[ipxe-devel] memory corruption with embedded script as initrd

Michael Brown mbrown at fensystems.co.uk
Thu Feb 9 16:54:50 UTC 2012

On Wednesday 08 Feb 2012 01:24:09 Till Straumann wrote:
> When I used a script ('embedded' via the initrd method)
> then I observed hangs or crashes.
> I tracked this down to memory corruption due to the following:
> arch/i386/core/runtime.c
> allocates and registers an image for the embedded script
> from 'inird_init()' which is a 'init_fn'.
> Since the data area for this image is allocated via
> umalloc() the heap 'lazy-init' kicks in at this point.
> (arch/i386/interface/pcbios/memtop_umalloc.c)
> However, this seems too early since now the entire (bios-reported)
> memory which includes everything used/occupied by ipxe itself
> is used by the heap.
> It seems to me that using umalloc() can only safely
> be called after 'hide_etherboot()' (arch/i386/firmware/pcbios/hidemem.c)
> has constrained the reported memory to exclude the areas
> used by iPXE. Note that 'hide_etherboot()' is a 'startup_fn'
> and as such is only called *after* all 'init_fn's (and thus
> 'initrd_init()').
> Once I converted 'initrd_init()' from a 'init_fn' to a
> __startup_fn( STARTUP_NORMAL ) everything worked fine.

Thanks for debugging this.  I've committed what I think ought to be the 
"correct" fix:


I can't think of a circumstance in which it would be problematic to scan for 
the command line at startup time rather than initialisation time, so I kept it 
simple and moved both cmdline and initrd to startup.

Image unregistration is tricky, since the image may have already been 
unregistered (and freed) by the time iPXE exits (e.g. via the "imgfree" 
command).  I preserved the existing behaviour, which leaves the images 
registered unless explicitly freed by "imgfree".



More information about the ipxe-devel mailing list