| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Aug 2023 10:18:38 +0200
From: Thomas Gleixner <tglx@...utronix.de>
To: Borislav Petkov <bp@...en8.de>
Cc: X86 ML <x86@...nel.org>, LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] lib/earlycpio: Mark find_cpio_data() __no_stack_protector
On Wed, Aug 16 2023 at 12:02, Borislav Petkov wrote:
> From: "Borislav Petkov (AMD)" <bp@...en8.de>
>
> find_cpio_data() is called by the 32-bit x86 microcode loader while
> paging is not yet enabled and the CPU is running off physical addresses.
> However, when stack protector is enabled, the compiler adds the stack
> protection check for this function:
There are a lot more functions which have the same problem.
It's completely unclear to me how this is supposed to work at that point
where paging is disabled.
The stackprotector does:
321: 64 8b 35 00 00 00 00 mov %fs:0xc2686834,%esi
328: 89 75 f0 mov %esi,-0x10(%ebp)
....
531: 8b 75 f0 mov -0x10(%ebp),%esi
534: 64 2b 35 00 00 00 00 sub %fs:c2686834,%esi
53b: 0f 85 42 01 00 00 jne 683
c2686834 is the compile time address of __stack_chk_guard, which is a
per CPU variable.
%fs is __DS_BOOT at that point which uses the boot GDT. __DS_BOOT is 4GB
data rw segment.
So this reads from some random place in memory or if there is not big
enough memory it either reads from an alias address or just whatever the
hardware decides to read from the void.
IOW, this just works by chance, but certainly not by any form of design.
Not sure what to do about that.
Thanks,
tglx
Powered by blists - more mailing lists