Subject: Re: Dell Dimension 8300 reboots when grub2 cbfs module is loaded
To: The development of GNU GRUB
References: <56362757.3070801@gmail.com> <5638E9F5.3030403@gmail.com> <5638EB78.6010501@gmail.com>
From: Andrei Borzenkov
Message-ID: <5638EC9A.1060702@gmail.com>
Date: Tue, 3 Nov 2015 20:19:22 +0300
In-Reply-To: <5638EB78.6010501@gmail.com>

03.11.2015 20:14, Andrei Borzenkov wrote:
> 03.11.2015 20:10, Vladimir 'phcoder' Serbinenko wrote:
>> Which platform is it? i386-pc, i386-efi or x86_64-efi? The behavior is
>> actually well defined, just different between cpu modes
>
> i386-pc
>

BTW here are specs from Dell site

Intel® Pentium® 4 microprocessor (2.4, 2.6, 2.8, 3.0, 3.2, and 3.4 for 800 FSB, and 2.4, 2.66, 2.8, and 3.06 for 533 FSB)

4GB max memory

Intel 875P chipset

>> On 3 Nov 2015 6:08 PM, "Andrei Borzenkov" wrote:
>>
>>> 03.11.2015 19:28, Vladimir 'phcoder' Serbinenko wrote:
>>>
>>>> The code itself looks good but I'd like more details. Reading 0xffffffff
>>>> shouldn't cause reboot. Why does it?
>>>>
>>>
>>> That I do not know nor do I have access to system in question myself.
>>> I sent user patch that modified validate_header to do each comparison as
>>> individual statement and did line by line debug print (fortunately it was
>>> possible to connect serial port and capture output) and the last line
>>> printed was immediately before the very first
>>>
>>> head->magic == grub_cpu_to_be32_compile_time (CBFS_HEADER_MAGIC
>>>
>>> I suppose reading *one* byte from 0xffffffff should not cause issues but
>>> here we are reading 4 bytes which are beyond 0xffffffff. Who knows what
>>> memory controller in this system does in this case.
>>>
>>> On 1 Nov 2015 3:53 PM, "Andrei Borzenkov" wrote:
>>>>
>>>>> I was debugging problem reported by user on Dell Dimension 8300 - it
>>>>> rebooted when doing "ls -l". It turned out, the problem was triggered by
>>>>> loading cbfs which probed for header. System has 2GB memory, and attempt to
>>>>> read from address 0xffffffff caused instant reboot. 0xffffffff was returned
>>>>> by read from non-existing address 0xfffffffc.
>>>>>
>>>>> The proof of concept patch below avoids it, but I wonder what the proper
>>>>> fix is.
>>>>>
>>>>> diff --git a/grub-core/fs/cbfs.c b/grub-core/fs/cbfs.c >>>>> index a34eb88..a5a2fde 100644 >>>>> --- a/grub-core/fs/cbfs.c >>>>> +++ b/grub-core/fs/cbfs.c
>>>>> @@ -344,8 +344,9 @@ init_cbfsdisk (void) >>>>> >>>>> ptr = *(grub_uint32_t *) 0xfffffffc; >>>>> head = (struct cbfs_header *) (grub_addr_t) ptr; >>>>> + grub_dprintf ("cbfs", "head=%p\n", head); >>>>> >>>>> - if (!validate_head (head)) >>>>> + if (0xffffffff - ptr < sizeof (*head) || !validate_head (head)) >>>>> return; >>>>> >>>>> cbfsdisk_size = ALIGN_UP (grub_be_to_cpu32 (head->romsize),
>>>>>
>>>>> _______________________________________________
>>>>> Grub-devel mailing list
>>>>> Grub-devel@gnu.org
>>>>> https://lists.gnu.org/mailman/listinfo/grub-devel
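
Review bot: The new guard in the `if` ahead of `validate_head (head)` only rejects a `ptr` so close to the top of the address space that the header would run past 0xffffffff; any other value read back from 0xfffffffc, including whatever an unpopulated address returns on other machines, is still passed to `validate_head` and dereferenced, and the read `ptr = *(grub_uint32_t *) 0xfffffffc;` itself remains unconditional. Because the pointer word occupies 0xfffffffc..0xffffffff, the header should not overlap it either, so the bound could be written as `ptr > 0xfffffffc - sizeof (*head)`, which also avoids any wrap in `ptr + sizeof (*head)`; a short comment stating why the comparison is arranged that way would help the next reader. The added `grub_dprintf` prints `head` before any validation, which suits this proof of concept but should be a deliberate choice in the final patch rather than leftover debugging output.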