc(p, al, 0); } while (r == INTEL_UCODE_NOERROR); -- 2.1.4
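Review bot: The new `if (!al) break;` only catches the exact-exhaustion case (remaining length reaches zero), so the fix is sound only if an earlier check in this loop already guarantees `total_size <= al` before `al -= total_size;`; if `al` is an unsigned size type and `total_size` can exceed it, the subtraction wraps to a large value, `!al` is false, and `xx_intel_ucode_check_uc(p, al, 0)` is still called with a pointer past the end of the buffer. Please confirm that bound is enforced (or add `if (total_size > al) return error;` ahead of the subtraction) so the early exit is not the sole defence. Separately, the comment `/* xx_intel_ucode_check_uc() before v2.1.1 special-cases al == 0 */` documents a version quirk rather than the invariant; it would read better as a statement of why the call must be skipped, e.g. "al == 0 means p is at the end of the buffer; do not scan past it", which stays true after the special case is removed.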