Comment 4 for bug 1865032

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-03-12 06:21 EDT-------
(In reply to comment #9)
> I am thinking more of elevating beyond root, and doing things that HMC
> should be preventing.
>
> For example, if HMC is enforcing secureboot and the user has no access in
> HMC to disable that, can this bug open up an opportunity to load and execute
> unsigned stage3 zipl code, or for example load an unsigned kernel which HMC
> should be prohibiting?

The way I see it the bug should not allow execution of unsigned code. Here's why:

1) The stack is located above the code in memory
-> a buffer overflow can only overwrite the stack and any data "behind" the loader

2) For the loader _not_ to crash %r14 (return address) on the stack has to contain a valid absolute address
-> the MSBs of %r14 must be zero, otherwise it would point behind the memory present in the system and the loader would crash with a program check
-> partial overwrites of %r14 don't work on s390 as they would overwrite the MSB (big endian)

3) All but one prints are hard coded. The one exception is when the menu is printed (i.e. the titles set in zipl.conf). In that case the data is interpreted as string. Thus any zero byte would be interpreted as end of string which is in conflict with 2).

Please let me know if you find a flaw in the logic.
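The reasoning in points 2) and 3) above, as an added example that is not code from the bug report or from zipl: a constructed C model of a big-endian stack frame in which a 32-byte input buffer sits directly below the saved %r14 slot, with the buffer size, frame layout and 4 GiB storage size all assumed. It enumerates NUL-terminated overflow payloads and checks whether any of them can change %r14 while leaving it a valid absolute address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model (not zipl's real layout): 32-byte input buffer directly
 * followed by the 8-byte saved-%r14 slot, big-endian as on s390 (MSB first). */
#define BUF_LEN   32
#define FRAME_LEN (BUF_LEN + 8)
#define MEM_SIZE  0x0000000100000000ULL   /* assumed size of real storage */
bool is_valid_return_address(uint64_t r14) { return r14 < MEM_SIZE; }

static uint64_t load_be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}
static void store_be64(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (56 - 8 * i));
}

/* Unbounded string copy into the buffer (the bug class under discussion);
 * returns the saved %r14 as the loader would read it back afterwards. */
uint64_t r14_after_overflow(const char *payload, uint64_t original_r14)
{
    uint8_t frame[FRAME_LEN] = {0};
    store_be64(frame + BUF_LEN, original_r14);
    size_t n = strlen(payload) + 1;            /* data plus terminating NUL */
    if (n > FRAME_LEN) n = FRAME_LEN;          /* keep the model in bounds */
    memcpy(frame, payload, n);                 /* copies low address upwards */
    return load_be64(frame + BUF_LEN);
}

/* Exhaustive check over uniform non-NUL payloads of every length: can the
 * overflow change %r14 yet keep it inside real storage? Mixed payloads do no
 * better: the first slot byte hit is the MSB, so either a non-NUL byte lands
 * there (beyond storage, program check) or the NUL does (copy stops). */
bool redirect_possible(uint64_t original_r14)
{
    char payload[FRAME_LEN + 1];
    for (int byte = 1; byte < 256; byte++)
        for (size_t len = 0; len <= FRAME_LEN; len++) {
            memset(payload, byte, len); payload[len] = '\0';
            uint64_t r14 = r14_after_overflow(payload, original_r14);
            if (r14 != original_r14 && is_valid_return_address(r14))
                return true;
        }
    return false;
}
```

The model deliberately ignores the loader's real frame layout; it only shows why a NUL-terminated overflow on a big-endian target either leaves the saved return address alone or pushes it beyond real storage.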