lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20220715225123.GA2177570@roeck-us.net>
Date:   Fri, 15 Jul 2022 15:51:23 -0700
From:   Guenter Roeck <linux@...ck-us.net>
To:     Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
Cc:     linux-kernel@...r.kernel.org, linux-efi@...r.kernel.org,
        x86@...nel.org, ardb@...nel.org, tglx@...utronix.de,
        gregkh@...uxfoundation.org, torvalds@...ux-foundation.org,
        Peter Zijlstra <peterz@...radead.org>,
        Borislav Petkov <bp@...e.de>,
        Josh Poimboeuf <jpoimboe@...nel.org>, stable@...r.kernel.org
Subject: Re: [PATCH] efi/x86: use naked RET on mixed mode call wrapper

On Fri, Jul 15, 2022 at 04:45:50PM -0300, Thadeu Lima de Souza Cascardo wrote:
> When running with return thunks enabled under 32-bit EFI, the system
> crashes with:
> 
> [    0.137688] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
> [    0.138136] BUG: unable to handle page fault for address: 000000005bc02900
> [    0.138136] #PF: supervisor instruction fetch in kernel mode
> [    0.138136] #PF: error_code(0x0011) - permissions violation
> [    0.138136] PGD 18f7063 P4D 18f7063 PUD 18ff063 PMD 190e063 PTE 800000005bc02063
> [    0.138136] Oops: 0011 [#1] PREEMPT SMP PTI
> [    0.138136] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.19.0-rc6+ #166
> [    0.138136] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
> [    0.138136] RIP: 0010:0x5bc02900
> [    0.138136] Code: Unable to access opcode bytes at RIP 0x5bc028d6.
> [    0.138136] RSP: 0018:ffffffffb3203e10 EFLAGS: 00010046
> [    0.138136] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000048
> [    0.138136] RDX: 000000000190dfac RSI: 0000000000001710 RDI: 000000007eae823b
> [    0.138136] RBP: ffffffffb3203e70 R08: 0000000001970000 R09: ffffffffb3203e28
> [    0.138136] R10: 747563657865206c R11: 6c6977203a696665 R12: 0000000000001710
> [    0.138136] R13: 0000000000000030 R14: 0000000001970000 R15: 0000000000000001
> [    0.138136] FS:  0000000000000000(0000) GS:ffff8e013ca00000(0000) knlGS:0000000000000000
> [    0.138136] CS:  0010 DS: 0018 ES: 0018 CR0: 0000000080050033
> [    0.138136] CR2: 000000005bc02900 CR3: 0000000001930000 CR4: 00000000000006f0
> [    0.138136] Call Trace:
> [    0.138136]  <TASK>
> [    0.138136]  ? efi_set_virtual_address_map+0x9c/0x175
> [    0.138136]  efi_enter_virtual_mode+0x4a6/0x53e
> [    0.138136]  start_kernel+0x67c/0x71e
> [    0.138136]  x86_64_start_reservations+0x24/0x2a
> [    0.138136]  x86_64_start_kernel+0xe9/0xf4
> [    0.138136]  secondary_startup_64_no_verify+0xe5/0xeb
> [    0.138136]  </TASK>
> 
> That's because it cannot jump to the return thunk from the 32-bit code.
> Using a naked RET and marking it as safe allows the system to proceed
> booting.
> 
> Fixes: aa3d480315ba ("x86: Use return-thunk in asm code")
> Reported-by: Guenter Roeck <linux@...ck-us.net>
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
> Cc: Peter Zijlstra (Intel) <peterz@...radead.org>
> Cc: Borislav Petkov <bp@...e.de>
> Cc: Josh Poimboeuf <jpoimboe@...nel.org>
> Cc: <stable@...r.kernel.org>

No more crashes with this patch applies on top of the mainline kernel
(sha e5d523f1ae8f).

Tested-by: Guenter Roeck <linux@...ck-us.net>

Guenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ