From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Arvind Sankar, Borislav Petkov, Sasha Levin
Subject: [PATCH 4.9 085/128] x86/boot: Correct relocation destination on old linkers
Date: Fri, 19 Jun 2020 16:32:59 +0200
Message-Id: <20200619141624.641677744@linuxfoundation.org>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200619141620.148019466@linuxfoundation.org>
References: <20200619141620.148019466@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Arvind Sankar

[ Upstream commit 5214028dd89e49ba27007c3ee475279e584261f0 ]

For the 32-bit kernel, as described in 6d92bc9d483a ("x86/build: Build
compressed x86 kernels as PIE"), pre-2.26 binutils generates R_386_32
relocations in PIE mode. Since the startup code does not perform relocation,
any reloc entry with R_386_32 will remain as 0 in the executing code.

Commit 974f221c84b0 ("x86/boot: Move compressed kernel to the end of the
decompression buffer") added a new symbol _end but did not mark it hidden,
which doesn't give the correct offset on older linkers. This causes the
compressed kernel to be copied beyond the end of the decompression buffer,
rather than flush against it. This region of memory may be reserved or
already allocated for other purposes by the bootloader.

Mark _end as hidden to fix. This changes the relocation from R_386_32 to
R_386_RELATIVE even on the pre-2.26 binutils.

For 64-bit, this is not strictly necessary, as the 64-bit kernel is only
built as PIE if the linker supports -z noreloc-overflow, which implies
binutils-2.27+, but for consistency, mark _end as hidden here too.

The below illustrates the before/after impact of the patch using
binutils-2.25 and gcc-4.6.4 (locally compiled from source) and QEMU.
Disassembly before patch:

  48:   8b 86 60 02 00 00       mov    0x260(%esi),%eax
  4e:   2d 00 00 00 00          sub    $0x0,%eax
                        4f: R_386_32    _end

Disassembly after patch:

  48:   8b 86 60 02 00 00       mov    0x260(%esi),%eax
  4e:   2d 00 f0 76 00          sub    $0x76f000,%eax
                        4f: R_386_RELATIVE      *ABS*

Dump from extract_kernel before patch:

early console in extract_kernel
input_data: 0x0207c098 <--- this is at output + init_size
input_len: 0x0074fef1
output: 0x01000000
output_len: 0x00fa63d0
kernel_total_size: 0x0107c000
needed_size: 0x0107c000

Dump from extract_kernel after patch:

early console in extract_kernel
input_data: 0x0190d098 <--- this is at output + init_size - _end
input_len: 0x0074fef1
output: 0x01000000
output_len: 0x00fa63d0
kernel_total_size: 0x0107c000
needed_size: 0x0107c000

Fixes: 974f221c84b0 ("x86/boot: Move compressed kernel to the end of the decompression buffer")
Signed-off-by: Arvind Sankar
Signed-off-by: Borislav Petkov
Link: https://lkml.kernel.org/r/20200207214926.3564079-1-nivedita@alum.mit.edu
Signed-off-by: Sasha Levin
---
 arch/x86/boot/compressed/head_32.S | 5 +++--
 arch/x86/boot/compressed/head_64.S | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S
index 7532f6f53677..93f41b4f05ce 100644
--- a/arch/x86/boot/compressed/head_32.S
+++ b/arch/x86/boot/compressed/head_32.S
@@ -48,16 +48,17 @@ * Position Independent Executable (PIE) so that linker won't optimize * R_386_GOT32X relocation to its fixed symbol address. Older * linkers generate R_386_32 relocations against locally defined symbols, - * _bss, _ebss, _got and _egot, in PIE. It isn't wrong, just less + * _bss, _ebss, _got, _egot and _end, in PIE. It isn't wrong, just less * optimal than R_386_RELATIVE. But the x86 kernel fails to properly handle * R_386_32 relocations when relocating the kernel. To generate - * R_386_RELATIVE relocations, we mark _bss, _ebss, _got and _egot as + * R_386_RELATIVE relocations, we mark _bss, _ebss, _got, _egot and _end as * hidden: */ .hidden _bss .hidden _ebss .hidden _got .hidden _egot + .hidden _end __HEAD ENTRY(startup_32) diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S index 3fac2d133e4e..d096bcfcb3f6 100644 --- a/arch/x86/boot/compressed/head_64.S +++ b/arch/x86/boot/compressed/head_64.S @@ -40,6 +40,7 @@ .hidden _ebss .hidden _got .hidden _egot + .hidden _end __HEAD .code32 -- 2.25.1
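Review bot: the head_32.S hunk has to edit two separate sentences of the comment just to add _end to a hand-maintained symbol list, and that list is the only thing reminding the next contributor to mark a new symbol hidden. The failure is silent otherwise: as the commit message shows, an unhidden symbol leaves an R_386_32 reloc that stays 0 at run time and the compressed kernel is copied past the decompression buffer. Consider stating the rule once ("every locally defined symbol the startup code references must be marked hidden") instead of listing names, and adding a link-time check that no R_386_32 relocations remain in the compressed vmlinux, so the mistake is caught at build time rather than by a memory overlap in the bootloader.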
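Review bot: the head_64.S hunk adds `.hidden _end` with no accompanying comment change, while the head_32.S hunk updates its explanation. Since the commit message says the 64-bit change is for consistency only (the 64-bit kernel is built as PIE only when the linker supports -z noreloc-overflow, i.e. binutils-2.27+), a one-line comment next to the new directive saying so would stop a future reader from either removing it as unnecessary or assuming 64-bit suffers the same R_386_32 problem.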
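As an added example that is not part of this patch or the kernel tree, a Python check for the failure mode described in the commit message: it scans objdump -dr output for R_386_32 relocations left in the 32-bit startup code, and works out the copy destination before and after the fix from the dump values. The listing is constructed from the disassembly above; init_size is assumed to equal the kernel_total_size/needed_size in the dump, and the dump's input_data values are taken to be these destinations plus the payload's fixed offset within the copied image.

```python
import re

# Constructed sample of `objdump -dr` output, modelled on the before/after
# listings in the commit message (not captured from a real build).
DISASM_BEFORE = """\
  48:   8b 86 60 02 00 00       mov    0x260(%esi),%eax
  4e:   2d 00 00 00 00          sub    $0x0,%eax
                        4f: R_386_32    _end
"""
DISASM_AFTER = """\
  48:   8b 86 60 02 00 00       mov    0x260(%esi),%eax
  4e:   2d 00 f0 76 00          sub    $0x76f000,%eax
                        4f: R_386_RELATIVE      *ABS*
"""

# A relocation line as objdump -dr prints it: "<offset>: <type> <symbol>".
RELOC_RE = re.compile(r"^\s*([0-9a-f]+):\s+(R_386_\w+)\s+(\S+)\s*$")


def absolute_relocs(disasm):
    """Return (offset, symbol) for every R_386_32 relocation in the listing.

    The 32-bit startup code performs no relocation, so an R_386_32 entry that
    survives linking is left as 0 when the code runs; an empty result is what a
    PIE-built compressed kernel linked with old binutils should look like.
    """
    found = []
    for line in disasm.splitlines():
        m = RELOC_RE.match(line)
        if m and m.group(2) == "R_386_32":
            found.append((int(m.group(1), 16), m.group(3)))
    return found


def copy_destination(output, init_size, end_value):
    """Where head_32.S copies the compressed image: output + init_size - _end.

    end_value is what the `sub` immediate holds at run time: the resolved _end
    after the fix, or 0 when the R_386_32 relocation was never applied.
    """
    return output + init_size - end_value


if __name__ == "__main__":
    for name, listing in (("before", DISASM_BEFORE), ("after", DISASM_AFTER)):
        print(name, "unapplied R_386_32 relocs:", absolute_relocs(listing))
    # Values from the extract_kernel dump; init_size assumed equal to the
    # kernel_total_size/needed_size shown there (an assumption, not a dump field).
    output, init_size, end = 0x01000000, 0x0107c000, 0x76f000
    print("before: %#x (init_size past output)" % copy_destination(output, init_size, 0))
    print("after:  %#x (image ends flush at output + init_size)" % copy_destination(output, init_size, end))
```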