lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:	Sat, 10 Sep 2011 05:11:06 +0100
From:	Ben Hutchings <ben@...adent.org.uk>
To:	Andres Salomon <dilinger@...ued.net>
Cc:	640964@...s.debian.org, LKML <linux-kernel@...r.kernel.org>
Subject: Re: Bug#640964: linux-image-3.1.0-rc4-486: BUG() triggered on XO-1
 hardware

On Fri, 2011-09-09 at 03:41 +0100, Ben Hutchings wrote:
> On Thu, 2011-09-08 at 17:46 -0700, Andres Salomon wrote:
> > Package: linux-image-3.1.0-rc4-486
> > Version: 3.1.0~rc4-1~experimental.1
> > Severity: normal
> > 
> > During boot on an OLPC XO-1, I encounter the following problem.  I
> > believe it's the statement BUG_ON(a->cpuid >= NCAPINTS*32), though I'm
> > not staring at an exact copy of linux-2.6 source.
> [...]
> 
> Agreed.
> 
> Variable a is in the EBX register, value 0xc143c668.  Looking at a dump
> of this kernel image, the __alt_instructions array starts with:
> 
>  c143c638 7e51bcff 1c050000 1a000503 7d51bcff  ~Q..........}Q..
>  c143c648 13050000 1a000503 6653bcff 0a050000  ........fS......
>  c143c658 19000503 00000000 ce55bcff 00000000  .........U......
>  c143c668 9a000200 cf55bcff f1040000 e4000303  .....U..........
>  ...
> 
> Converting back to C structures:
> 
> /* instr_offset, repl_offset, cpuid, instrlen, replacementlen */
> { 0xffbc517e, 0x0000051c, 0x001a, 0x05, 0x03 },
> { 0xffbc517d, 0x00000513, 0x001a, 0x05, 0x03 },
> { 0xffbc5366, 0x0000050a, 0x0019, 0x05, 0x03 },
> { 0x00000000, 0xffbc55ce, 0x0000, 0x00, 0x00 },
> { 0x0002009a, 0xffbc55cf, 0x04f1, 0x00, 0x00 },
> ...
> 
> Oops, we have 4 bytes of zeroes between what should be elements 2 and 3.
> That results in __alt_instructions[4].cpuid == 0x04f1 which trips the
> BUG check.  This is nothing OLPC-specific; it's going to happen on any
> machine trying to boot this image.
> 
> So the question is, where does that padding come from?

Element 2 is for the wmb() in async_hcall() in arch/x86/lguest/boot.c.
Element 3 is for the use_xsave() in __unlazy_fpu().

There is no padding between any of the other elements in
__alt_instructions in this image.

But there's nothing very special or obviously wrong about those two uses
of alternatives.

Ben.

-- 
Ben Hutchings
I say we take off; nuke the site from orbit.  It's the only way to be sure.

Download attachment "signature.asc" of type "application/pgp-signature" (829 bytes)

Powered by blists - more mailing lists