| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250306155915.342465-2-ardb+git@google.com> Date: Thu, 6 Mar 2025 16:59:16 +0100 From: Ard Biesheuvel <ardb+git@...gle.com> To: linux-kernel@...r.kernel.org Cc: x86@...nel.org, Ard Biesheuvel <ardb@...nel.org>, stable@...r.kernel.org, "H. Peter Anvin" <hpa@...or.com>, "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>, Ulrich Gemkow <ulrich.gemkow@....uni-stuttgart.de> Subject: [PATCH] x86/boot: Sanitize boot params before parsing command line From: Ard Biesheuvel <ardb@...nel.org> The 5-level paging code parses the command line to look for the 'no5lvl' string, and does so very early, before sanitize_boot_params() has been called and has been given the opportunity to wipe bogus data from the fields in boot_params that are not covered by struct setup_header, and are therefore supposed to be initialized to zero by the bootloader. This triggers an early boot crash when using syslinux-efi to boot a recent kernel built with CONFIG_X86_5LEVEL=y and CONFIG_EFI_STUB=n, as the 0xff padding that now fills the unused PE/COFF header is copied into boot_params by the bootloader, and interpreted as the top half of the command line pointer. Fix this by sanitizing the boot_params before use. Note that there is no harm in calling this more than once; subsequent invocations are able to spot that the boot_params have already been cleaned up. Cc: <stable@...r.kernel.org> # v6.1+ Cc: "H. Peter Anvin" <hpa@...or.com> Cc: "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com> Cc: Ulrich Gemkow <ulrich.gemkow@....uni-stuttgart.de> Closes: https://lore.kernel.org/all/202503041549.35913.ulrich.gemkow@ikr.uni-stuttgart.de Signed-off-by: Ard Biesheuvel <ardb@...nel.org> --- arch/x86/boot/compressed/pgtable_64.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/x86/boot/compressed/pgtable_64.c b/arch/x86/boot/compressed/pgtable_64.c index c882e1f67af0..d8c5de40669d 100644 --- a/arch/x86/boot/compressed/pgtable_64.c +++ b/arch/x86/boot/compressed/pgtable_64.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0 #include "misc.h" #include <asm/bootparam.h> +#include <asm/bootparam_utils.h> #include <asm/e820/types.h> #include <asm/processor.h> #include "pgtable.h" @@ -107,6 +108,7 @@ asmlinkage void configure_5level_paging(struct boot_params *bp, void *pgtable) bool l5_required = false; /* Initialize boot_params. Required for cmdline_find_option_bool(). */ + sanitize_boot_params(bp); boot_params_ptr = bp; /* -- 2.48.1.711.g2feabab25a-goog
Powered by blists - more mailing lists