Re: [BUG] broken ebba638ae723d8a8fc2f7abce5ec18b688b791d7

From: Kees Cook
Date: Thu Jan 27 2011 - 18:00:29 EST


Hi matthieu,

On Thu, Jan 27, 2011 at 10:49:33PM +0100, matthieu castet wrote:
> ebba638ae723d8a8fc2f7abce5ec18b688b791d7 "x86, cpu: Call verify_cpu during 32bit CPU startup" looks buggy.
>
> It adds a call to verify_cpu, but we never set the stack before (I checked with qemu + gdbserver that sp is random
> when doing cpu hotplug).
> This means it randomly corrupts memory.

Yikes, good catch.

arch/x86/kernel/trampoline_64.S uses:
movw $(trampoline_stack_end - r_base), %sp

arch/x86/boot/compressed/head_64.S uses:
movl $boot_stack_end, %eax
addl %ebp, %eax
movl %eax, %esp

What would be safe for arch/x86/kernel/head_32.S? It uses "stack_start",
but only later, after paging set-up. Is the following sane to solve this?


diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S
index fc293dc..8ddd0e4 100644
--- a/arch/x86/kernel/head_32.S
+++ b/arch/x86/kernel/head_32.S
@@ -284,6 +284,8 @@ ENTRY(startup_32_smp)
movl %eax,%gs
#endif /* CONFIG_SMP */
default_entry:
+ /* Set up the stack pointer */
+ lss stack_start,%esp

/*
* New page tables may be in 4Mbyte page mode and may
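Review bot: the `lss stack_start,%esp` added at `default_entry` runs before the paging-enable sequence (the `movl %eax,%cr0` / `ljmp` shown in the second hunk), so at this point both the reference to the `stack_start` symbol and the stack address stored in it must be valid with paging off, i.e. as physical addresses; the original placement after paging was enabled suggests `stack_start` holds a kernel virtual address, in which case loading it here would set %esp to an unmapped address and the stack would still be unusable for the verify_cpu call. Before moving the load, confirm what `stack_start` contains at this point for the hotplugged CPU and, if it is a virtual address, translate it to a physical one (or use a dedicated early physical stack, as the trampoline code cited in the mail does) rather than loading it unchanged.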
@@ -347,8 +349,6 @@ default_entry:
movl %eax,%cr0 /* ..and set paging (PG) bit */
ljmp $__BOOT_CS,$1f /* Clear prefetch and normalize %eip */
1:
- /* Set up the stack pointer */
- lss stack_start,%esp

/*
* Initialize eflags. Some BIOS's leave bits like NT set. This would
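Review bot: dropping the `lss stack_start,%esp` after the `ljmp $__BOOT_CS,$1f` means %esp keeps whatever value was loaded before paging was turned on; if that value was a physical address (which is what the paging-off code at `default_entry` needs), it is no longer the right stack once `movl %eax,%cr0` sets PG unless an identity mapping covers it. Consider keeping this reload at label `1:` so the virtual stack is re-established after paging is enabled, and only adding an early stack before `default_entry` for the paging-off section, rather than moving the single load; that way the stack is valid on both sides of the transition. The removal also leaves the `1:` label followed directly by a blank line, which is harmless but worth tidying.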

-Kees


--
Kees Cook
Ubuntu Security Team