From b947527941b17c8f4a31f95dfa114e467ba1325d Mon Sep 17 00:00:00 2001 From: Cédric VINCENT Date: Wed, 1 Jun 2011 14:36:38 +0200 Subject: linux-user: Fix the load of ELF files that have no "useful" symbol MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patch fixes a "double free()" due to "realloc(syms, 0)" in the loader when the ELF file has no "useful" symbol, as with the following example (compiled with "sh4-linux-gcc -nostdlib"): .text .align 1 .global _start _start: mov #1, r3 trapa #40 // syscall(__NR_exit) nop The bug appears when the log (option "-d") is enabled. Signed-off-by: Cédric VINCENT Signed-off-by: Yves JANIN Signed-off-by: Riku Voipio Reviewed-by: Richard Henderson --- linux-user/elfload.c | 34 +++++++++++++++++++--------------- 1 file changed, 19 insertions(+), 15 deletions(-) (limited to 'linux-user/elfload.c') diff --git a/linux-user/elfload.c b/linux-user/elfload.c index dcfeb7a286..a4aabd5ca1 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -1643,9 +1643,9 @@ static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias) { int i, shnum, nsyms, sym_idx = 0, str_idx = 0; struct elf_shdr *shdr; - char *strings; - struct syminfo *s; - struct elf_sym *syms, *new_syms; + char *strings = NULL; + struct syminfo *s = NULL; + struct elf_sym *new_syms, *syms = NULL; shnum = hdr->e_shnum; i = shnum * sizeof(struct elf_shdr); @@ -1670,24 +1670,19 @@ static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias) /* Now know where the strtab and symtab are. Snarf them. */ s = malloc(sizeof(*s)); if (!s) { - return; + goto give_up; } i = shdr[str_idx].sh_size; s->disas_strtab = strings = malloc(i); if (!strings || pread(fd, strings, i, shdr[str_idx].sh_offset) != i) { - free(s); - free(strings); - return; + goto give_up; } i = shdr[sym_idx].sh_size; syms = malloc(i); if (!syms || pread(fd, syms, i, shdr[sym_idx].sh_offset) != i) { - free(s); - free(strings); - free(syms); - return; + goto give_up; } nsyms = i / sizeof(struct elf_sym); @@ -1710,16 +1705,18 @@ static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias) } } + /* No "useful" symbol. */ + if (nsyms == 0) { + goto give_up; + } + /* Attempt to free the storage associated with the local symbols that we threw away. Whether or not this has any effect on the memory allocation depends on the malloc implementation and how many symbols we managed to discard. */ new_syms = realloc(syms, nsyms * sizeof(*syms)); if (new_syms == NULL) { - free(s); - free(syms); - free(strings); - return; + goto give_up; } syms = new_syms; @@ -1734,6 +1731,13 @@ static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias) s->lookup_symbol = lookup_symbolxx; s->next = syminfos; syminfos = s; + + return; + +give_up: + free(s); + free(strings); + free(syms); } int load_elf_binary(struct linux_binprm * bprm, struct target_pt_regs * regs, -- cgit 1.4.1 From f3ed1f5d476bfc18c4b2e27bf2386f54c98561f1 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Tue, 17 May 2011 13:34:46 +0100 Subject: linux-user: Handle images where lowest vaddr is not page aligned Fix a bug in the linux-user ELF loader code where it was not correctly handling images where the lowest vaddr to be loaded was not page aligned. The problem was that the code to probe for a suitable guest base address was changing the 'loaddr' variable (by rounding it to a page boundary), which meant that the load bias would then be incorrectly calculated unless loaddr happened to already be page-aligned. Binaries generated by gcc with the default linker script do start with a loadable segment at a page-aligned vaddr, so were unaffected. This bug was noticed with a binary created by the Google Go toolchain for ARM. We fix the bug by refactoring the "probe for guest base" code out into its own self-contained function. Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/elfload.c | 130 +++++++++++++++++++++++++++++---------------------- 1 file changed, 73 insertions(+), 57 deletions(-) (limited to 'linux-user/elfload.c') diff --git a/linux-user/elfload.c b/linux-user/elfload.c index a4aabd5ca1..a13eb7be62 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -1288,6 +1288,78 @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc, return sp; } +static void probe_guest_base(const char *image_name, + abi_ulong loaddr, abi_ulong hiaddr) +{ + /* Probe for a suitable guest base address, if the user has not set + * it explicitly, and set guest_base appropriately. + * In case of error we will print a suitable message and exit. + */ +#if defined(CONFIG_USE_GUEST_BASE) + const char *errmsg; + if (!have_guest_base && !reserved_va) { + unsigned long host_start, real_start, host_size; + + /* Round addresses to page boundaries. */ + loaddr &= qemu_host_page_mask; + hiaddr = HOST_PAGE_ALIGN(hiaddr); + + if (loaddr < mmap_min_addr) { + host_start = HOST_PAGE_ALIGN(mmap_min_addr); + } else { + host_start = loaddr; + if (host_start != loaddr) { + errmsg = "Address overflow loading ELF binary"; + goto exit_errmsg; + } + } + host_size = hiaddr - loaddr; + while (1) { + /* Do not use mmap_find_vma here because that is limited to the + guest address space. We are going to make the + guest address space fit whatever we're given. */ + real_start = (unsigned long) + mmap((void *)host_start, host_size, PROT_NONE, + MAP_ANONYMOUS | MAP_PRIVATE | MAP_NORESERVE, -1, 0); + if (real_start == (unsigned long)-1) { + goto exit_perror; + } + if (real_start == host_start) { + break; + } + /* That address didn't work. Unmap and try a different one. + The address the host picked because is typically right at + the top of the host address space and leaves the guest with + no usable address space. Resort to a linear search. We + already compensated for mmap_min_addr, so this should not + happen often. Probably means we got unlucky and host + address space randomization put a shared library somewhere + inconvenient. */ + munmap((void *)real_start, host_size); + host_start += qemu_host_page_size; + if (host_start == loaddr) { + /* Theoretically possible if host doesn't have any suitably + aligned areas. Normally the first mmap will fail. */ + errmsg = "Unable to find space for application"; + goto exit_errmsg; + } + } + qemu_log("Relocating guest address space from 0x" + TARGET_ABI_FMT_lx " to 0x%lx\n", + loaddr, real_start); + guest_base = real_start - loaddr; + } + return; + +exit_perror: + errmsg = strerror(errno); +exit_errmsg: + fprintf(stderr, "%s: %s\n", image_name, errmsg); + exit(-1); +#endif +} + + /* Load an ELF image into the address space. IMAGE_NAME is the filename of the image, to use in error messages. @@ -1373,63 +1445,7 @@ static void load_elf_image(const char *image_name, int image_fd, /* This is the main executable. Make sure that the low address does not conflict with MMAP_MIN_ADDR or the QEMU application itself. */ -#if defined(CONFIG_USE_GUEST_BASE) - /* - * In case where user has not explicitly set the guest_base, we - * probe here that should we set it automatically. - */ - if (!have_guest_base && !reserved_va) { - unsigned long host_start, real_start, host_size; - - /* Round addresses to page boundaries. */ - loaddr &= qemu_host_page_mask; - hiaddr = HOST_PAGE_ALIGN(hiaddr); - - if (loaddr < mmap_min_addr) { - host_start = HOST_PAGE_ALIGN(mmap_min_addr); - } else { - host_start = loaddr; - if (host_start != loaddr) { - errmsg = "Address overflow loading ELF binary"; - goto exit_errmsg; - } - } - host_size = hiaddr - loaddr; - while (1) { - /* Do not use mmap_find_vma here because that is limited to the - guest address space. We are going to make the - guest address space fit whatever we're given. */ - real_start = (unsigned long) - mmap((void *)host_start, host_size, PROT_NONE, - MAP_ANONYMOUS | MAP_PRIVATE | MAP_NORESERVE, -1, 0); - if (real_start == (unsigned long)-1) { - goto exit_perror; - } - if (real_start == host_start) { - break; - } - /* That address didn't work. Unmap and try a different one. - The address the host picked because is typically right at - the top of the host address space and leaves the guest with - no usable address space. Resort to a linear search. We - already compensated for mmap_min_addr, so this should not - happen often. Probably means we got unlucky and host - address space randomization put a shared library somewhere - inconvenient. */ - munmap((void *)real_start, host_size); - host_start += qemu_host_page_size; - if (host_start == loaddr) { - /* Theoretically possible if host doesn't have any suitably - aligned areas. Normally the first mmap will fail. */ - errmsg = "Unable to find space for application"; - goto exit_errmsg; - } - } - qemu_log("Relocating guest address space from 0x" - TARGET_ABI_FMT_lx " to 0x%lx\n", loaddr, real_start); - guest_base = real_start - loaddr; - } -#endif + probe_guest_base(image_name, loaddr, hiaddr); } load_bias = load_addr - loaddr; -- cgit 1.4.1 From 14322bad88c46e41b962ff8f4a6f524dd883670c Mon Sep 17 00:00:00 2001 From: Laurent ALFONSI Date: Mon, 20 Jun 2011 08:43:13 +0200 Subject: linux-user: Define AT_RANDOM to support target stack protection mechanism. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The dynamic linker from the GNU C library v2.10+ uses the ELF auxiliary vector AT_RANDOM [1] as a pointer to 16 bytes with random values to initialize the stack protection mechanism. Technically the emulated GNU dynamic linker crashes due to a NULL pointer derefencement if it is built with stack protection enabled and if AT_RANDOM is not defined by the QEMU ELF loader. [1] This ELF auxiliary vector was introduced in Linux v2.6.29. This patch can be tested with the code above: #include /* Elf*_auxv_t, AT_RANDOM, */ #include /* printf(3), */ #include /* exit(3), EXIT_*, */ #include /* uint8_t, */ #include /* memcpy(3), */ #if defined(__LP64__) || defined(__ILP64__) || defined(__LLP64__) # define Elf_auxv_t Elf64_auxv_t #else # define Elf_auxv_t Elf32_auxv_t #endif main(int argc, char* argv[], char* envp[]) { Elf_auxv_t *auxv; /* *envp = NULL marks end of envp. */ while (*envp++ != NULL); /* auxv->a_type = AT_NULL marks the end of auxv. */ for (auxv = (Elf_auxv_t *)envp; auxv->a_type != AT_NULL; auxv++) { if (auxv->a_type == AT_RANDOM) { int i; uint8_t rand_bytes[16]; printf("AT_RANDOM is: 0x%x\n", auxv->a_un.a_val); memcpy(rand_bytes, (const uint8_t *)auxv->a_un.a_val, sizeof(rand_bytes)); printf("it points to: "); for (i = 0; i < 16; i++) { printf("0x%02x ", rand_bytes[i]); } printf("\n"); exit(EXIT_SUCCESS); } } exit(EXIT_FAILURE); } Changes introduced in v2 and v3: * Fix typos + thinko (AT_RANDOM is used for stack canary, not for ASLR) * AT_RANDOM points to 16 random bytes stored inside the user stack. * Add a small test program. Signed-off-by: Cédric VINCENT Signed-off-by: Laurent ALFONSI Signed-off-by: Riku Voipio --- linux-user/elfload.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) (limited to 'linux-user/elfload.c') diff --git a/linux-user/elfload.c b/linux-user/elfload.c index a13eb7be62..b2746f2558 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -927,7 +927,7 @@ struct exec #define TARGET_ELF_PAGESTART(_v) ((_v) & ~(unsigned long)(TARGET_ELF_EXEC_PAGESIZE-1)) #define TARGET_ELF_PAGEOFFSET(_v) ((_v) & (TARGET_ELF_EXEC_PAGESIZE-1)) -#define DLINFO_ITEMS 12 +#define DLINFO_ITEMS 13 static inline void memcpy_fromfs(void * to, const void * from, unsigned long n) { @@ -1202,6 +1202,9 @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc, { abi_ulong sp; int size; + int i; + abi_ulong u_rand_bytes; + uint8_t k_rand_bytes[16]; abi_ulong u_platform; const char *k_platform; const int n = sizeof(elf_addr_t); @@ -1231,6 +1234,20 @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc, /* FIXME - check return value of memcpy_to_target() for failure */ memcpy_to_target(sp, k_platform, len); } + + /* + * Generate 16 random bytes for userspace PRNG seeding (not + * cryptically secure but it's not the aim of QEMU). + */ + srand((unsigned int) time(NULL)); + for (i = 0; i < 16; i++) { + k_rand_bytes[i] = rand(); + } + sp -= 16; + u_rand_bytes = sp; + /* FIXME - check return value of memcpy_to_target() for failure */ + memcpy_to_target(sp, k_rand_bytes, 16); + /* * Force 16 byte _final_ alignment here for generality. */ @@ -1271,6 +1288,8 @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc, NEW_AUX_ENT(AT_EGID, (abi_ulong) getegid()); NEW_AUX_ENT(AT_HWCAP, (abi_ulong) ELF_HWCAP); NEW_AUX_ENT(AT_CLKTCK, (abi_ulong) sysconf(_SC_CLK_TCK)); + NEW_AUX_ENT(AT_RANDOM, (abi_ulong) u_rand_bytes); + if (k_platform) NEW_AUX_ENT(AT_PLATFORM, u_platform); #ifdef ARCH_DLINFO -- cgit 1.4.1