Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp3418899ybl; Sun, 8 Dec 2019 14:51:00 -0800 (PST) X-Google-Smtp-Source: APXvYqzNqlN/fjd6gm6ul+FEQv0Sz3O/sG7VNdk9jl5GPeJspj6Z1DbWRszUegy4NoPKVAz3GHe0 X-Received: by 2002:a05:6830:1e7c:: with SMTP id m28mr19851235otr.131.1575845460888; Sun, 08 Dec 2019 14:51:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1575845460; cv=none; d=google.com; s=arc-20160816; b=zL88PiohshnZW1n5r/1OB42mLJ7nZMpTmqjq8J51PykmDEjaBPWBu3kZG7W4FgrV8U 15A9212oStMSUxswVhMz2u5NZdlOlj2dmqYB+Ffuu+vLKnCMmoMWJ3UuKIZprkymUNGz nWEXbhK5BPMbm1qdJykVPVl2Dl6jCIGHcKYO5V2xrwntkifKUt/YIhg5lfhlnrFHzpXS LW/MvAsA8hZ8yMpk1ShUZEw0Xl9jaMosEio/NDJGikZl2/yV3L85n1bZ8WKKPmLDLbqk 93/Pl1U4NgW37Kv/M/10Kcyqz8VFiiSFAwTNTcfBKcDEhZPa1VIl169A3rawU/fhueG2 RO3g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:from:cc:to:subject :content-transfer-encoding:mime-version:references:in-reply-to :user-agent:date:dkim-signature:dkim-filter; bh=0j4XwvkeiVxl2ckN6DsMNci+NMWig7UFR8cpbVjYAcs=; b=zppqkBjj0q6H8jnMe9gAZ04nmRfjKRVbW2bj5ZDAx84qPG6Eh4K408WofcBsPx61zi l+4s8WKln81iecCmcsu/1hMHzkgWZSHTcQqFaRqpT/ZLX95vlcDt47TQ3VCWKDaa1zC3 xBAI38Al8fhau2L63t5+08ItbygLHUWFDhb58299IWy9i7uJSxRy4nL8m02DmoviEm4K siDJy3nCQwX3dXjsM5UZc9AWbrmPmjeMsDm2tMEbz0MY2eFaGyr80ZARO1WJ+cpq+bWB xrQD0X8LKFErrL+NYcJDDc4my9X9Ir67b0BGqpFyWCuS5rvNXt2TQeRmpMV4y2zqlySy Vh4A== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@zytor.com header.s=2019111901 header.b=0gfvgn+D; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=zytor.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x193si10927362oia.131.2019.12.08.14.50.49; Sun, 08 Dec 2019 14:51:00 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@zytor.com header.s=2019111901 header.b=0gfvgn+D; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=zytor.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726839AbfLHWsP (ORCPT + 99 others); Sun, 8 Dec 2019 17:48:15 -0500 Received: from terminus.zytor.com ([198.137.202.136]:41749 "EHLO mail.zytor.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726806AbfLHWsP (ORCPT ); Sun, 8 Dec 2019 17:48:15 -0500 Received: from [10.4.50.147] (50-193-22-81-static.hfc.comcastbusiness.net [50.193.22.81]) (authenticated bits=0) by mail.zytor.com (8.15.2/8.15.2) with ESMTPSA id xB8MlQjN3526742 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Sun, 8 Dec 2019 14:47:26 -0800 DKIM-Filter: OpenDKIM Filter v2.11.0 mail.zytor.com xB8MlQjN3526742 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zytor.com; s=2019111901; t=1575845247; bh=0j4XwvkeiVxl2ckN6DsMNci+NMWig7UFR8cpbVjYAcs=; h=Date:In-Reply-To:References:Subject:To:CC:From:From; b=0gfvgn+DKpe+7VF55vAyC943bk53Jo6fIXUPgSCJ9CQRoxaI1WhKBpOjleUfqhAQA vaAGgKtJDMEudcEBer4wzpWAmZ5KNMQXaU+qimT87eYfU77imaGXDpn33/kzXrA9VP iktTKbf7qvziytH1UL4crOBPiMT7X/Nq0SlTj0iCjdk90Lj05d7VZi14deRugaAsf9 DwY9LMLEr5O02efWa/sv1aw6dA4RE5zk5qAh3XTp9KsBoviT2CHlW3TyGS/gn6f4Rs DykYZPz/sPKSovl0auZDWDUD7iOzZ9POtVA+bTtBs3tPyKODxYJk0yUZzkUOTTDbHn Z88f+t4EwBdxw== Date: Sun, 08 Dec 2019 14:47:22 -0800 User-Agent: K-9 Mail for Android In-Reply-To: <20191208224357.ex5uxseu45og7s37@tomti.i.net-space.pl> References: <20191202172939.29271-1-daniel.kiper@oracle.com> <20191208224357.ex5uxseu45og7s37@tomti.i.net-space.pl> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Subject: Re: [GRUB PATCH 1/1] loader/i386/linux: Fix an underflow in the setup_header length calculation To: Daniel Kiper , grub-devel@gnu.org, linux-kernel@vger.kernel.org, x86@kernel.org CC: bp@alien8.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, mingo@redhat.com, phcoder@gmail.com, rdunlap@infradead.org, ross.philipson@oracle.com, krystian.hebel@3mdeb.com, maciej.pijanowski@3mdeb.com, michal.zygowski@3mdeb.com, piotr.krol@3mdeb.com From: hpa@zytor.com Message-ID: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On December 8, 2019 2:43:57 PM PST, Daniel Kiper wrote: >Hmmm=2E=2E=2E Nobody cares? Strange=2E=2E=2E > >Adding 3mdeb folks=2E=2E=2E > >Daniel > >On Mon, Dec 02, 2019 at 06:29:39PM +0100, Daniel Kiper wrote: >> Recent work around x86 Linux kernel loader revealed an underflow in >the >> setup_header length calculation and another related issue=2E Both lead >to >> the memory overwrite and later machine crash=2E >> >> Currently when the GRUB copies the setup_header into the linux_params >> (struct boot_params, traditionally known as "zero page") it assumes >the >> setup_header size as sizeof(linux_i386_kernel_header/lh)=2E This is >> incorrect=2E It should use the value calculated accordingly to the >Linux >> kernel boot protocol=2E Otherwise in case of pretty old kernel, to be >> exact Linux kernel boot protocol, the GRUB may write more into >> linux_params than it was expected to=2E Fortunately this is not very >big >> issue=2E Though it has to be fixed=2E However, there is also an underfl= ow >> which is grave=2E It happens when >> >> sizeof(linux_i386_kernel_header/lh) > "real size of the >setup_header"=2E >> >> Then len value wraps around and grub_file_read() reads whole kernel >into >> the linux_params overwriting memory past it=2E This leads to the GRUB >> memory allocator breakage and finally to its crash during boot=2E >> >> The patch fixes both issues=2E Additionally, it moves the code not >related to >> >grub_memset(linux_params)/grub_memcpy(linux_params)/grub_file_read(linux_= params) >> section outside of it to not confuse the reader=2E >> >> Signed-off-by: Daniel Kiper >> --- >> grub-core/loader/i386/linux=2Ec | 15 ++++++++------- >> 1 file changed, 8 insertions(+), 7 deletions(-) >> >> diff --git a/grub-core/loader/i386/linux=2Ec >b/grub-core/loader/i386/linux=2Ec >> index d0501e229=2E=2Eee95cd374 100644 >> --- a/grub-core/loader/i386/linux=2Ec >> +++ b/grub-core/loader/i386/linux=2Ec >> @@ -761,17 +761,12 @@ grub_cmd_linux (grub_command_t cmd >__attribute__ ((unused)), >> goto fail; >> >> grub_memset (&linux_params, 0, sizeof (linux_params)); >> - grub_memcpy (&linux_params=2Esetup_sects, &lh=2Esetup_sects, sizeof >(lh) - 0x1F1); >> - >> - linux_params=2Ecode32_start =3D prot_mode_target + lh=2Ecode32_start= - >GRUB_LINUX_BZIMAGE_ADDR; >> - linux_params=2Ekernel_alignment =3D (1 << align); >> - linux_params=2Eps_mouse =3D linux_params=2Epadding10 =3D 0; >> >> /* >> * The Linux 32-bit boot protocol defines the setup header end >> * to be at 0x202 + the byte value at 0x201=2E >> */ >> - len =3D 0x202 + *((char *) &linux_params=2Ejump + 1); >> + len =3D 0x202 + *((char *) &lh=2Ejump + 1); >> >> /* Verify the struct is big enough so we do not write past the >end=2E */ >> if (len > (char *) &linux_params=2Eedd_mbr_sig_buffer - (char *) >&linux_params) { >> @@ -779,10 +774,13 @@ grub_cmd_linux (grub_command_t cmd >__attribute__ ((unused)), >> goto fail; >> } >> >> + grub_memcpy (&linux_params=2Esetup_sects, &lh=2Esetup_sects, len - >0x1F1); >> + >> /* We've already read lh so there is no need to read it second >time=2E */ >> len -=3D sizeof(lh); >> >> - if (grub_file_read (file, (char *) &linux_params + sizeof (lh), >len) !=3D len) >> + if ((len > 0) && >> + (grub_file_read (file, (char *) &linux_params + sizeof (lh), >len) !=3D len)) >> { >> if (!grub_errno) >> grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"), >> @@ -790,6 +788,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ >((unused)), >> goto fail; >> } >> >> + linux_params=2Ecode32_start =3D prot_mode_target + lh=2Ecode32_start= - >GRUB_LINUX_BZIMAGE_ADDR; >> + linux_params=2Ekernel_alignment =3D (1 << align); >> + linux_params=2Eps_mouse =3D linux_params=2Epadding10 =3D 0; >> linux_params=2Etype_of_loader =3D GRUB_LINUX_BOOT_LOADER_TYPE; >> >> /* These two are used (instead of cmd_line_ptr) by older versions >of Linux, >> -- >> 2=2E11=2E0 Please fix these problems=2E It is a huge headache for us in the kennel co= mmunity=2E --=20 Sent from my Android device with K-9 Mail=2E Please excuse my brevity=2E