lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20080306102403.GC13391@elte.hu>
Date:	Thu, 6 Mar 2008 11:24:03 +0100
From:	Ingo Molnar <mingo@...e.hu>
To:	Peter Korsgaard <jacmet@...site.dk>
Cc:	hpa@...or.com, linux-kernel@...r.kernel.org,
	Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [PATCH] x86-boot: don't request VBE2 information


* Peter Korsgaard <jacmet@...site.dk> wrote:

> The new x86 setup code (4fd06960f120) broke booting on an old 
> P3/500MHz with an onboard Voodoo3 of mine. After debugging it, it 
> turned out to be caused by the fact that the vesa probing now asks for 
> VBE2 data.
> 
> Disassembing the video BIOS shows that it overflows the 
> vesa_general_info structure when VBE2 data is requested because the 
> source addresses for the information strings which get strcpy'ed to 
> the buffer lie outside the 32K BIOS code (and hence contain long 
> sequences of 0xff's).
> 
> E.G.:
> 
> get_vbe_controller_info:
> 00002A9C  60                pushaw
> 00002A9D  1E                push ds
> 00002A9E  0E                push cs
> 00002A9F  1F                pop ds
> 00002AA0  2BC9              sub cx,cx
> 00002AA2  6626813D56424532  cmp dword [es:di],0x32454256 ; "VBE2"
> 00002AAA  7501              jnz .1
> 00002AAC  41                inc cx
> .1:
> 00002AAD  51                push cx
> 00002AAE  B91400            mov cx,0x14
> 00002AB1  BED47F            mov si, controller_header
> 00002AB4  57                push di
> 00002AB5  F3A4              rep movsb ; copy vbe1.2 header
> 
> 00002AB7  B9EC00            mov cx,0xec
> 00002ABA  2AC0              sub al,al
> 00002ABC  F3AA              rep stosb ; zero pad remainder
> 
> 00002ABE  5F                pop di
> 00002ABF  E8EB0D            call word get_memory
> 00002AC2  C1E002            shl ax,0x2
> 00002AC5  26894512          mov [es:di+0x12],ax ; total memory
> 00002AC9  26C745040003      mov word [es:di+0x4],0x300 ; VBE version
> 00002ACF  268C4D08          mov [es:di+0x8],cs
> 00002AD3  268C4D10          mov [es:di+0x10],cs
> 00002AD7  59                pop cx
> 00002AD8  E361              jcxz .done ; VBE2 requested?
> 00002ADA  8D9D0001          lea bx,[di+0x100]
> 00002ADE  53                push bx
> 00002ADF  87DF              xchg bx,di ; di now points to 2nd half
> 00002AE1  26C747140001      mov word [es:bx+0x14],0x100 ; sw rev
> 
> 00002AE7  26897F06          mov [es:bx+0x6],di		; oem string
> 00002AEB  268C4708          mov [es:bx+0x8],es
> 00002AEF  BE5280            mov si,0x8052 ; oem string
> 00002AF2  E87A1B            call word strcpy
> 
> 00002AF5  26897F0E          mov [es:bx+0xe],di ; video mode list
> 00002AF9  268C4710          mov [es:bx+0x10],es
> 00002AFD  B91E00            mov cx,0x1e
> 00002B00  BEE87F            mov si,vidmodes
> 00002B03  F3A5              rep movsw
> 
> 00002B05  26897F16          mov [es:bx+0x16],di ; oem vendor
> 00002B09  268C4718          mov [es:bx+0x18],es
> 00002B0D  BE2480            mov si,0x8024 ; oem vendor
> 00002B10  E85C1B            call word strcpy
> 
> 00002B13  26897F1A          mov [es:bx+0x1a],di ; oem product
> 00002B17  268C471C          mov [es:bx+0x1c],es
> 00002B1B  BE3880            mov si,0x8038 ; oem product
> 00002B1E  E84E1B            call word strcpy
> 
> 00002B21  26897F1E          mov [es:bx+0x1e],di ; oem product rev
> 00002B25  268C4720          mov [es:bx+0x20],es
> 00002B29  BE4580            mov si,0x8045 ; oem product rev
> 00002B2C  E8401B            call word strcpy
> 
> 00002B2F  58                pop ax
> 00002B30  B90001            mov cx,0x100
> 00002B33  2BCF              sub cx,di
> 00002B35  03C8              add cx,ax
> 00002B37  2AC0              sub al,al
> 00002B39  F3AA              rep stosb ; zero pad
> .done:
> 00002B3B  1F                pop ds
> 00002B3C  61                popaw
> 00002B3D  B84F00            mov ax,0x4f
> 00002B40  C3                ret
> 
> (The full BIOS can be found at http://peter.korsgaard.com/vgabios.bin
> if interested).
> 
> The old setup code didn't ask for VBE2 info, and the new code doesn't 
> actually do anything with the extra information, so the fix is to 
> simply not request it. Other BIOS'es might have the same problem.

thanks Peter, very nice debugging! I've applied your fix.

	Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ