lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 20 Aug 2014 20:53:45 +0100
From:	Michael Brown <mbrown@...systems.co.uk>
To:	Mantas Mikulėnas <grawity@...il.com>,
	Matt Fleming <matt@...sole-pimps.org>
CC:	Yinghai Lu <yinghai@...nel.org>,
	Matt Fleming <matt.fleming@...el.com>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	linux-efi@...r.kernel.org
Subject: Re: Loading initrd above 4G causes freeze on boot

On 20/08/14 20:05, Mantas Mikulėnas wrote:
> On Wed, Aug 20, 2014 at 8:05 PM, Matt Fleming <matt@...sole-pimps.org> wrote:
>> On Wed, 13 Aug, at 07:44:49PM, Matt Fleming wrote:
>>>
>>> At this point, I think modifying the max address is the best way to
>>> debug this further, and figure out what address causes the hang.
>>
>> Mantas, did you manage to get to the bottom of this issue?
>
> I experimented with some things (like setting chunk size to a few kB
> to see if it hangs earlier or only at the very end; etc.), and finally
> found out that it stops freezing if I pad the initrd file to a
> multiple of 512 bytes :/ That is, 5684268 bytes will freeze, 5684736
> bytes will not.
>
> ...In other words, seems like it cannot read chunks that aren't
> multiples of 512 into a location above 4 GB. Or something like that...

I haven't been following this thread closely, but that immediately 
sounds like a problem within the EFI_DISK_IO_PROTOCOL implementation 
(which is responsible for handling smaller-than-block-sized reads). 
Looking at the EDK2 implementation in 
MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIo.c, the memory management 
does appear to be somewhat inventive.  In particular, there's a frequent 
pattern in DiskIoCreateSubtaskList() equivalent to:

   if ( blocking_io ) {
      buffer = some_static_buffer;
   } else {
      buffer = malloc ( len );
      if ( ! buffer )
         goto single_shared_error_label;
   }
   ... do not record whether or not buffer was dynamically allocated ...
   ... use buffer as part of an asynchronous I/O operation ...
   ... eventually choose whether or not to free buffer, and hope the 
choice is correct ...

It's not at all obvious that memory is freed correctly, especially under 
some of the error paths within that code.

I can't immediately see anything that should fail with a pointer above 
4G, but I wouldn't be surprised to find a path that causes a double free 
or similar error.

Apologies if I've missed something critical earlier in the thread, 
making my ramblings are totally irrelevant.

Michael
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ