Thanks Dr. Greg Wettstein, the patch was reviewed and merged into the tboot source code tree.
-ning

-----Original Message-----
From: Dr. Greg Wettstein [mailto:g...@wind.enjellic.com]
Sent: Wednesday, December 14, 2016 12:00 PM
To: Sun, Ning <ning....@intel.com>; Brian E Luckau <bluc...@sgi.com>
Cc: tboot-devel@lists.sourceforge.net
Subject: RE: [tboot-devel] null pointer dereference bug in tboot Linux loader

On Dec 14, 5:18pm, "Sun, Ning" wrote:
} Subject: RE: [tboot-devel] null pointer dereference bug in tboot Linux loa

Good afternoon, I hope the day is going well for everyone.

> Is this patch completely from Dr. Wettstein or you made changes as
> well? We need to have someone sign off the patch so that we can
> validate and merge it to tboot tree.

It is all from our development group, here is a patch against virgin 1.9.4 and a signoff. I was going to send it earlier this week but we have been swamped.

---------------------------------------------------------------------------

There is a pointer dereference regression in the tboot native Linux loader which manifests itself as a system reset after the following is displayed on systems which are not using an initial ramdisk or initramfs image.

TBOOT: transferring control to kernel @0x100000

The native linux loader does not check the multiboot module count when initializing the initrd/initramfs image size and pointer value. This causes the loader setup code to pass an invalid pointer along with an arbitrary size count to the loader which then attempts to copy the contents of whatever memory the pointer is referencing into the kernel image that is being built.

The fix is straightforward. If the remaining multiboot module count is zero the initrd image pointer and size value are explicitly set to zero. This condition is interpreted properly by the loader as an indication that an initrd image is not to be loaded.
Signed-off-by: Dr. Greg Wettstein <g...@enjellic.com> diff -urNp v1.9.4/tboot-1.9.4/tboot/common/loader.c tboot-1.9.4/tboot/common/loader.c --- v1.9.4/tboot-1.9.4/tboot/common/loader.c Wed May 18 12:20:26 2016 +++ tboot-1.9.4/tboot/common/loader.c Sat Sep 3 08:45:55 2016 
@@ -1272,10 +1272,19 @@ bool launch_kernel(bool is_measured_laun MB_MAGIC : MB2_LOADER_MAGIC); } else if ( kernel_type == LINUX ) { - m = get_module(g_ldr_ctx,0); - void *initrd_image = (void *)m->mod_start; - size_t initrd_size = m->mod_end - m->mod_start; + void *initrd_image; + size_t initrd_size; + if ( get_module_count(g_ldr_ctx) == 0 ) { + initrd_size = 0; + initrd_image = 0; + } + else { + m = get_module(g_ldr_ctx,0); + initrd_image = (void *)m->mod_start; + initrd_size = m->mod_end - m->mod_start; + } + expand_linux_image(kernel_image, kernel_size, initrd_image, initrd_size, &kernel_entry_point, is_measured_launch);

---------------------------------------------------------------------------

> Thanks,
> -ning

Have a good remainder of the day.

Greg

}-- End of excerpt from "Sun, Ning"

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949
EMAIL: g...@enjellic.com
------------------------------------------------------------------------------
"I created a hack to make the division come out right ... I was relieved because I thought I was coding wrong. Did you? It took a guy (Thomas Nicely) with a Ph.D. doing heavy research in computational number theory to find it, yet you found it while working on a game in QuickBasic?"
-- Slashdot --
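Review bot: the else branch of the new `if ( get_module_count(g_ldr_ctx) == 0 )` check still dereferences `m` without testing it, so the hunk only closes the "no modules" case; if `get_module(g_ldr_ctx,0)` can return NULL for a malformed module list, guard `m->mod_start` / `m->mod_end` with an `m != NULL` check (or fall through to the zero-size path) rather than reset the machine there instead. Two smaller points: `initrd_image = 0;` assigns an integer literal to a `void *`, and `initrd_image = NULL;` states the intent more clearly; and since the fix relies on `expand_linux_image()` treating a NULL image with size 0 as "no initrd", a one-line comment above the call documenting that contract would keep a later change to `expand_linux_image()` from silently reintroducing the copy of arbitrary memory described in the message.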