| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Aug 2018 14:12:12 -0700
From: Guenter Roeck <linux@...ck-us.net>
To: Dave Hansen <dave.hansen@...el.com>
Cc: linux-kernel@...r.kernel.org, Thomas Gleixner <tglx@...utronix.de>,
Michal Hocko <mhocko@...e.com>,
Andi Kleen <ak@...ux.intel.com>,
Linus Torvalds <torvalds@...ux-foundation.org>, x86@...nel.org,
Joerg Roedel <jroedel@...e.de>, Pavel Machek <pavel@....cz>
Subject: Re: efi boot failures due to PTI with 32 bit builds and Intel CPUs
On Wed, Aug 29, 2018 at 01:28:16PM -0700, Dave Hansen wrote:
> On 08/29/2018 01:16 PM, Guenter Roeck wrote:
> >
> > I see boot failures on mainline when trying to boot x86 images with an efi
> > bios on Intel CPUs in qemu. Behavior is quite unusual: qemu dies silently
> > after the kernel displays "Run /sbin/init as init process". With debugging
> > enabled, qemu reports a CR3 update followed by a triple fault.
>
> My first thought would be that the EFI pgd is broken somehow.
>
> Is 0e39b000 in your kernel binary, or was it dynamically allocated?
>
No idea. In the log below (taken after I recompiled with the latest upstream
kernel) the CR3 value is completely different. Where is the value expected
to come from ?
> What was CR2 when things went bad? Could you just share a full register
> dump?
Here you are. I have a complete log file, but its size is about 1.7GB
(21MB compressed). Let me know if you need it, and I'll publish it
somewhere.
Thanks,
Guenter
---
0xce1f1cd9: 66 90 nop
0xce1f1cdb: 8b 44 24 38 movl 0x38(%esp), %eax
0xce1f1cdf: 8a 64 24 40 movb 0x40(%esp), %ah
0xce1f1ce3: 8a 44 24 34 movb 0x34(%esp), %al
0xce1f1ce7: 25 03 04 02 00 andl $0x20403, %eax
0xce1f1cec: 3d 03 04 00 00 cmpl $0x403, %eax
0xce1f1cf1: 75 27 jne 0xce1f1d1a
EAX=f60b8000 EBX=ff8020bc ECX=00000000 EDX=00000000
ESI=f60c1ff8 EDI=ff802100 EBP=00000000 ESP=f60c1fb4
EIP=ce1f1cd7 EFL=00200006 [-----P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =007b 00000000 ffffffff 00cff300 DPL=3 DS [-WA]
CS =0060 00000000 ffffffff 00cf9a00 DPL=0 CS32 [-R-]
SS =0068 00000000 ffffffff 00cf9300 DPL=0 DS [-WA]
DS =007b 00000000 ffffffff 00cff300 DPL=3 DS [-WA]
FS =00d8 2819b000 ffffffff 008f9300 DPL=0 DS16 [-WA]
GS =00e0 f67f29c0 00000018 00409100 DPL=0 DS [--A]
LDT=0000 00000000 00000000 00008200 DPL=0 LDT
TR =0080 ff803000 0000206b 00008900 DPL=0 TSS32-avl
GDT= f67e2000 000000ff
IDT= ff800000 000007ff
CR0=80050033 CR2=b7f30854 CR3=35402000 CR4=000006d0
DR0=00000000 DR1=00000000 DR2=00000000 DR3=00000000
DR6=ffff0ff0 DR7=00000400
CCS=00000022 CCD=00000011 CCO=SARL
EFER=0000000000000000
----------------
IN:
0xce1f1d1a: 66 90 nop
0xce1f1d1c: 0f 20 d8 movl %cr3, %eax
0xce1f1d1f: 0d 00 10 00 00 orl $0x1000, %eax
0xce1f1d24: 0f 22 d8 movl %eax, %cr3
EAX=00000003 EBX=ff8020bc ECX=00000000 EDX=00000000
ESI=f60c1ff8 EDI=ff802100 EBP=00000000 ESP=ff8020bc
EIP=ce1f1d1a EFL=00200087 [--S--PC] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =007b 00000000 ffffffff 00cff300 DPL=3 DS [-WA]
CS =0060 00000000 ffffffff 00cf9a00 DPL=0 CS32 [-R-]
SS =0068 00000000 ffffffff 00cf9300 DPL=0 DS [-WA]
DS =007b 00000000 ffffffff 00cff300 DPL=3 DS [-WA]
FS =00d8 2819b000 ffffffff 008f9300 DPL=0 DS16 [-WA]
GS =00e0 f67f29c0 00000018 00409100 DPL=0 DS [--A]
LDT=0000 00000000 00000000 00008200 DPL=0 LDT
TR =0080 ff803000 0000206b 00008900 DPL=0 TSS32-avl
GDT= f67e2000 000000ff
IDT= ff800000 000007ff
CR0=80050033 CR2=b7f30854 CR3=35402000 CR4=000006d0
DR0=00000000 DR1=00000000 DR2=00000000 DR3=00000000
DR6=ffff0ff0 DR7=00000400
CCS=00000403 CCD=fffffc00 CCO=SUBL
EFER=0000000000000000
CR3 update: CR3=35403000
----------------
IN:
0xce1f1d27: 5b popl %ebx
0xce1f1d28: 59 popl %ecx
0xce1f1d29: 5a popl %edx
0xce1f1d2a: 5e popl %esi
0xce1f1d2b: 5f popl %edi
0xce1f1d2c: 5d popl %ebp
0xce1f1d2d: 58 popl %eax
0xce1f1d2e: 1f popl %ds
EAX=35403000 EBX=ff8020bc ECX=00000000 EDX=00000000
ESI=f60c1ff8 EDI=ff802100 EBP=00000000 ESP=ff8020bc
EIP=ce1f1d27 EFL=00200006 [-----P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =007b 00000000 ffffffff 00cff300 DPL=3 DS [-WA]
CS =0060 00000000 ffffffff 00cf9a00 DPL=0 CS32 [-R-]
SS =0068 00000000 ffffffff 00cf9300 DPL=0 DS [-WA]
DS =007b 00000000 ffffffff 00cff300 DPL=3 DS [-WA]
FS =00d8 2819b000 ffffffff 008f9300 DPL=0 DS16 [-WA]
GS =00e0 f67f29c0 00000018 00409100 DPL=0 DS [--A]
LDT=0000 00000000 00000000 00008200 DPL=0 LDT
TR =0080 ff803000 0000206b 00008900 DPL=0 TSS32-avl
GDT= f67e2000 000000ff
IDT= ff800000 000007ff
CR0=80050033 CR2=b7f30854 CR3=35403000 CR4=000006d0
DR0=00000000 DR1=00000000 DR2=00000000 DR3=00000000
DR6=ffff0ff0 DR7=00000400
CCS=00000403 CCD=35403000 CCO=LOGICL
EFER=0000000000000000
EAX=35403000 EBX=ff8020bc ECX=00000000 EDX=00000000
ESI=f60c1ff8 EDI=ff802100 EBP=00000000 ESP=ff8020bc
EIP=ce1f1d27 EFL=00200006 [-----P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =007b 00000000 ffffffff 00cff300 DPL=3 DS [-WA]
CS =0060 00000000 ffffffff 00cf9a00 DPL=0 CS32 [-R-]
SS =0068 00000000 ffffffff 00cf9300 DPL=0 DS [-WA]
DS =007b 00000000 ffffffff 00cff300 DPL=3 DS [-WA]
FS =00d8 2819b000 ffffffff 008f9300 DPL=0 DS16 [-WA]
GS =00e0 f67f29c0 00000018 00409100 DPL=0 DS [--A]
LDT=0000 00000000 00000000 00008200 DPL=0 LDT
TR =0080 ff803000 0000206b 00008900 DPL=0 TSS32-avl
GDT= f67e2000 000000ff
IDT= ff800000 000007ff
CR0=80050033 CR2=b7f30854 CR3=35403000 CR4=000006d0
DR0=00000000 DR1=00000000 DR2=00000000 DR3=00000000
DR6=ffff0ff0 DR7=00000400
CCS=00000004 CCD=35403000 CCO=EFLAGS
EFER=0000000000000000
Triple fault
Powered by blists - more mailing lists