| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <174129681612.14745.2037949092408216187.tip-bot2@tip-bot2> Date: Thu, 06 Mar 2025 21:33:35 -0000 From: "tip-bot2 for Ard Biesheuvel" <tip-bot2@...utronix.de> To: linux-tip-commits@...r.kernel.org Cc: Ard Biesheuvel <ardb@...nel.org>, Ingo Molnar <mingo@...nel.org>, "H. Peter Anvin" <hpa@...or.com>, Linus Torvalds <torvalds@...ux-foundation.org>, <stable@...r.kernel.org>, x86@...nel.org, linux-kernel@...r.kernel.org Subject: [tip: x86/urgent] x86/boot: Sanitize boot params before parsing command line The following commit has been merged into the x86/urgent branch of tip: Commit-ID: c00b413a96261faef4ce22329153c6abd4acef25 Gitweb: https://git.kernel.org/tip/c00b413a96261faef4ce22329153c6abd4acef25 Author: Ard Biesheuvel <ardb@...nel.org> AuthorDate: Thu, 06 Mar 2025 16:59:16 +01:00 Committer: Ingo Molnar <mingo@...nel.org> CommitterDate: Thu, 06 Mar 2025 22:02:39 +01:00 x86/boot: Sanitize boot params before parsing command line The 5-level paging code parses the command line to look for the 'no5lvl' string, and does so very early, before sanitize_boot_params() has been called and has been given the opportunity to wipe bogus data from the fields in boot_params that are not covered by struct setup_header, and are therefore supposed to be initialized to zero by the bootloader. This triggers an early boot crash when using syslinux-efi to boot a recent kernel built with CONFIG_X86_5LEVEL=y and CONFIG_EFI_STUB=n, as the 0xff padding that now fills the unused PE/COFF header is copied into boot_params by the bootloader, and interpreted as the top half of the command line pointer. Fix this by sanitizing the boot_params before use. Note that there is no harm in calling this more than once; subsequent invocations are able to spot that the boot_params have already been cleaned up. Signed-off-by: Ard Biesheuvel <ardb@...nel.org> Signed-off-by: Ingo Molnar <mingo@...nel.org> Cc: "H. Peter Anvin" <hpa@...or.com> Cc: Linus Torvalds <torvalds@...ux-foundation.org> Cc: <stable@...r.kernel.org> # v6.1+ Link: https://lore.kernel.org/r/20250306155915.342465-2-ardb+git@google.com Closes: https://lore.kernel.org/all/202503041549.35913.ulrich.gemkow@ikr.uni-stuttgart.de --- arch/x86/boot/compressed/pgtable_64.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/x86/boot/compressed/pgtable_64.c b/arch/x86/boot/compressed/pgtable_64.c index c882e1f..d8c5de4 100644 --- a/arch/x86/boot/compressed/pgtable_64.c +++ b/arch/x86/boot/compressed/pgtable_64.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0 #include "misc.h" #include <asm/bootparam.h> +#include <asm/bootparam_utils.h> #include <asm/e820/types.h> #include <asm/processor.h> #include "pgtable.h" @@ -107,6 +108,7 @@ asmlinkage void configure_5level_paging(struct boot_params *bp, void *pgtable) bool l5_required = false; /* Initialize boot_params. Required for cmdline_find_option_bool(). */ + sanitize_boot_params(bp); boot_params_ptr = bp; /*
Powered by blists - more mailing lists