Date:	Wed, 20 Aug 2014 21:30:11 +0100
From:	Matt Fleming <matt@...sole-pimps.org>
To:	Michael Brown <mbrown@...systems.co.uk>
Cc:	Mantas Mikulėnas <grawity@...il.com>,
	Yinghai Lu <yinghai@...nel.org>,
	Matt Fleming <matt.fleming@...el.com>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	linux-efi@...r.kernel.org, edk2-devel@...ts.sourceforge.net
Subject: Re: Loading initrd above 4G causes freeze on boot

[ Pulling in EDK2 folks for help ]

On Wed, 20 Aug, at 08:53:45PM, Michael Brown wrote:
> On 20/08/14 20:05, Mantas Mikulėnas wrote:
> >
> >I experimented with some things (like setting chunk size to a few kB
> >to see if it hangs earlier or only at the very end; etc.), and finally
> >found out that it stops freezing if I pad the initrd file to a
> >multiple of 512 bytes :/ That is, 5684268 bytes will freeze, 5684736
> >bytes will not.
> >
> >...In other words, seems like it cannot read chunks that aren't
> >multiples of 512 into a location above 4 GB. Or something like that...
> 
> I haven't been following this thread closely, but that immediately
> sounds like a problem within the EFI_DISK_IO_PROTOCOL implementation
> (which is responsible for handling smaller-than-block-sized reads).
> Looking at the EDK2 implementation in
> MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIo.c, the memory
> management does appear to be somewhat inventive.  In particular,
> there's a frequent pattern in DiskIoCreateSubtaskList() equivalent
> to:
> 
>   if ( blocking_io ) {
>      buffer = some_static_buffer;
>   } else {
>      buffer = malloc ( len );
>      if ( ! buffer )
>         goto single_shared_error_label;
>   }
>   ... do not record whether or not buffer was dynamically allocated ...
>   ... use buffer as part of an asynchronous I/O operation ...
>   ... eventually choose whether or not to free buffer, and hope the
> choice is correct ...
> 
> It's not at all obvious that memory is freed correctly, especially
> under some of the error paths within that code.
> 
> I can't immediately see anything that should fail with a pointer
> above 4G, but I wouldn't be surprised to find a path that causes a
> double free or similar error.

Guys, the original thread starts here,

  http://article.gmane.org/gmane.linux.kernel.efi/4424

Basically, reading into a buffer above 0xffffffff using
EFI_FILE_PROTOCOL causes Mantas' machine to crash, irrespective of the
size of the read.

Is this a known issue? Perhaps here be dragons?

Halp?

-- 
Matt Fleming, Intel Open Source Technology Center
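As an added illustration, not code from EDK2 or from anyone on this thread, the following hypothetical C model shows the pattern Michael describes with the missing piece supplied: each subtask records whether its buffer was borrowed from the static buffer or came from malloc, so one shared cleanup path can free exactly the right ones, including when subtask creation fails part-way through a list. The names (subtask_t, run_transfer, allocation_balance) and the 64-subtask cap are assumptions of this example.

```c
#include <stdlib.h>

/* Hypothetical model of a DiskIo-style subtask list; not EDK2 code. */
#define BLOCK_SIZE   512
#define MAX_SUBTASKS 64
static unsigned char g_shared_buffer[BLOCK_SIZE]; /* the "some_static_buffer" case */
static int g_allocs = 0, g_frees = 0;             /* let a caller audit malloc/free pairing */

/* owns_buffer is set only when buffer came from malloc; it drives the free decision. */
typedef struct { unsigned char *buffer; int owns_buffer; } subtask_t;

/* Choose the buffer for one subtask and record who owns it. */
static int subtask_init(subtask_t *t, size_t len, int blocking_io) {
    t->owns_buffer = 0;
    if (blocking_io) { t->buffer = g_shared_buffer; return 0; }  /* borrowed: never freed */
    if ((t->buffer = malloc(len)) == NULL)
        return -1;
    t->owns_buffer = 1;
    g_allocs++;
    return 0;
}

/* Free only what the subtask owns; safe on blocking and async subtasks alike. */
static void subtask_free(subtask_t *t) {
    if (t->owns_buffer) { free(t->buffer); g_frees++; }
    t->buffer = NULL;
    t->owns_buffer = 0;
}

/* Split `len` bytes into block-sized subtasks plus a partial tail (the non-multiple-of-512
 * case) and tear everything down through one shared exit path. Returns the subtask count,
 * or -1 if the list would overflow. */
int run_transfer(size_t len, int blocking_io) {
    subtask_t list[MAX_SUBTASKS];
    size_t n = (len + BLOCK_SIZE - 1) / BLOCK_SIZE, i;
    if (n > MAX_SUBTASKS)
        return -1;
    for (i = 0; i < n; i++) {
        size_t chunk = (i == n - 1 && len % BLOCK_SIZE) ? len % BLOCK_SIZE : BLOCK_SIZE;
        if (subtask_init(&list[i], chunk, blocking_io) != 0)
            break;            /* partial failure: still release 0..i-1 below */
    }
    while (i-- > 0)
        subtask_free(&list[i]);  /* the ownership flag, not the caller, decides */
    return (int)n;
}

/* Outstanding allocations: 0 means each malloc was matched by exactly one free. */
int allocation_balance(void) { return g_allocs - g_frees; }
```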