Subject: Re: [PATCH] ieee1275: prevent buffer over-read
To: The development of GNU GRUB
References: <1455324637-45091-1-git-send-email-eric.snowberg@oracle.com>
From: Andrei Borzenkov
Message-ID: <56BEC0DA.5050202@gmail.com>
Date: Sat, 13 Feb 2016 08:36:26 +0300
In-Reply-To: <1455324637-45091-1-git-send-email-eric.snowberg@oracle.com>
Cc: Eric Snowberg

13.02.2016 03:50, Eric Snowberg wrote:
> Prevent buffer over-read in grub_machine_mmap_iterate. This was
> preventing phys_base from being calculated properly. This then
> caused the wrong value to be placed in ramdisk_image within
> struct linux_hdrs, which prevented the ramdisk from loading on
> boot.
>
> Newer SPARC systems contain more than 8 available memory entries.
>
> For example on a T5-8 with 2TB of memory, the memory layout could
> look like this:
>
> T5-8 Memory
>   reg        00000000 30000000 0000003f b0000000
>              00000800 00000000 00000040 00000000
>              00001000 00000000 00000040 00000000
>              00001800 00000000 00000040 00000000
>              00002000 00000000 00000040 00000000
>              00002800 00000000 00000040 00000000
>              00003000 00000000 00000040 00000000
>              00003800 00000000 00000040 00000000
>   available  00003800 00000000 0000003f ffcae000
>              00003000 00000000 00000040 00000000
>              00002800 00000000 00000040 00000000
>              00002000 00000000 00000040 00000000
>              00001800 00000000 00000040 00000000
>              00001000 00000000 00000040 00000000
>              00000800 00000000 00000040 00000000
>              00000000 70000000 0000003f 70000000
>              00000000 6eef8000 00000000 00002000
>              00000000 30400000 00000000 3eaf6000
>   name       memory
> > Signed-off-by: Eric Snowberg > --- > grub-core/kern/ieee1275/mmap.c | 5 ++++- > 1 files changed, 4 insertions(+), 1 deletions(-) > > diff --git a/grub-core/kern/ieee1275/mmap.c b/grub-core/kern/ieee1275/mmap.c > index 911bb00..8df4e9b 100644 > --- a/grub-core/kern/ieee1275/mmap.c > +++ b/grub-core/kern/ieee1275/mmap.c > @@ -25,7 +25,7 @@ grub_machine_mmap_iterate (grub_memory_hook_t hook, void *hook_data) > { > grub_ieee1275_phandle_t root; > grub_ieee1275_phandle_t memory; > - grub_uint32_t available[32]; > + grub_uint32_t available[64]; Can we make it allocate dynamically according to available_size or is memory allocator not yet initialized at this point? > grub_ssize_t available_size; > grub_uint32_t address_cells = 1; > grub_uint32_t size_cells = 1; > @@ -49,6 +49,9 @@ grub_machine_mmap_iterate (grub_memory_hook_t hook, void *hook_data) > sizeof available, &available_size)) > return grub_error (GRUB_ERR_UNKNOWN_DEVICE, > "couldn't examine /memory/available property"); > + if (available_size > sizeof available) > + return grub_error (GRUB_ERR_UNKNOWN_DEVICE, > + "/memory response buffer exceeded"); > > if (grub_ieee1275_test_flag (GRUB_IEEE1275_FLAG_BROKEN_ADDRESS_CELLS)) > { >
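Review bot: the new bound in `grub_uint32_t available[64];` (first hunk) is a second magic number that only moves the limit rather than removing it: with address_cells and size_cells both 2, as on the T5-8 in the description, each entry takes 4 cells, so the old 32-cell buffer held the 8 entries the commit message refers to and the new one holds 16, which the 10-entry T5-8 list fits but a larger configuration could exceed again. Suggest a named constant with a comment stating how many entries it allows at the common cell sizes, or, as already asked above, sizing the buffer from available_size once the allocator is usable at this point.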
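Review bot: in the second hunk, `if (available_size > sizeof available)` compares a signed grub_ssize_t with an unsigned size_t; cast the left side explicitly (or check for a negative value first) so the intent is clear and the comparison does not depend on implicit conversion. The message "/memory response buffer exceeded" should also name the property and the limit, in the style of the preceding "couldn't examine /memory/available property" error, and GRUB_ERR_UNKNOWN_DEVICE describes a device that cannot be found rather than a property larger than the caller's buffer, so a range-type error code would read more accurately. The placement itself is right: the preceding call is passed sizeof available as the buffer length, so failing here, before the iteration that walks available_size bytes, is what stops the over-read.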
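As an added illustration, not GRUB's mmap.c and not part of the patch, the decode the fix implies written out in full: the "available" property is refused when it would not fit the fixed cell buffer, and the T5-8 list quoted in the commit message is used as constructed input, assuming #address-cells = #size-cells = 2 and the hypothetical helper names below.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define MAX_AVAIL_CELLS 64          /* the bound the patch raises from 32 to 64 */
struct range { uint64_t base, size; };
/* Join n 32-bit cells, most significant first, as Open Firmware encodes them. */
static uint64_t fold_cells(const uint32_t *c, unsigned n)
{
  uint64_t v = 0;
  while (n--) v = (v << 32) | *c++;
  return v;
}
/* Copy the property into a fixed buffer and decode (base, size) pairs. Returns
   the range count, or -1 when the property would not fit: the patch's new check. */
static int parse_available(const uint32_t *prop, size_t prop_bytes,
                           unsigned addr_cells, unsigned size_cells,
                           struct range *out, size_t max_out)
{
  uint32_t buf[MAX_AVAIL_CELLS];
  if (prop_bytes > sizeof buf)
    return -1;                      /* "/memory response buffer exceeded" */
  memcpy(buf, prop, prop_bytes);
  size_t per = addr_cells + size_cells, ncells = prop_bytes / sizeof(uint32_t), n = 0;
  for (size_t i = 0; i + per <= ncells && n < max_out; i += per, n++) {
    out[n].base = fold_cells(buf + i, addr_cells);
    out[n].size = fold_cells(buf + i + addr_cells, size_cells);
  }
  return (int) n;
}
/* Constructed from the T5-8 "available" list quoted in the commit message,
   assuming #address-cells = #size-cells = 2. */
static const uint32_t t5_8_available[] = {
  0x00003800, 0x00000000, 0x0000003f, 0xffcae000,
  0x00003000, 0x00000000, 0x00000040, 0x00000000,
  0x00002800, 0x00000000, 0x00000040, 0x00000000,
  0x00002000, 0x00000000, 0x00000040, 0x00000000,
  0x00001800, 0x00000000, 0x00000040, 0x00000000,
  0x00001000, 0x00000000, 0x00000040, 0x00000000,
  0x00000800, 0x00000000, 0x00000040, 0x00000000,
  0x00000000, 0x70000000, 0x0000003f, 0x70000000,
  0x00000000, 0x6eef8000, 0x00000000, 0x00002000,
  0x00000000, 0x30400000, 0x00000000, 0x3eaf6000,
};
/* Decode the T5-8 list: its 40 cells fit the new 64-cell buffer but not the
   old 32-cell one, which is where the loop over available_size over-read. */
int parse_t5_8(struct range *out, size_t max_out)
{
  return parse_available(t5_8_available, sizeof t5_8_available, 2, 2, out, max_out);
}
```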