| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251022220755.1026144-3-usamaarif642@gmail.com>
Date: Wed, 22 Oct 2025 23:06:26 +0100
From: Usama Arif <usamaarif642@...il.com>
To: dwmw@...zon.co.uk,
tglx@...utronix.de,
mingo@...hat.com,
bp@...en8.de,
dave.hansen@...ux.intel.com,
ardb@...nel.org,
hpa@...or.com
Cc: x86@...nel.org,
apopple@...dia.com,
thuth@...hat.com,
nik.borisov@...e.com,
kas@...nel.org,
linux-kernel@...r.kernel.org,
linux-efi@...r.kernel.org,
kernel-team@...a.com,
Usama Arif <usamaarif642@...il.com>,
Michael van der Westhuizen <rmikey@...a.com>,
Tobias Fleig <tfleig@...a.com>
Subject: [PATCH 2/3] efi/libstub: Fix page table access in 5-level to 4-level paging transition
When transitioning from 5-level to 4-level paging, the existing code
incorrectly accesses page table entries by directly dereferencing CR3
and applying PAGE_MASK. This approach has several issues:
- __native_read_cr3() returns the raw CR3 register value, which on
x86_64 includes not just the physical address but also flags Bits
above the physical address width of the system (i.e. above
__PHYSICAL_MASK_SHIFT) are also not masked.
- The pgd value is masked by PAGE_SIZE which doesn't take into account
the higher bits such as _PAGE_BIT_NOPTISHADOW.
Replace this with proper accessor functions:
- read_cr3_pa(): Uses CR3_ADDR_MASK properly clearing SME encryption bit
and extracting only the physical address portion.
- mask pgd value with PTE_PFN_MASK instead of PAGE_MASK, accounting for
flags above physical address (_PAGE_BIT_NOPTISHADOW in particular).
Fixes: cb1c9e02b0c1 ("x86/efistub: Perform 4/5 level paging switch from the stub")
Co-developed-by: Kiryl Shutsemau <kas@...nel.org>
Signed-off-by: Kiryl Shutsemau <kas@...nel.org>
Signed-off-by: Usama Arif <usamaarif642@...il.com>
Reported-by: Michael van der Westhuizen <rmikey@...a.com>
Reported-by: Tobias Fleig <tfleig@...a.com>
---
drivers/firmware/efi/libstub/x86-5lvl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/firmware/efi/libstub/x86-5lvl.c b/drivers/firmware/efi/libstub/x86-5lvl.c
index f1c5fb45d5f7c..34b72da457487 100644
--- a/drivers/firmware/efi/libstub/x86-5lvl.c
+++ b/drivers/firmware/efi/libstub/x86-5lvl.c
@@ -81,8 +81,11 @@ void efi_5level_switch(void)
new_cr3 = memset(pgt, 0, PAGE_SIZE);
new_cr3[0] = (u64)cr3 | _PAGE_TABLE_NOENC;
} else {
+ pgd_t *pgdp;
+
+ pgdp = (pgd_t *)read_cr3_pa();
/* take the new root table pointer from the current entry #0 */
- new_cr3 = (u64 *)(cr3[0] & PAGE_MASK);
+ new_cr3 = (u64 *)(pgd_val(pgdp[0]) & PTE_PFN_MASK);
/* copy the new root table if it is not 32-bit addressable */
if ((u64)new_cr3 > U32_MAX)
--
2.47.3
Powered by blists - more mailing lists