Message-ID: <CAMj1kXFjWBpOij5V3=-9etqTW9p8guqPDCGU3DK0Yxq6zrBiBQ@mail.gmail.com>
Date: Tue, 23 Jul 2024 00:14:29 +0200
From: Ard Biesheuvel <ardb@...nel.org>
To: "Shao, Marshall" <Marshall.Shao@...l.com>
Cc: "linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>, 
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "hpa@...or.com" <hpa@...or.com>, 
	"dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>, "bp@...en8.de" <bp@...en8.de>, 
	"mingo@...hat.com" <mingo@...hat.com>, "tglx@...utronix.de" <tglx@...utronix.de>, 
	"Mishra, Ashish" <Ashish.Mishra4@...l.com>, "Chia, Jia Yuan" <JiaYuan.Chia@...l.com>, 
	"Dion, Christopher" <Christopher.Dion@...l.com>, "Caisse, Joe" <Joe.Caisse@...l.com>, 
	"Mukundan, Govind" <Govind.Mukundan@...l.com>
Subject: Re: [Patch] Do not clear BSS region in x86 stub

On Mon, 22 Jul 2024 at 13:48, Shao, Marshall <Marshall.Shao@...l.com> wrote:
>
> Hi Ard,
>
> > Given that GRUB now supports the native EFI entrypoint properly,
> > the handover protocol is essentially deprecated.
>
> In my case, the systemd-boot jumped into the EFI stub code via
> handover protocol, this may not be an orthodox way to boot the kernel
> but it performs well on the others, I have tested on at least
> 6 firmware.
>

systemd-boot does not implement the EFI handover protocol.
systemd-stub does implement it (for UKIs) but only for kernel versions
v5.8 or older.

The EFI handover protocol is known to be problematic as the loaders
often fail to allocate memory for the entire image, and only allocate
enough pages to load the bzImage itself.

This means that clearing BSS will wipe unrelated memory if the region
after the image happens to be used already. It also means that not
clearing BSS is just a crutch, and the correct fix is to ensure that
systemd-stub allocates the correct number of pages, and clears the
ones that are not covered by the bzImage payload.

> I understand that the handover protocol is going to be deprecated.
> However, as of now, I can't guarantee which EFI loader will be
> used to load my bzImage. Although it’s not very common, booting
> from the handover protocol with uncleaned BSS memory is possible.
>

systemd-boot does not use the EFI handover protocol. Please try to
determine where this confusion comes from: are you using a UKI image
perhaps?

> >> memset(_bss+0x10000, 0, _ebss - _bss - 0x10000)
>
> > So now you are applying the memset only to part of BSS, right? How
> > does this help?
>
> This part doesn't work without increasing the BOOT_STACK_SIZE.
>

... because the 0x10000 value would be incorrect otherwise?

I am trying to understand *why* this particular change works around
the issue. Please elaborate.

My preliminary conclusion here is that your implementation of the EFI
handover protocol (which I fail to understand where it comes from) is
not allocating enough memory. This should be fixed on the bootloader
side, as not clearing the BSS does not prevent this memory from being
corrupted.
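
Added example, not code from the kernel, GRUB or systemd-stub: a loader-side sizing routine that does what the reply above asks for, allocating for the whole image and zeroing the part the bzImage file does not cover. It reads the init_size field of the x86 setup header (file offset 0x260, present from boot protocol 2.10 on, per Documentation/x86/boot.rst) and sizes the allocation from max(file length, init_size) instead of the file length alone. The 4 KiB page size, the use of malloc() in place of AllocatePages(), the 8 KiB test image with a constructed header, and all function names are assumptions made for this illustration.

```c
/* Added example, not kernel or systemd-stub code: size a bzImage
 * allocation from the init_size field of the x86 setup header
 * (Documentation/x86/boot.rst, offset 0x260, boot protocol >= 2.10)
 * rather than from the file length, and zero the part of the
 * allocation the file does not cover. The image bytes are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE      4096u   /* assumed EFI page size */
#define HDR_BOOT_FLAG  0x1fe   /* u16 0xAA55 */
#define HDR_MAGIC      0x202   /* "HdrS" */
#define HDR_VERSION    0x206   /* u16, 0x020a = protocol 2.10 */
#define HDR_INIT_SIZE  0x260   /* u32, memory the kernel needs at its load address */
#define HDR_MIN_LEN    0x264   /* we read up to and including init_size */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Pages a loader must allocate for the image: enough for the larger of the
 * file and init_size, so the BSS/heap/stack region after the payload belongs
 * to the allocation. Returns 0 when the header cannot be trusted (bad
 * signature, or a protocol older than 2.10 and so no init_size field). */
size_t bzimage_pages_needed(const uint8_t *img, size_t len)
{
    if (len < HDR_MIN_LEN) return 0;
    if (rd16(img + HDR_BOOT_FLAG) != 0xAA55) return 0;
    if (memcmp(img + HDR_MAGIC, "HdrS", 4) != 0) return 0;
    if (rd16(img + HDR_VERSION) < 0x020a) return 0;

    uint32_t init_size = rd32(img + HDR_INIT_SIZE);
    size_t need = len > init_size ? len : (size_t)init_size;
    return (need + PAGE_SIZE - 1) / PAGE_SIZE;
}

/* What the problematic loaders do: size the allocation from the file alone. */
size_t naive_pages(size_t len) { return (len + PAGE_SIZE - 1) / PAGE_SIZE; }

/* Copy the image into a correctly sized buffer (malloc stands in for
 * AllocatePages()) and zero the tail, so the stub's BSS clearing only ever
 * touches memory this allocation owns. Caller frees; *pages gets the count. */
uint8_t *load_bzimage(const uint8_t *img, size_t len, size_t *pages)
{
    size_t n = bzimage_pages_needed(img, len);
    if (n == 0) return NULL;
    uint8_t *buf = malloc(n * PAGE_SIZE);
    if (!buf) return NULL;
    memcpy(buf, img, len);
    memset(buf + len, 0, n * PAGE_SIZE - len);   /* bytes no file data covers */
    *pages = n;
    return buf;
}

/* Constructed test image: file_len bytes of 0xAB filler plus a minimal header. */
static uint8_t demo_image[8192];
size_t build_demo_image(size_t file_len, uint32_t init_size, uint16_t version)
{
    if (file_len > sizeof demo_image || file_len < HDR_MIN_LEN) return 0;
    memset(demo_image, 0xAB, file_len);
    wr16(demo_image + HDR_BOOT_FLAG, 0xAA55);
    memcpy(demo_image + HDR_MAGIC, "HdrS", 4);
    wr16(demo_image + HDR_VERSION, version);
    wr32(demo_image + HDR_INIT_SIZE, init_size);
    return file_len;
}

/* Worked case: an 8 KiB file advertising the given init_size and protocol. */
size_t demo_pages_needed(uint32_t init_size, uint16_t version)
{
    size_t len = build_demo_image(sizeof demo_image, init_size, version);
    return len ? bzimage_pages_needed(demo_image, len) : 0;
}

/* 1 if the loaded buffer keeps the payload intact and zeroes everything past it. */
int demo_tail_zeroed(void)
{
    size_t len = build_demo_image(sizeof demo_image, 0x10000, 0x020a), pages = 0;
    uint8_t *buf = load_bzimage(demo_image, len, &pages);
    if (!buf) return 0;
    int ok = buf[len - 1] == 0xAB && buf[len] == 0 && buf[pages * PAGE_SIZE - 1] == 0;
    free(buf);
    return ok;
}

int main(void)
{
    printf("file-only loader: %zu pages, init_size-aware loader: %zu pages\n",
           naive_pages(sizeof demo_image), demo_pages_needed(0x10000, 0x020a));
    printf("tail zeroed: %s\n", demo_tail_zeroed() ? "yes" : "no");
    return 0;
}
```

The contrast the reply draws is visible in the two page counts: for an 8 KiB file whose header asks for 64 KiB of runtime memory, naive_pages() allocates 2 pages and leaves the kernel's BSS in whatever happens to follow, while bzimage_pages_needed() allocates 16 and load_bzimage() zeroes the 14 pages the file never wrote, so skipping the memset in the stub would gain nothing. A loader that cannot read init_size (protocol older than 2.10) gets 0 back and should refuse rather than guess.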
