| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aKGkrSWUA8BTYniZ@wunner.de>
Date: Sun, 17 Aug 2025 11:45:17 +0200
From: Lukas Wunner <lukas@...ner.de>
To: Tomita Moeko <tomitamoeko@...il.com>
Cc: Bjorn Helgaas <bhelgaas@...gle.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
"H. Peter Anvin" <hpa@...or.com>, linux-pci@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH RESEND] x86/pci: Check signature before assigning shadow
ROM
On Sat, Aug 16, 2025 at 12:20:41AM +0800, Tomita Moeko wrote:
> Modern platforms without VBIOS or UEFI CSM support do not contain
> VGA ROM at 0xC0000, this is observed on Intel Ice Lake and later
> systems. Check whether the VGA ROM region is a valid PCI option ROM
> with 0xAA55 signature before assigning the shadow ROM to device.
Which spec is the 0xAA55 magic number coming from?
Could you add a spec reference for it in a code comment and the
commit message?
I note that arch/x86/kernel/probe_roms.c contains ...
#define ROMSIGNATURE 0xaa55
... and a function romsignature() to check the signature.
I'm wondering why that existing check isn't sufficient?
Why is it necessary to check again elsewhere?
> +++ b/arch/x86/pci/fixup.c
> @@ -317,6 +317,7 @@ static void pci_fixup_video(struct pci_dev *pdev)
> struct pci_bus *bus;
> u16 config;
> struct resource *res;
> + void __iomem *rom;
>
> /* Is VGA routed to us? */
> bus = pdev->bus;
> @@ -338,9 +339,12 @@ static void pci_fixup_video(struct pci_dev *pdev)
> }
> bus = bus->parent;
> }
> - if (!vga_default_device() || pdev == vga_default_device()) {
> +
> + rom = ioremap(0xC0000, 0x20000);
There's a code comment preceding pci_fixup_video() which says that
"BIOS [is] copied to 0xC0000 in system RAM". So this isn't MMIO,
it's system memory and you can use memremap() instead if ioremap().
Since you're only interested in the first two bytes, you don't need
to map the whole 0x20000 bytes.
Instead of amending the if-condition ...
> + if (rom && (!vga_default_device() || pdev == vga_default_device())) {
> pci_read_config_word(pdev, PCI_COMMAND, &config);
> - if (config & (PCI_COMMAND_IO | PCI_COMMAND_MEMORY)) {
> + if ((config & (PCI_COMMAND_IO | PCI_COMMAND_MEMORY)) &&
> + (readw(rom) == 0xAA55)) {
> res = &pdev->resource[PCI_ROM_RESOURCE];
... you could just return on failure to find a valid signature, i.e.:
+ rom = memremap(0xC0000, sizeof(sig), MEMREMAP_WB);
+ if (!rom)
+ return;
+
+ memcpy(&sig, rom, sizeof(sig));
+ memunmap(rom);
+ if (sig != 0xAA55)
+ return;
May want to emit an error on failure to memremap().
Amending the if-condition makes it messier to find an offending commit
with "git blame" (more iterations needed). And returning early reduces
indentation levels per section 1 of Documentation/process/coding-style.rst.
Thanks,
Lukas
Powered by blists - more mailing lists