qemu/hw
Jason A. Donenfeld eac7a7791b x86: don't let decompressed kernel image clobber setup_data
The setup_data links are appended to the compressed kernel image. Since
the kernel image is typically loaded at 0x100000, setup_data lives at
`0x100000 + compressed_size`, which does not get relocated during the
kernel's boot process.

The kernel typically decompresses the image starting at address
0x1000000 (note: there's one more zero there than the compressed image
above). This usually is fine for most kernels.

However, if the compressed image is actually quite large, then
setup_data will live at a `0x100000 + compressed_size` that extends into
the decompressed zone at 0x1000000. In other words, if compressed_size
is larger than `0x1000000 - 0x100000`, then the decompression step will
clobber setup_data, resulting in crashes.

Visually, what happens now is that QEMU appends setup_data to the kernel
image:

          kernel image            setup_data
   |--------------------------||----------------|
0x100000                  0x100000+l1     0x100000+l1+l2

The problem is that this decompresses to 0x1000000 (one more zero). So
if l1 is > (0x1000000-0x100000), then this winds up looking like:

          kernel image            setup_data
   |--------------------------||----------------|
0x100000                  0x100000+l1     0x100000+l1+l2

                                 d e c o m p r e s s e d   k e r n e l
                     |-------------------------------------------------------------|
                0x1000000                                                     0x1000000+l3

The decompressed kernel seemingly overwriting the compressed kernel
image isn't a problem, because that gets relocated to a higher address
early on in the boot process, at the end of startup_64. setup_data,
however, stays in the same place, since those links are self referential
and nothing fixes them up.  So the decompressed kernel clobbers it.

Fix this by appending setup_data to the cmdline blob rather than the
kernel image blob, which remains at a lower address that won't get
clobbered.

This could have been done by overwriting the initrd blob instead, but
that poses big difficulties, such as no longer being able to use memory
mapped files for initrd, hurting performance, and, more importantly, the
initrd address calculation is hard coded in qboot, and it always grows
down rather than up, which means lots of brittle semantics would have to
be changed around, incurring more complexity. In contrast, using cmdline
is simple and doesn't interfere with anything.

The microvm machine has a gross hack where it fiddles with fw_cfg data
after the fact. So this hack is updated to account for this appending,
by reserving some bytes.

Fixup-by: Michael S. Tsirkin <mst@redhat.com>
Cc: x86@kernel.org
Cc: Philippe Mathieu-Daudé <philmd@linaro.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Message-Id: <20221230220725.618763-1-Jason@zx2c4.com>
Message-ID: <20230128061015-mutt-send-email-mst@kernel.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Eric Biggers <ebiggers@google.com>
Tested-by: Mathias Krause <minipli@grsecurity.net>
2023-01-28 06:21:29 -05:00
..
9pfs coroutine: Split qemu/coroutine-core.h off qemu/coroutine.h 2023-01-20 07:21:46 +01:00
acpi hw/acpi/acpi_dev_interface: Remove unused parameter from AcpiDeviceIfClass::madt_cpu 2023-01-27 11:47:02 -05:00
adc hw/adc: Make adci[*] R/W in NPCM7XX ADC 2022-07-18 13:20:14 +01:00
alpha include/hw/pci: Break inclusion loop pci_bridge.h and cxl.h 2023-01-08 01:54:22 -05:00
arm hw/i2c/versatile_i2c: Rename versatile_i2c -> arm_sbcon_i2c 2023-01-23 13:32:38 +00:00
audio include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
avr
block virtio-blk: simplify virtio_blk_dma_restart_cb() 2023-01-23 15:01:23 -05:00
char hw/riscv: spike: Decouple create_fdt() dependency to ELF loading 2023-01-20 10:14:13 +10:00
core virtio-rng-pci: fix migration compat for vectors 2023-01-27 11:47:02 -05:00
cpu hw/cpu: Mark arm11 and realview mpcore as target-independent code 2023-01-16 17:51:20 +01:00
cris
cxl hw/cxl/cxl-host: Fix an error message typo 2023-01-17 10:02:37 +01:00
display Monitor patches for 2023-01-19 2023-01-19 18:58:03 +00:00
dma bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
gpio hw/gpio/omap_gpio: Use CamelCase for TYPE_OMAP2_GPIO type name 2023-01-12 17:15:09 +00:00
hppa hw: Remove unused MAX_IDE_BUS define 2022-10-31 11:32:07 +01:00
hyperv hw/hyperv/vmbus: Use device_cold_reset() and bus_cold_reset() 2022-12-16 15:55:32 +00:00
i2c hw/isa/isa-bus: Turn isa_build_aml() into qbus_build_aml() 2023-01-27 11:47:02 -05:00
i386 x86: don't let decompressed kernel image clobber setup_data 2023-01-28 06:21:29 -05:00
ide virtio,pc,pci: features, cleanups, fixes 2023-01-09 10:07:12 +00:00
input hw/input/tsc2xxx: Constify set_transform()'s MouseTransformInfo arg 2023-01-05 14:11:15 +00:00
intc Header cleanup patches for 2023-01-20 2023-01-20 13:17:55 +00:00
ipack include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
ipmi include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
isa hw/isa/isa-bus: Turn isa_build_aml() into qbus_build_aml() 2023-01-27 11:47:02 -05:00
loongarch hw/intc/loongarch_pch: Change default irq number of pch irq controller 2023-01-06 14:12:43 +08:00
m68k hw: Add compat machines for 8.0 2022-12-21 06:35:28 -05:00
mem hw/cxl/device: Add Flex Bus Port DVSEC 2022-12-21 07:32:24 -05:00
microblaze hw/microblaze: pass random seed to fdt 2022-09-21 19:59:56 +02:00
mips hw/mips/boston: Rename MachineState 'mc' pointer to 'ms' 2023-01-13 16:22:57 +01:00
misc bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
net bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
nios2 hw/nios2: set machine->fdt in nios2_load_dtb() 2022-10-17 16:15:10 -03:00
nubus
nvme hw/nvme updates 2023-01-11 16:41:13 +00:00
nvram x86: don't let decompressed kernel image clobber setup_data 2023-01-28 06:21:29 -05:00
openrisc openrisc: re-randomize rng-seed on reboot 2022-10-27 11:34:31 +01:00
pci shpc: disallow unplug when power indicator is blinking 2023-01-27 09:48:49 -05:00
pci-bridge bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
pci-host hw/pci-host: Use register definitions from PCI standard 2023-01-27 11:47:02 -05:00
pcmcia
ppc Header cleanup patches for 2023-01-20 2023-01-20 13:17:55 +00:00
rdma hw/pvrdma: Protect against buggy or malicious guest driver 2023-01-16 18:49:38 +01:00
remote hw/pci/pci: Factor out pci_bus_map_irqs() from pci_bus_irqs() 2023-01-13 16:22:57 +01:00
riscv hw/riscv/virt.c: move create_fw_cfg() back to virt_machine_init() 2023-01-20 10:14:14 +10:00
rtc bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
rx rx: re-randomize rng-seed on reboot 2022-10-27 11:34:31 +01:00
s390x s390x/pv: Implement a CGS check helper 2023-01-18 12:27:21 +01:00
scsi vhost-scsi: fix memleak of vsc->inflight 2023-01-08 01:54:23 -05:00
sd hw/arm/omap: Drop useless casts from void * to pointer 2023-01-12 17:15:09 +00:00
sensor hw/sensor: Add Renesas ISL69259 device model 2022-07-14 16:24:38 +02:00
sh4 bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
smbios include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
sparc machine: make memory-backend a link property 2022-05-12 12:29:44 +02:00
sparc64 hw/sparc64/niagara: Use blk_name() instead of open-coding it 2023-01-20 07:25:01 +01:00
ssi trivial branch pull request 20230118 2023-01-19 15:05:29 +00:00
timer bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
tpm hw/tpm: Move tpm_ppi.c out of target-specific source set 2023-01-16 17:51:20 +01:00
tricore
usb ccid-card-emulated: fix cast warning/error 2023-01-16 18:46:03 +01:00
vfio include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
virtio vhost-user: Correct a reference of TARGET_AARCH64 2023-01-27 11:47:02 -05:00
watchdog include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
xen bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
xenpv Warn user if the vga flag is passed but no vga device is created 2022-05-09 08:21:14 +02:00
xtensa
Kconfig hw/loongarch: Add support loongson3 virt machine type. 2022-06-06 18:09:03 +00:00
meson.build hw/loongarch: Add support loongson3 virt machine type. 2022-06-06 18:09:03 +00:00