Subject: Re: Dell Dimension 8300 reboots when grub2 cbfs module is loaded
To: The development of GNU GRUB
References: <56362757.3070801@gmail.com> <5638E9F5.3030403@gmail.com>
From: Andrei Borzenkov
Message-ID: <5638EB78.6010501@gmail.com>
Date: Tue, 3 Nov 2015 20:14:32 +0300

03.11.2015 20:10, Vladimir 'phcoder' Serbinenko writes:
> Which platform is it? i386-pc, i386-efi or x86_64-efi? The behavior is
> actually well defined, just different between cpu modes

i386-pc

> On 3 Nov 2015 6:08 PM, "Andrei Borzenkov" wrote:
>
>> 03.11.2015 19:28, Vladimir 'phcoder' Serbinenko writes:
>>
>>> The code itself looks good but I'd like more details. Reading 0xffffffff
>>> shouldn't cause reboot. Why does it?
>>>
>>
>> That I do not know, nor do I have access to the system in question myself. I
>> sent the user a patch that modified validate_header to do each comparison as
>> an individual statement and added line by line debug prints (fortunately it was
>> possible to connect a serial port and capture output), and the last line
>> printed was immediately before the very first
>>
>> head->magic == grub_cpu_to_be32_compile_time (CBFS_HEADER_MAGIC
>>
>> I suppose reading *one* byte from 0xffffffff should not cause issues, but
>> here we are reading 4 bytes which are beyond 0xffffffff. Who knows what
>> the memory controller in this system does in this case.
>>
>> On 1 Nov 2015 3:53 PM, "Andrei Borzenkov" wrote:
>>>
>>> I was debugging a problem reported by a user on Dell Dimension 8300 - it
>>>> rebooted when doing "ls -l". It turned out the problem was triggered by
>>>> loading cbfs, which probed for the header. System has 2GB memory, and an
>>>> attempt to read from address 0xffffffff caused instant reboot. 0xffffffff
>>>> was returned by a read from non-existing address 0xfffffffc.
>>>>
>>>> The proof of concept patch below avoids it, but I wonder what the proper
>>>> fix is.
>>>>
>>>> diff --git a/grub-core/fs/cbfs.c b/grub-core/fs/cbfs.c
>>>> index a34eb88..a5a2fde 100644
>>>> --- a/grub-core/fs/cbfs.c
>>>> +++ b/grub-core/fs/cbfs.c
>>>> @@ -344,8 +344,9 @@ init_cbfsdisk (void)
>>>>
>>>> ptr = *(grub_uint32_t *) 0xfffffffc;
>>>> head = (struct cbfs_header *) (grub_addr_t) ptr;
>>>> + grub_dprintf ("cbfs", "head=%p\n", head);
>>>>
>>>> - if (!validate_head (head))
>>>> + if (0xffffffff - ptr < sizeof (*head) || !validate_head (head))
>>>> return;
>>>>
>>>> cbfsdisk_size = ALIGN_UP (grub_be_to_cpu32 (head->romsize),
>>>>
>>>> _______________________________________________
>>>> Grub-devel mailing list
>>>> Grub-devel@gnu.org
>>>> https://lists.gnu.org/mailman/listinfo/grub-devel
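Review bot: the new guard `if (0xffffffff - ptr < sizeof (*head) || !validate_head (head))` needs a comment, because nothing in the code says why a pointer near the top of 4 GiB is suspect; the reason given in the thread (on a machine with nothing mapped there, the read at 0xfffffffc returns 0xffffffff, so reading the header straddles the end of the 32-bit address space) belongs above the condition, e.g. `/* All-ones from an unmapped 0xfffffffc would make the header read wrap past 4 GiB. */`. The arithmetic is also off by one in the conservative direction: a header that ends exactly at 0xffffffff (0xffffffff - ptr == sizeof (*head) - 1) is rejected, which is harmless here but should be stated if it is intentional. Finally, the check only bounds the header itself while the unchanged `cbfsdisk_size = ALIGN_UP (grub_be_to_cpu32 (head->romsize),` line goes on to trust head->romsize, so it stops the reboot but does not answer the "proper fix" question the message raises; rejecting the all-ones value of ptr directly, which is what the thread says the unmapped read returns, would catch the bogus pointer before any dereference, and printing ptr alongside head in the added grub_dprintf would make that case visible on the serial log.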
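As an added illustration (not code from GRUB or from anyone on the thread), the following C model reproduces the failure mode described above: a 32-bit address space in which unmapped reads return all-ones, so the pointer read at 0xfffffffc comes back as 0xffffffff and the header read straddles the 4 GiB boundary, while the guard from the proof-of-concept patch rejects it. FAKE_ROM_BASE, FAKE_ROM_SIZE, FAKE_MAGIC and the helper names are assumptions of the model.

```c
/* Added example, not GRUB code: models the init_cbfsdisk probe from the thread
 * over a constructed 32-bit address space where unmapped reads return all-ones,
 * as reported for the Dell Dimension 8300. FAKE_* values are assumptions. */
#include <stdint.h>
#define CBFS_PTR_ADDR 0xfffffffcu   /* where GRUB reads the header pointer */
#define FAKE_ROM_BASE 0xffff0000u   /* constructed 64 KiB ROM window */
#define FAKE_ROM_SIZE 0x10000u
#define FAKE_MAGIC    0x43424653u   /* constructed magic, not coreboot's */
struct cbfs_header { uint32_t magic; uint32_t version; uint32_t romsize; };
static uint8_t fake_rom[FAKE_ROM_SIZE];
static int rom_present;             /* 0: nothing mapped at the top of 4 GiB */

/* One byte of the model address space; unmapped addresses read as 0xff. */
static uint8_t rd8(uint32_t addr) {
  if (rom_present && addr >= FAKE_ROM_BASE)
    return fake_rom[addr - FAKE_ROM_BASE];
  return 0xff;
}
/* Little-endian 32-bit read; addr + 3 wraps to 2 when addr is 0xffffffff,
 * the straddling read the real machine rebooted on. */
static uint32_t rd32(uint32_t addr) {
  return (uint32_t)rd8(addr) | (uint32_t)rd8(addr + 1) << 8 |
         (uint32_t)rd8(addr + 2) << 16 | (uint32_t)rd8(addr + 3) << 24;
}
static void wr32(uint32_t addr, uint32_t v) {
  for (int i = 0; i < 4; i++)
    fake_rom[addr - FAKE_ROM_BASE + i] = (uint8_t)(v >> (8 * i));
}
/* The guard from the patch: the header at ptr must fit below 4 GiB. */
int cbfs_header_fits(uint32_t ptr) {
  return 0xffffffffu - ptr >= sizeof(struct cbfs_header);
}
/* Map a constructed ROM whose pointer at 0xfffffffc names a valid header. */
void install_fake_rom(uint32_t header_addr) {
  wr32(header_addr, FAKE_MAGIC);
  wr32(header_addr + 4, 1);
  wr32(header_addr + 8, FAKE_ROM_SIZE);
  wr32(CBFS_PTR_ADDR, header_addr);
  rom_present = 1;
}
/* Probe as init_cbfsdisk does: 1 = header accepted, 0 = rejected by the
 * guard, -1 = an unguarded header read would have crossed 4 GiB. */
int probe_cbfs(int guarded) {
  uint32_t ptr = rd32(CBFS_PTR_ADDR);
  if (guarded && !cbfs_header_fits(ptr))
    return 0;
  if ((uint32_t)(ptr + sizeof(struct cbfs_header) - 1) < ptr)
    return -1;
  return rd32(ptr) == FAKE_MAGIC;
}
```

With no ROM mapped, the unguarded probe reports the wrapping read (-1) and the guarded probe returns 0; after install_fake_rom both accept the constructed header.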