From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: "Philippe Mathieu-Daudé" <philmd@linaro.org>
Cc: pbonzini@redhat.com, ebiggers@kernel.org, x86@kernel.org,
linux-kernel@vger.kernel.org, qemu-devel@nongnu.org,
ardb@kernel.org, kraxel@redhat.com, hpa@zytor.com, bp@alien8.de
Subject: Re: [PATCH qemu] x86: don't let decompressed kernel image clobber setup_data
Date: Wed, 28 Dec 2022 17:30:30 +0100 [thread overview]
Message-ID: <Y6xvJheSYC83voCZ@zx2c4.com> (raw)
In-Reply-To: <6cab26b5-06ae-468d-ac79-ecdecb86ef07@linaro.org>
On Wed, Dec 28, 2022 at 05:02:22PM +0100, Philippe Mathieu-Daudé wrote:
> Hi Jason,
>
> On 28/12/22 15:38, Jason A. Donenfeld wrote:
> > The setup_data links are appended to the compressed kernel image. Since
> > the kernel image is typically loaded at 0x100000, setup_data lives at
> > `0x100000 + compressed_size`, which does not get relocated during the
> > kernel's boot process.
> >
> > The kernel typically decompresses the image starting at address
> > 0x1000000 (note: there's one more zero there than the decompressed image
*compressed image
> > + uint32_t target_address = ldl_p(setup + 0x258);
>
> Nitpicking, can the Linux kernel add these magic values in
> arch/x86/include/uapi/asm/bootparam.h? Or can we use
> offsetof(setup_header) to get them?
I suspect the reason that x86.c has always had those hardcoded offsets
is because this is how it's documented in Documentation/x86/boot.rst?
> > + if ((start_setup_data >= start_target && start_setup_data < end_target) ||
> > + (end_setup_data >= start_target && end_setup_data < end_target)) {
> > + uint32_t padded_size = target_address + decompressed_length - prot_addr;
> > +
> > + /* The early stage can't address past around 64 MB from the original
> > + * mapping, so just give up in that case. */
> > + if (padded_size < 62 * 1024 * 1024)
>
> You mention 64 but check for 62, is that expected? You can use the MiB
> definitions to ease code review: 64 * MiB.
62 is intentional. But I'm still not really sure what's up. 63 doesn't
work. I haven't totally worked out why this is, or why the 64 MiB limit
exists in the first place. Maybe because this is a very early mapping
set up by real mode? Or because another mapping is placed over it that's
executable? There's that 2MiB*4096 gdt entry, but that'd cover all 4
gigs. So I really don't know yet. I'll continue to poke at it, but on
the off chance somebody here understands what's up, that'd save me a
bunch of head scratching.
> Fix looks good, glad you figured out the problem.
I mean, kind of. The solution here sucks, especially given that in the
worst case, setup_data just gets dropped. I'm half inclined to consider
this a kernel bug instead, and add some code to relocate setup_data
prior to decompression, and then fix up all the links. It seems like
this would be a lot more robust.
I just wish the people who wrote this stuff would chime in. I've had
x86@kernel.org CC'd but so far, no input from them.
Jason
next prev parent reply other threads:[~2022-12-28 16:33 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-28 14:38 [PATCH qemu] x86: don't let decompressed kernel image clobber setup_data Jason A. Donenfeld
2022-12-28 16:02 ` Philippe Mathieu-Daudé
2022-12-28 16:30 ` Jason A. Donenfeld [this message]
2022-12-28 16:57 ` Jason A. Donenfeld
2022-12-28 23:58 ` H. Peter Anvin
2022-12-29 2:13 ` H. Peter Anvin
2022-12-29 2:31 ` Jason A. Donenfeld
2022-12-29 7:28 ` Philippe Mathieu-Daudé
2022-12-29 7:30 ` H. Peter Anvin
2022-12-29 7:31 ` H. Peter Anvin
2022-12-29 12:47 ` Borislav Petkov
2022-12-30 15:54 ` Jason A. Donenfeld
2022-12-30 17:01 ` Borislav Petkov
2022-12-30 17:07 ` Jason A. Donenfeld
2022-12-30 19:54 ` Borislav Petkov
2022-12-30 21:58 ` H. Peter Anvin
2022-12-30 22:10 ` Jason A. Donenfeld
2022-12-31 1:06 ` H. Peter Anvin
2022-12-31 1:14 ` H. Peter Anvin
2022-12-31 12:55 ` Jason A. Donenfeld
2022-12-31 13:40 ` Borislav Petkov
2022-12-31 13:44 ` Jason A. Donenfeld
2022-12-31 13:48 ` Borislav Petkov
2022-12-31 13:51 ` Jason A. Donenfeld
2022-12-31 14:24 ` Borislav Petkov
2022-12-31 18:22 ` Jason A. Donenfeld
2022-12-31 19:00 ` Borislav Petkov
2023-01-01 3:21 ` H. Peter Anvin
2023-01-01 3:31 ` H. Peter Anvin
2023-01-02 6:01 ` Borislav Petkov
2023-01-02 6:17 ` Borislav Petkov
2023-01-02 9:32 ` Ard Biesheuvel
2023-01-02 13:36 ` Borislav Petkov
2023-01-02 15:03 ` Ard Biesheuvel
2023-01-02 5:50 ` Borislav Petkov
2023-01-01 4:33 ` H. Peter Anvin
2023-01-01 4:55 ` Mika Penttilä
2023-01-01 5:13 ` H. Peter Anvin
2022-12-30 15:59 ` Jason A. Donenfeld
2022-12-30 16:21 ` Jason A. Donenfeld
2022-12-30 19:13 ` H. Peter Anvin
2022-12-31 9:48 ` Borislav Petkov
2022-12-31 12:54 ` Jason A. Donenfeld
2022-12-31 13:35 ` Borislav Petkov
2022-12-31 13:42 ` Jason A. Donenfeld
2022-12-30 18:30 ` Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y6xvJheSYC83voCZ@zx2c4.com \
--to=jason@zx2c4.com \
--cc=ardb@kernel.org \
--cc=bp@alien8.de \
--cc=ebiggers@kernel.org \
--cc=hpa@zytor.com \
--cc=kraxel@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=philmd@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.