| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <24908710-09f6-da2a-d821-58a81c572f6c@zytor.com>
Date: Sat, 31 Dec 2022 20:33:59 -0800
From: "H. Peter Anvin" <hpa@...or.com>
To: "Jason A. Donenfeld" <Jason@...c4.com>,
Borislav Petkov <bp@...en8.de>
Cc: pbonzini@...hat.com, ebiggers@...nel.org, x86@...nel.org,
linux-kernel@...r.kernel.org, qemu-devel@...gnu.org,
ardb@...nel.org, kraxel@...hat.com, philmd@...aro.org
Subject: Re: [PATCH qemu] x86: don't let decompressed kernel image clobber
setup_data
On 12/31/22 10:22, Jason A. Donenfeld wrote:
> On Sat, Dec 31, 2022 at 03:24:32PM +0100, Borislav Petkov wrote:
>> On Sat, Dec 31, 2022 at 02:51:28PM +0100, Jason A. Donenfeld wrote:
>>> That failure is unrelated to the ident mapping issue Peter and
>>> I discussed. The original failure is described in the commit message:
>>> decompression clobbers the data, so sd->next points to garbage.
>>
>> Right
>
> So with that understanding confirmed, I'm confused at your surprise that
> hpa's unrelated fix to the different issue didn't fix this issue.
>
If decompression does clobber the data, then we *also* need to figure
out why that is. There are basically three possibilities:
1. If physical KASLR is NOT used:
a. The boot loader doesn't honor the kernel safe area properly;
b. Somewhere in the process a bug in the calculation of the
kernel safe area has crept in.
2. If physical KASLR IS used:
The decompressor doesn't correctly keep track of nor relocate
all the keep-out zones before picking a target address.
One is a bootloader bug, two is a kernel bug. My guess is (2) is the
culprit, but (1b) should be checked, too.
-hpa
Powered by blists - more mailing lists