lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Fri, 09 Sep 2011 03:41:19 +0100
From:	Ben Hutchings <ben@...adent.org.uk>
To:	Andres Salomon <dilinger@...ued.net>, 640964@...s.debian.org
Cc:	LKML <linux-kernel@...r.kernel.org>
Subject: Re: Bug#640964: linux-image-3.1.0-rc4-486: BUG() triggered on XO-1
 hardware

On Thu, 2011-09-08 at 17:46 -0700, Andres Salomon wrote:
> Package: linux-image-3.1.0-rc4-486
> Version: 3.1.0~rc4-1~experimental.1
> Severity: normal
> 
> During boot on an OLPC XO-1, I encounter the following problem.  I
> believe it's the statement BUG_ON(a->cpuid >= NCAPINTS*32), though I'm
> not staring at an exact copy of linux-2.6 source.
[...]

Agreed.

Variable a is in the EBX register, value 0xc143c668.  Looking at a dump
of this kernel image, the __alt_instructions array starts with:

 c143c638 7e51bcff 1c050000 1a000503 7d51bcff  ~Q..........}Q..
 c143c648 13050000 1a000503 6653bcff 0a050000  ........fS......
 c143c658 19000503 00000000 ce55bcff 00000000  .........U......
 c143c668 9a000200 cf55bcff f1040000 e4000303  .....U..........
 ...

Converting back to C structures:

/* instr_offset, repl_offset, cpuid, instrlen, replacementlen */
{ 0xffbc517e, 0x0000051c, 0x001a, 0x05, 0x03 },
{ 0xffbc517d, 0x00000513, 0x001a, 0x05, 0x03 },
{ 0xffbc5366, 0x0000050a, 0x0019, 0x05, 0x03 },
{ 0x00000000, 0xffbc55ce, 0x0000, 0x00, 0x00 },
{ 0x0002009a, 0xffbc55cf, 0x04f1, 0x00, 0x00 },
...

Oops, we have 4 bytes of zeroes between what should be elements 2 and 3.
That results in __alt_instructions[4].cpuid == 0x04f1 which trips the
BUG check.  This is nothing OLPC-specific; it's going to happen on any
machine trying to boot this image.

So the question is, where does that padding come from?

Ben.

-- 
Ben Hutchings
I say we take off; nuke the site from orbit.  It's the only way to be sure.

Download attachment "signature.asc" of type "application/pgp-signature" (829 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ