Hi Andrei,
your patch looks good generally, but the check is off by one. It's obvious, we want to have sane checking there. Reading from a random address can cause trouble and 0xffffffff is not the only offending address.
On x86, the cbfs is mapped right below the 4GiB line. Current machines don't have more than 16MiB space for cbfs, FWIW. So maybe it's best to check if the ptr points somewhere between 0xff000000 and (0x100000000 - sizeof(*head)).
Nico
On 01.11.2015 15:53, Andrei Borzenkov wrote:
I was debugging problem reported by user on Dell Dimension 8300 - it rebooted when doing "ls -l". It turned out, the problem was triggered by loading cbfs which probed for header. System has 2GB memory, and attempt to read from address 0xffffffff caused instant reboot. 0xffffffff was returned by read from non-existing address 0xfffffffc.
The proof of concept patch below avoids it, but I wonder what the proper fix is.
diff --git a/grub-core/fs/cbfs.c b/grub-core/fs/cbfs.c index a34eb88..a5a2fde 100644 --- a/grub-core/fs/cbfs.c +++ b/grub-core/fs/cbfs.c @@ -344,8 +344,9 @@ init_cbfsdisk (void)
ptr = *(grub_uint32_t *) 0xfffffffc; head = (struct cbfs_header *) (grub_addr_t) ptr;
- grub_dprintf ("cbfs", "head=%p\n", head);
- if (!validate_head (head))
if (0xffffffff - ptr < sizeof (*head) || !validate_head (head)) return;
cbfsdisk_size = ALIGN_UP (grub_be_to_cpu32 (head->romsize),