public inbox for linux-kernel@vger.kernel.org
From: Thomas Gleixner <tglx@linutronix.de>
To: Borislav Petkov <bp@alien8.de>
Cc: X86 ML <x86@kernel.org>, LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] lib/earlycpio: Mark find_cpio_data() __no_stack_protector
Date: Fri, 18 Aug 2023 10:18:38 +0200
Message-ID: <87a5uohig1.ffs@tglx>
In-Reply-To: <20230816100221.12209-1-bp@alien8.de>

On Wed, Aug 16 2023 at 12:02, Borislav Petkov wrote:
> From: "Borislav Petkov (AMD)" <bp@alien8.de>
>
> find_cpio_data() is called by the 32-bit x86 microcode loader while
> paging is not yet enabled and the CPU is running off physical addresses.
> However, when stack protector is enabled, the compiler adds the stack
> protection check for this function:

There are a lot more functions which have the same problem.

It's completely unclear to me how this is supposed to work at that point
where paging is disabled.

The stackprotector does:

 321:	64 8b 35 00 00 00 00 	mov    %fs:0xc2686834,%esi
 328:	89 75 f0             	mov    %esi,-0x10(%ebp)

....

 531:	8b 75 f0             	mov    -0x10(%ebp),%esi
 534:	64 2b 35 00 00 00 00 	sub    %fs:c2686834,%esi
 53b:	0f 85 42 01 00 00    	jne    683

c2686834 is the compile time address of __stack_chk_guard, which is a
per CPU variable.

%fs is __DS_BOOT at that point, which uses the boot GDT. __DS_BOOT is a
4GB data rw segment.

So this reads from some random place in memory or, if memory is not big
enough, it either reads from an alias address or just whatever the
hardware decides to read from the void.

IOW, this just works by chance, but certainly not by any form of design.

Not sure what to do about that.

Thanks,

        tglx
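As an added example (not part of the thread and not kernel code), the script below scans an x86-32 objdump listing for functions that carry the stack-protector guard check described above, i.e. a %fs:-relative access to __stack_chk_guard, so that functions running before paging is enabled can be reviewed for __no_stack_protector. The listing embedded in it is constructed; the guard address 0xc2686834 and the find_cpio_data instructions are taken from the message, and the second function name is hypothetical.

```python
"""Find functions in an objdump listing that reference the stack-protector
guard through %fs, as the 32-bit kernel build does. Constructed sample
input; the guard address comes from the thread above."""
import re

# objdump function header, e.g. "c1000100 <find_cpio_data>:"
FUNC_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>:$")
# objdump prints the guard load as "%fs:0xc2686834" and the compare as
# "%fs:c2686834"; accept both spellings of the address.
GUARD_RE = re.compile(r"%fs:(?:0x)?([0-9a-f]+)")


def find_guard_users(listing: str, guard_addr: int) -> dict[str, list[str]]:
    """Return {function: [mnemonics]} for every function whose code reads
    the guard at guard_addr through %fs (the prologue store and the
    epilogue compare both show up)."""
    users: dict[str, list[str]] = {}
    current = None
    for line in listing.splitlines():
        header = FUNC_RE.match(line.strip())
        if header:
            current = header.group(1)
            continue
        if current is None:
            continue
        ref = GUARD_RE.search(line)
        if ref and int(ref.group(1), 16) == guard_addr:
            # The instruction text follows the raw bytes and a tab.
            mnemonic = line.split("\t")[-1].split()[0]
            users.setdefault(current, []).append(mnemonic)
    return users


# Constructed listing: find_cpio_data() lines from the thread plus a
# hypothetical helper without any guard check.
SAMPLE = """\
c1000100 <find_cpio_data>:
 321:\t64 8b 35 00 00 00 00 \tmov    %fs:0xc2686834,%esi
 328:\t89 75 f0             \tmov    %esi,-0x10(%ebp)
 531:\t8b 75 f0             \tmov    -0x10(%ebp),%esi
 534:\t64 2b 35 00 00 00 00 \tsub    %fs:c2686834,%esi
 53b:\t0f 85 42 01 00 00    \tjne    683
c1000700 <helper_without_protector>:
 700:\t55                   \tpush   %ebp
 701:\t89 e5                \tmov    %esp,%ebp
"""

if __name__ == "__main__":
    for fn, insns in find_guard_users(SAMPLE, 0xC2686834).items():
        print(f"{fn}: stack protector present ({', '.join(insns)})")
```

Run it against `objdump -d vmlinux` output to list every function that would need the attribute if it is reachable before paging is enabled.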
