| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20121223184516.GC8190@liondog.tnic>
Date: Sun, 23 Dec 2012 19:45:16 +0100
From: Borislav Petkov <bp@...en8.de>
To: Yinghai Lu <yinghai@...nel.org>
Cc: "H. Peter Anvin" <hpa@...or.com>,
Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...e.hu>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Andrew Morton <akpm@...ux-foundation.org>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v7 00/27] x86, boot, 64bit: Add support for loading
ramdisk and bzImage above 4G
On Sun, Dec 23, 2012 at 10:00:26AM -0800, Yinghai Lu wrote:
> On Sun, Dec 23, 2012 at 6:33 AM, H. Peter Anvin <hpa@...or.com> wrote:
> > Explanation please?
>
> you have following change in the patch
>
> /* Finally jump to run C code and to be on real kernel address
> * Since we are running on identity-mapped space we have to jump
> * to the full 64bit address, this is only possible as indirect
> * jump. In addition we need to ensure %cs is set so we make this
> - * a far return.
> + * a far jump.
> */
> - movq initial_code(%rip),%rax
> pushq $0 # fake return address to stop unwinder
> - pushq $__KERNEL_CS # set correct cs
> - pushq %rax # target address in negative space
> - lretq
> + /* gas 2.22 is buggy and mis-assembles ljmpq */
> + rex64 ljmp *initial_code(%rip)
>
> #ifdef CONFIG_HOTPLUG_CPU
> /*
>
> remove that change, AMD systems works again.
Right, the original code did a RET FAR by popping CS and rIP from the
stack. And we did prepare the stack properly before that so it worked.
Now, the ljmp translates to a JMP FAR:
ffffffff8100016e: 48 ff 2d ab a5 7f 00 rex.W ljmpq *0x7fa5ab(%rip) # ffffffff817fa720 <initial_code>
ffffffff81000175: 66 66 2e 0f 1f 84 00 data32 nopw %cs:0x0(%rax,%rax,1)
ffffffff8100017c: 00 00 00 00
and in 64-bit mode it has for an operand a 16-bit selector followed by a
32-bit offset.
Now, Intel SDM says also this:
REX.W + FF /5 JMP m16:64 A Valid N.E. Jump far, absolute indirect,
address given in m16:64.
And I don't think AMD supports a 64-bit offset. At least I don't see it
in the APM where it has only:
JMP FAR mem16:16 FF /5 Far jump indirect, with the target specified by a far
pointer in memory.
JMP FAR mem16:32 FF /5 Far jump indirect, with the target specified by a far
pointer in memory.
This is at least what I can see at a quick scan. I could ask around if
AMD actually supports that FF /5 with a REX.W prefix and it is not only
a documentation omission.
HTH.
--
Regards/Gruss,
Boris.
Sent from a fat crate under my desk. Formatting is fine.
--
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists