From: Petr Vandrovec <vandrove@vc.cvut.cz>
To: "H. Peter Anvin" <hpa@zytor.com>
Cc: Matt Domsch <Matt_Domsch@dell.com>,
Alon Bar-Lev <alon.barlev@gmail.com>, Andi Kleen <ak@suse.de>,
Andrew Morton <akpm@osdl.org>,
linux-kernel@vger.kernel.org, johninsd@san.rr.com
Subject: Re: [PATCH] Fix the EDD code misparsing the command line
Date: Tue, 29 Aug 2006 03:24:27 +0200 [thread overview]
Message-ID: <44F3974B.6060501@vc.cvut.cz> (raw)
In-Reply-To: <44F386B8.8000209@zytor.com>
H. Peter Anvin wrote:
>
>
> ------------------------------------------------------------------------
>
> The EDD code would scan the command line as a fixed array, without
> taking account of either whitespace, null-termination, the old
> command-line protocol, late overrides early, or the fact that the
> command line may not be reachable from INITSEG.
>
> This should fix those problems, and enable us to use a longer command
> line.
>
> Signed-off-by: H. Peter Anvin <hpa@zytor.com>
>
>
> diff --git a/arch/i386/boot/edd.S b/arch/i386/boot/edd.S
> index 4b84ea2..03712a0 100644
> --- a/arch/i386/boot/edd.S
> +++ b/arch/i386/boot/edd.S
> + andl %esi, %esi
> + jz old_cl # Old boot protocol?
> +
> +# Convert to a real-mode pointer in fs:si
> + movl %esi, %eax
> + shrl $4, %eax
> + movw %ax, %fs
> + andw $0xf, %si
> + jmp have_cl_pointer
> +
> +# Old-style boot protocol?
> +old_cl:
> + push %ds # aka INITSEG
> + pop %fs
> +
> + cmpw $0xa33f, (0x20)
> + jne done_cl # No command line at all?
> + movw (0x22), %si # Pointer relative to INITSEG
Perhaps you should convert ds:si to flat pointer and then this flat pointer to
fs:si using method above, to avoid problems with dword access with si > 0xfffc
or word access with si > 0xfffe ?
> +
> +# fs:si has the pointer to the command line now
> +have_cl_pointer:
> +
> # loop through kernel command line one byte at a time
> -cl_loop:
> - cmpl $EDD_CL_EQUALS, (%si)
> +cl_atspace:
> + movl %fs:(%si), %eax
This looks fine for new boot protocol, but what if old boot protocol puts
command line so that its last byte is at INITSEG:0xffff ? You get #GP here,
then, although command line is correctly zero terminated and does not overflow
segment.
> + andb %al, %al # End of line?
> + jz done_cl
> + cmpl $EDD_CL_EQUALS, %eax
> jz found_edd_equals
> - incl %esi
> - loop cl_loop
> - jmp done_cl
> + cmpb $0x20, %al # <= space consider whitespace
> + ja cl_skipword
> + incw %si
> + jnz cl_atspace
You already died with #GP when si was 0xfffd or bigger above, so this ZF test is
probably not quite needed.
> + jmp done_cl # Wraparound...
> +
> +cl_skipword:
> + movb %fs:(%si), %al # End of string?
> + andb %al, %al
> + jz done_cl
> + cmpb $0x20, %al
> + jbe cl_atspace
> + incw %si
> + jnz cl_skipword
> + jmp done_cl # Wraparound...
> +
> found_edd_equals:
> # only looking at first two characters after equals
> - addl $4, %esi
> - cmpw $EDD_CL_OFF, (%si) # edd=of
> - jz do_edd_off
> - cmpw $EDD_CL_SKIP, (%si) # edd=sk
> - jz do_edd_skipmbr
> - jmp done_cl
> +# late overrides early on the command line, so keep going after finding something
> + movw %fs:4(%si), %ax
If si is 0xfffb here, bad things happen. I know, things I've pointed out should
not be problem in real world, and new code is definitely better than old one,
but if you already have code to avoid endless loop if command line points to
64KB array of 0xFF let's do that right, no?
Thanks,
Petr Vandrovec
next prev parent reply other threads:[~2006-08-29 1:25 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-05-05 13:37 [PATCH][TAKE 4] THE LINUX/I386 BOOT PROTOCOL - Breaking the 256 limit Alon Bar-Lev
2006-05-05 14:09 ` H. Peter Anvin
2006-05-05 14:28 ` Alon Bar-Lev
2006-05-05 14:35 ` H. Peter Anvin
2006-05-05 18:10 ` John Coffman
2006-05-05 18:17 ` H. Peter Anvin
2006-05-05 21:48 ` John Coffman
2006-05-05 21:57 ` H. Peter Anvin
2006-05-06 3:57 ` John Coffman
2006-05-06 5:11 ` H. Peter Anvin
2006-05-06 10:31 ` Alon Bar-Lev
[not found] ` <44AD583B.5040007@gmail.com>
[not found] ` <44AD5BB4.9090005@zytor.com>
[not found] ` <44AD5D47.8010307@gmail.com>
[not found] ` <44AD5FD8.6010307@zytor.com>
[not found] ` <9e0cf0bf0608031436x19262ab0rb2271b52ce75639d@mail.gmail.com>
[not found] ` <44D278D6.2070106@zytor.com>
[not found] ` <9e0cf0bf0608031542q2da20037h828f4b8f0d01c4d5@mail.gmail.com>
[not found] ` <44D27F22.4080205@zytor.com>
2006-08-25 23:57 ` [PATCH] THE LINUX/I386 BOOT PROTOCOL - Breaking the 256 limit (ping) Alon Bar-Lev
2006-08-27 18:28 ` Andi Kleen
2006-08-27 18:50 ` H. Peter Anvin
2006-08-27 19:16 ` Andi Kleen
2006-08-27 19:32 ` H. Peter Anvin
2006-08-27 20:54 ` Andi Kleen
2006-08-27 21:39 ` H. Peter Anvin
2006-08-28 3:28 ` John Coffman
2006-08-28 6:02 ` Alon Bar-Lev
2006-08-28 6:41 ` Alon Bar-Lev
2006-08-28 7:31 ` H. Peter Anvin
2006-08-28 12:19 ` Alon Bar-Lev
2006-08-28 18:28 ` H. Peter Anvin
2006-08-28 18:46 ` Matt Domsch
2006-08-28 19:00 ` H. Peter Anvin
2006-08-28 20:12 ` Matt Domsch
2006-08-28 20:29 ` Alon Bar-Lev
2006-08-28 20:33 ` H. Peter Anvin
2006-08-28 20:43 ` H. Peter Anvin
2006-08-30 16:49 ` Alon Bar-Lev
2006-08-30 16:56 ` Andi Kleen
2006-08-30 17:06 ` Alon Bar-Lev
2006-08-30 17:31 ` Andi Kleen
2006-08-30 17:51 ` Alon Bar-Lev
2006-08-30 18:59 ` H. Peter Anvin
2006-08-30 19:06 ` Andi Kleen
2006-08-30 19:07 ` H. Peter Anvin
2006-08-30 19:23 ` Alon Bar-Lev
2006-08-30 19:33 ` H. Peter Anvin
2006-08-30 18:58 ` H. Peter Anvin
2006-08-28 19:24 ` Alon Bar-Lev
2006-08-28 20:32 ` H. Peter Anvin
2006-08-29 0:13 ` [PATCH] Fix the EDD code misparsing the command line H. Peter Anvin
2006-08-29 1:24 ` Petr Vandrovec [this message]
2006-08-29 1:36 ` H. Peter Anvin
2006-08-29 1:51 ` [PATCH] Fix the EDD code misparsing the command line (rev 2) H. Peter Anvin
2006-08-27 19:59 ` [PATCH] THE LINUX/I386 BOOT PROTOCOL - Breaking the 256 limit (ping) Alon Bar-Lev
2006-05-05 22:02 ` [PATCH][TAKE 4] THE LINUX/I386 BOOT PROTOCOL - Breaking the 256 limit Alon Bar-Lev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=44F3974B.6060501@vc.cvut.cz \
--to=vandrove@vc.cvut.cz \
--cc=Matt_Domsch@dell.com \
--cc=ak@suse.de \
--cc=akpm@osdl.org \
--cc=alon.barlev@gmail.com \
--cc=hpa@zytor.com \
--cc=johninsd@san.rr.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox