| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 16 May 2016 15:23:51 -0500 From: Alex Thorlton <athorlton@....com> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Ingo Molnar <mingo@...nel.org>, Alex Thorlton <athorlton@....com>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Matt Fleming <matt@...eblueprint.co.uk>, Thomas Gleixner <tglx@...utronix.de>, "H. Peter Anvin" <hpa@...or.com>, Andrew Morton <akpm@...ux-foundation.org>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Borislav Petkov <bp@...en8.de> Subject: Re: [GIT PULL] EFI fix On Mon, May 16, 2016 at 01:05:45PM -0700, Linus Torvalds wrote: > On Mon, May 16, 2016 at 7:46 AM, Ingo Molnar <mingo@...nel.org> wrote: > > > > Please pull the latest efi-urgent-for-linus git tree from: > > > > git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git efi-urgent-for-linus > > > > # HEAD: bea23c757f66d91dac8fdadd94da0cba6b0b66bc x86/efi: Fix 7th argument to efi_call() > > > > A leftover fix from the v4.6 cycle. > > I'm not pulling this. It seems to be completely broken unless I'm > mis-reading things. > > > diff --git a/arch/x86/platform/efi/efi_stub_64.S b/arch/x86/platform/efi/efi_stub_64.S > > index 92723aeae0f9..62938ffbb9f9 100644 > > --- a/arch/x86/platform/efi/efi_stub_64.S > > +++ b/arch/x86/platform/efi/efi_stub_64.S > > @@ -43,7 +43,7 @@ ENTRY(efi_call) > > FRAME_BEGIN > > SAVE_XMM > > mov (%rsp), %rax > > - mov 8(%rax), %rax > > + mov 16(%rax), %rax > > subq $48, %rsp > > mov %r9, 32(%rsp) > > mov %rax, 40(%rsp) > > This code is an unmitigated disaster. It makes no sense, but the > reason I refuse to pull it is that it also seems to be buggy - with or > without that patch. > > In particular,. the SAME_XMM code saves the old stack pointer, but > that's just crazy. It saves the stack pointer *AFTER* we've done that > > FRAME_BEGIN > > which will have *changed* the stack pointer, depending on whether > stack frames are enabled or not. > > So when the code then does > > mov (%rsp), %rax > > we now move that old stack pointer into %rax, but the offset off that > stack pointer will depend on whether that FRAME_BEGIN saved off %rbp > or not. > > So that whole 8-vs-16 offset confusion depends on the frame pointer! > If frame pointers were enabled, it will be 16. If they weren't, it > will be 8. That patch that changes it from 8 to 16 will just move the > bug around. Before, it was correct when frame pointers were disabled > and buggy otherwise. Now, it's correct if frame pointers are enabled, > and buggy otherwise. This makes sense. I missed the implication of the conditionally defined FRAME_BEGIN being used at the beginning of this function. My fix works on our machines, because we always have frame pointers enabled, but I do see, now, how this effectively just moves the bug. > I may be missing something, but I think that commit is pure garbage. > > I think the right fix is to just get rid of that silly conditional > frame pointer thing, and always use frame pointers in this stub > function. And then we don't need that (odd) load to get the old stack > pointer into %rax - we can just use the frame pointer. After having read your explanation, I agree. If we leave in the conditional frame pointer chunk, we'll have to do some other trickery to make sure that we get the offset for the 7th arg correct, which sounds ugly. Your idea seems like a much cleaner fix. > Something like the attached completely untested patch. > > But maybe I was missing something. Maybe my patch is crap and the > patch above is right for some reason that completely evades me. > > Since this apparently only affects the SGI EFI stuff, can you please > test this, Alex? Everything discussed above makes sense to me, and the patch looks sane. I will apply and test it today and let you know how it works. Thanks for looking at this! - Alex
Powered by blists - more mailing lists