Message-ID: <4643A128.30302@zytor.com>
Date:	Thu, 10 May 2007 15:48:08 -0700
From:	"H. Peter Anvin" <hpa@...or.com>
To:	Alexander van Heukelum <heukelum@...lshack.com>
CC:	"Eric W. Biederman" <ebiederm@...ssion.com>,
	"Antonino A. Daplas" <adaplas@...il.com>, Andi Kleen <ak@...e.de>,
	Andrew Morton <akpm@...l.org>,
	Matt Domsch <Matt_Domsch@...l.com>,
	Vivek Goyal <vgoyal@...ibm.com>,
	James Bottomley <James.Bottomley@...senPar>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: x86 setup rewrite tree ready for flamage^W review

Alexander van Heukelum wrote:
> On Thu, May 10, 2007 at 11:08:10AM -0700, H. Peter Anvin wrote:
>> As far as I could tell, "scan" simply caused the nonstandard video
>> driver scan modules (unsafe probes) to be invoked.  Since those modules
>> are no longer present, there appeared to be no need for them.  The VGA
>> and VESA probes are safe.
> 
> It doesn't probe the hardware in dangerous ways. (Search for mode_scan
> in video.S) It works by trying to set a mode via the normal
> AH=0/AL=mode/int 0x10 method for all possible values of mode. It then
> checks if the bios reports the new mode as being set and reads a few
> standard vga registers to determine if it is a text mode. It's
> completely independent of the CONFIG_VIDEO_SVGA stuff.

It's dangerous, all right (which is why it doesn't do it by default),
since you have no guarantee that the BIOS doesn't totally vomit on these
calls -- or, like my laptop, take about a minute before giving up
finding nothing.

Anyway, I re-implemented scanning and pushed it out to the git tree;
please try it out as it does absolutely nothing on any of my machines.

> That makes me wonder: (from arch/i386/boot/pmjump.S)
> 
>         movw    $__BOOT_DS, %cx
> 
>         movl    %cr0, %edx
>         orb     $1, %dl                 # Protected mode (PE) bit
>         movl    %edx, %cr0
> 
>         movw    %cx, %ds
>         movw    %cx, %es
>         movw    %cx, %fs
>         movw    %cx, %gs
>         movw    %cx, %ss
> 
>         # Jump to the 32-bit entrypoint
>         .byte   0x66, 0xea              # ljmpl opcode
> 2:      .long   0                       # offset
>         .word   __BOOT_CS               # segment
> 
> I thought the 32-bit jump was required to come before the segment loads.
> Does this code load values from the gdt, or are they just loaded as real
> mode segments? As long as it does not crash it does not matter, because
> head.S reloads them again.

Once CR0.PE is set, segments are loaded from the GDT.

	-hpa
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
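The point hpa closes on (once CR0.PE is set, a `movw %cx, %ds` fetches a descriptor from the GDT rather than treating the value as a real-mode paragraph number) is easy to check by hand with a descriptor decoder. The C program below is an added example, not code from the thread or from the kernel tree: it builds a small GDT in the usual boot-time shape (null entry plus a flat 4 GiB code and data segment), then resolves a selector both ways. The selector values `0x10`/`0x18` and the GDT layout are assumptions chosen for illustration; the bit layout of the descriptor and selector follows the Intel SDM vol. 3 description of segment descriptors.

```c
/* Added example: decode x86 GDT descriptors the way a segment-register load
 * does with CR0.PE=1, and contrast with the real-mode rule base = sel << 4.
 * GDT contents and selector values are constructed for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define EX_BOOT_CS 0x10   /* assumed: GDT index 2, TI=0, RPL=0 */
#define EX_BOOT_DS 0x18   /* assumed: GDT index 3, TI=0, RPL=0 */
#define GDT_ENTRIES 4

struct seg_desc {
    uint32_t base;
    uint32_t limit;        /* effective byte limit after applying G */
    bool present, code, granularity_4k, op32;
    uint8_t dpl;
};

static uint8_t gdt[GDT_ENTRIES * 8];
static bool gdt_ready;

/* Pack an 8-byte descriptor in CPU layout (base/limit are split across bytes). */
static void make_desc(uint8_t *d, uint32_t base, uint32_t limit,
                      uint8_t access, uint8_t flags)
{
    d[0] = limit & 0xff;
    d[1] = (limit >> 8) & 0xff;
    d[2] = base & 0xff;
    d[3] = (base >> 8) & 0xff;
    d[4] = (base >> 16) & 0xff;
    d[5] = access;                                   /* P DPL S Type */
    d[6] = ((limit >> 16) & 0x0f) | (uint8_t)(flags << 4); /* G D/B L AVL : limit[19:16] */
    d[7] = (base >> 24) & 0xff;
}

static void build_sample_gdt(void)
{
    memset(gdt, 0, sizeof gdt);   /* entry 0 is the mandatory null descriptor; entry 1 left empty */
    make_desc(gdt + 2 * 8, 0, 0xfffff, 0x9b, 0xc);   /* flat 32-bit code, exec/read, DPL0 */
    make_desc(gdt + 3 * 8, 0, 0xfffff, 0x93, 0xc);   /* flat 32-bit data, read/write, DPL0 */
    gdt_ready = true;
}

static void decode_desc(const uint8_t *d, struct seg_desc *out)
{
    uint32_t raw_limit = d[0] | (d[1] << 8) | ((d[6] & 0x0f) << 16);
    out->base = d[2] | (d[3] << 8) | (d[4] << 16) | ((uint32_t)d[7] << 24);
    out->present = (d[5] & 0x80) != 0;
    out->dpl = (d[5] >> 5) & 3;
    out->code = (d[5] & 0x08) != 0;                  /* type bit 3: 1 = code segment */
    out->granularity_4k = (d[6] & 0x80) != 0;
    out->op32 = (d[6] & 0x40) != 0;
    out->limit = out->granularity_4k ? (raw_limit << 12) | 0xfff : raw_limit;
}

/* Real mode (CR0.PE=0): no table lookup at all, the segment value is a paragraph number. */
static uint32_t real_mode_base(uint16_t sel) { return (uint32_t)sel << 4; }

/* Protected mode (CR0.PE=1): selector = index[15:3] TI[2] RPL[1:0]; index picks a GDT entry.
 * Returns false for cases the CPU would reject or leave unusable: LDT selectors (not
 * modelled here), the null selector, an index past the GDT limit, or a non-present entry. */
static bool protected_mode_load(uint16_t sel, struct seg_desc *out)
{
    if (!gdt_ready) build_sample_gdt();
    uint16_t index = sel >> 3;
    if ((sel >> 2) & 1) return false;
    if (index == 0) return false;
    if ((uint32_t)index * 8 + 8 > sizeof gdt) return false;
    decode_desc(gdt + index * 8, out);
    return out->present;
}

/* Helper for checks: does `sel` resolve to a present flat 4 GiB segment of the given kind? */
static bool is_flat_segment(uint16_t sel, bool want_code)
{
    struct seg_desc d;
    return protected_mode_load(sel, &d) && d.base == 0 && d.limit == 0xffffffffu &&
           d.code == want_code && d.op32 && d.dpl == 0;
}

int main(void)
{
    struct seg_desc d;
    uint16_t sels[] = { EX_BOOT_CS, EX_BOOT_DS, 0x08, 0x20 };
    for (size_t i = 0; i < sizeof sels / sizeof sels[0]; i++) {
        printf("selector 0x%02x: real-mode base 0x%05x; ", sels[i], real_mode_base(sels[i]));
        if (protected_mode_load(sels[i], &d))
            printf("PE=1 -> base 0x%08x limit 0x%08x %s\n", d.base, d.limit, d.code ? "code" : "data");
        else
            printf("PE=1 -> no usable descriptor (#GP on use)\n");
    }
    return 0;
}
```

With PE set, the `movw %cx, %ds` in the quoted snippet therefore picks up base 0 / limit 4 GiB from the data descriptor immediately; the far jump that follows only serves to reload CS and flush the prefetch queue, which is why the segment loads may legitimately precede it.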