From: "Roger Pau Monné" <royger@MacBook-Pro-de-Roger.local>
To: xen-devel@lists.xenproject.org
Cc: Stefano Stabellini <sstabellini@kernel.org>,
Wei Liu <wei.liu2@citrix.com>,
George Dunlap <George.Dunlap@eu.citrix.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Brian Marcotte <marcotte@panix.com>,
Ian Jackson <ian.jackson@eu.citrix.com>, Tim Deegan <tim@xen.org>,
Jan Beulich <jbeulich@suse.com>,
Roger Pau Monne <roger.pau@citrix.com>
Subject: [PATCH v2 XSA-followup for-4.8] libelf: fix symtab/strtab loading for 32bit domains
Date: Wed, 23 Nov 2016 12:26:14 +0000 [thread overview]
Message-ID: <20161123122614.1255-1-royger@MacBook-Pro-de-Roger.local> (raw)
From: Roger Pau Monne <roger.pau@citrix.com>
Commit ed04ca introduced a bug in the symtab/strtab loading for 32bit
guests, that corrupted the section headers array due to the padding
introduced by the elf_shdr union.
The Elf section header array on 32bit should be accessible as an array of
Elf32_Shdr elements, and the union with Elf64_Shdr done in elf_shdr was
breaking this due to size differences between Elf32_Shdr and Elf64_Shdr.
Fix this by copying each section header one by one, and using the proper
size depending on the bitness of the guest kernel. While there, also fix
a couple of consistency issues, by making sure we always use the sizes of
our local versions of the ELF header and the ELF sections headers.
Reported-by: Brian Marcotte <marcotte@panix.com>
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
Cc: Brian Marcotte <marcotte@panix.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <George.Dunlap@eu.citrix.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>
Cc: Tim Deegan <tim@xen.org>
Cc: Wei Liu <wei.liu2@citrix.com>
---
Should be backported to Xen 4.7 stable branch.
---
Changes since v5:
- Fix rebase issues. It seems like a chunk of the patch was lost during the
rebase to staging.
Changes since v4:
- Fix consistency issues: make sure the sizes of our local copy of the ELF
header and the ELF section headers are always used.
Changes since v3:
- Move the definition of elf_sym_header into libelf-loader.c.
Changes since v2:
- Use offsetof to correctly account for the memory used by the elf header.
Changes since v1:
- No need to calculate shdr_size again, it's already fetched from the
original elf header.
- Remove shdr variable.
- Use offsetof instead of subtracting two sizeofs.
- Fix elf_parse_bsdsyms so that it takes into account the size of elf_ehdr
instead of the size of the native elf header.
---
xen/common/libelf/libelf-loader.c | 78 ++++++++++++++++++++++++++++-----------
1 file changed, 57 insertions(+), 21 deletions(-)
diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
index d67e0a7..4e12a71 100644
--- a/xen/common/libelf/libelf-loader.c
+++ b/xen/common/libelf/libelf-loader.c
@@ -21,10 +21,17 @@
#include "libelf-private.h"
+/* ------------------------------------------------------------------------ */
+
/* Number of section header needed in order to fit the SYMTAB and STRTAB. */
#define ELF_BSDSYM_SECTIONS 3
-
-/* ------------------------------------------------------------------------ */
+struct elf_sym_header {
+ uint32_t size;
+ struct {
+ elf_ehdr header;
+ elf_shdr section[ELF_BSDSYM_SECTIONS];
+ } elf_header;
+} __attribute__((packed));
elf_errorstatus elf_init(struct elf_binary *elf, const char *image_input, size_t size)
{
@@ -172,9 +179,10 @@ void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart)
/* Space to store the size of the elf image */
sz = sizeof(uint32_t);
- /* Space for the elf and elf section headers */
- sz += elf_uval(elf, elf->ehdr, e_ehsize) +
- ELF_BSDSYM_SECTIONS * elf_uval(elf, elf->ehdr, e_shentsize);
+ /* Space for the ELF header and section headers */
+ sz += offsetof(struct elf_sym_header, elf_header.section) +
+ ELF_BSDSYM_SECTIONS * (elf_64bit(elf) ? sizeof(Elf64_Shdr) :
+ sizeof(Elf32_Shdr));
sz = elf_round_up(elf, sz);
/*
@@ -251,18 +259,11 @@ static void elf_load_bsdsyms(struct elf_binary *elf)
* strtab, so we only need three section headers in our fake ELF
* header (first section header is always the undefined section).
*/
- struct {
- uint32_t size;
- struct {
- elf_ehdr header;
- elf_shdr section[ELF_BSDSYM_SECTIONS];
- } __attribute__((packed)) elf_header;
- } __attribute__((packed)) header;
-
+ struct elf_sym_header header;
ELF_HANDLE_DECL(elf_ehdr) header_handle;
- unsigned long shdr_size;
+ unsigned long shdr_size, ehdr_size, header_size;
ELF_HANDLE_DECL(elf_shdr) section_handle;
- unsigned int link, rc;
+ unsigned int link, rc, i;
elf_ptrval header_base;
elf_ptrval elf_header_base;
elf_ptrval symtab_base;
@@ -297,12 +298,28 @@ do { \
sizeof(uint32_t);
symtab_base = elf_round_up(elf, header_base + sizeof(header));
+ /*
+ * Set the size of the ELF header and the section headers, based on the
+ * size of our local copy.
+ */
+ ehdr_size = elf_64bit(elf) ? sizeof(header.elf_header.header.e64) :
+ sizeof(header.elf_header.header.e32);
+ shdr_size = elf_64bit(elf) ? sizeof(header.elf_header.section[0].e64) :
+ sizeof(header.elf_header.section[0].e32);
+
/* Fill the ELF header, copied from the original ELF header. */
header_handle = ELF_MAKE_HANDLE(elf_ehdr,
ELF_REALPTR2PTRVAL(&header.elf_header.header));
elf_memcpy_safe(elf, ELF_HANDLE_PTRVAL(header_handle),
- ELF_HANDLE_PTRVAL(elf->ehdr),
- elf_uval(elf, elf->ehdr, e_ehsize));
+ ELF_HANDLE_PTRVAL(elf->ehdr), ehdr_size);
+
+ /*
+ * Set the ELF header size, section header entry size and version
+ * (in case we are dealing with an input ELF header that has extensions).
+ */
+ elf_store_field_bitness(elf, header_handle, e_ehsize, ehdr_size);
+ elf_store_field_bitness(elf, header_handle, e_shentsize, shdr_size);
+ elf_store_field_bitness(elf, header_handle, e_version, EV_CURRENT);
/* Set the offset to the shdr array. */
elf_store_field_bitness(elf, header_handle, e_shoff,
@@ -315,8 +332,7 @@ do { \
elf_store_field_bitness(elf, header_handle, e_phoff, 0);
elf_store_field_bitness(elf, header_handle, e_phentsize, 0);
elf_store_field_bitness(elf, header_handle, e_phnum, 0);
-
- shdr_size = elf_uval(elf, elf->ehdr, e_shentsize);
+ elf_store_field_bitness(elf, header_handle, e_shstrndx, 0);
/*
* The symtab section header is going to reside in section[SYMTAB_INDEX],
@@ -387,15 +403,35 @@ do { \
header.size = strtab_base + elf_uval(elf, section_handle, sh_size) -
elf_header_base;
- /* Load the headers. */
+ /* Load the size plus ELF header. */
+ header_size = offsetof(typeof(header), elf_header.section);
rc = elf_load_image(elf, header_base, ELF_REALPTR2PTRVAL(&header),
- sizeof(header), sizeof(header));
+ header_size, header_size);
if ( rc != 0 )
{
elf_mark_broken(elf, "unable to load ELF headers into guest memory");
return;
}
+ /*
+ * Load the section headers.
+ *
+ * NB: this _must_ be done one by one, and taking the bitness into account,
+ * so that the guest can treat this as an array of type Elf{32/64}_Shdr.
+ */
+ for ( i = 0; i < ELF_BSDSYM_SECTIONS; i++ )
+ {
+ rc = elf_load_image(elf, header_base + header_size + shdr_size * i,
+ ELF_REALPTR2PTRVAL(&header.elf_header.section[i]),
+ shdr_size, shdr_size);
+ if ( rc != 0 )
+ {
+ elf_mark_broken(elf,
+ "unable to load ELF section header into guest memory");
+ return;
+ }
+ }
+
/* Remove permissions from elf_memcpy_safe. */
elf_set_xdest(elf, NULL, 0);
--
2.9.3 (Apple Git-75)
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next reply other threads:[~2016-11-23 12:26 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-23 12:26 Roger Pau Monné [this message]
2016-11-23 12:27 [PATCH v2 XSA-followup for-4.8] libelf: fix symtab/strtab loading for 32bit domains Roger Pau Monne
2016-11-23 13:13 ` Wei Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161123122614.1255-1-royger@MacBook-Pro-de-Roger.local \
--to=royger@macbook-pro-de-roger.local \
--cc=George.Dunlap@eu.citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=jbeulich@suse.com \
--cc=marcotte@panix.com \
--cc=roger.pau@citrix.com \
--cc=sstabellini@kernel.org \
--cc=tim@xen.org \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.