Re: [PATCH v5 09/28] xsplice: Add helper elf routines

[Konrad Rzeszutek Wilk <konrad@kernel.org>]

> > +static int elf_resolve_sections(struct xsplice_elf *elf, const void *data)
> > +{
.. snip..
> > +    /* N.B. We also will ingest SHN_UNDEF sections. */
> 
> Because of? The meaning of the fields in the 0-th section header is
> different from that of ordinary ones.
> 
> > +    for ( i = 0; i < elf->hdr->e_shnum; i++ )

The reason for this is not obvious .. In the payload loading patch I
iterate over each elf->sec (starting at zero) and immediately
dereference the sh_type:
	if ( (elf->sec[i].sec->sh_flags .. )

As you can imagine if I don't set elf->sec[0].sec this blows up. Hence
the odd start at zero.

However one can as well just fix the loop in 'move_payload' to start
at 1 instead of 0 - which is what I did.

> > +    {
> > +        ssize_t delta = elf->hdr->e_shoff + i * elf->hdr->e_shentsize;
> 
> Why ssize_t? (This anyway should be a suitable ELF type.)
> 
> > +
> > +        if ( delta + sizeof(Elf_Shdr) > elf->len )
> > +        {
> > +            dprintk(XENLOG_DEBUG, "%s%s: Section header [%d] is past end of payload!\n",
> > +                    XSPLICE, elf->name, i);
> 
> XSPLICE is a string literal, so should be prepended to the format
> string instead of forced through %s. And %u please for unsigned
> arguments.
> 
> Also this check doesn't need doing inside the loop - you can simply
> check once (using e_shnum) that the entire section table is valid.
> 
> > +            return -EINVAL;
> > +        }
> > +
> > +        sec[i].sec = (Elf_Shdr *)(data + delta);
> 
> Pointless cast bogusly casting away constness.
> 
> > +        delta = sec[i].sec->sh_offset;
> > +
> > +        if ( delta > elf->len )
> 
> This is relevant only for sections having non-zero size. And then you of
> course need to take size into account when dong the bounds check.
> 
> > +        {
> > +            dprintk(XENLOG_DEBUG, "%s%s: Section [%d] data is past end of payload!\n",
> > +                    XSPLICE, elf->name, i);
> > +            return -EINVAL;
> > +        }
> > +
> > +        sec[i].data = data + delta;
> > +        /* Name is populated in xsplice_elf_sections_name. */
> > +        sec[i].name = NULL;
> > +
> > +        if ( sec[i].sec->sh_type == SHT_SYMTAB )
> > +        {
> > +            if ( elf->symtab )
> > +            {
> > +                dprintk(XENLOG_DEBUG, "%s%s: Multiple symbol tables!\n",
> > +                        XSPLICE, elf->name);
> > +                return -EINVAL;
> 
> There's nothing invalid about this, it's simply unsupported by the
> implementation (read: a better error code please).
> 
> > +            }
> > +
> > +            elf->symtab = &sec[i];
> > +
> > +            /*
> > +             * elf->symtab->sec->sh_link would point to the right section
> > +             * but we hadn't finished parsing all the sections.
> > +             */
> > +            if ( elf->symtab->sec->sh_link > elf->hdr->e_shnum )
> 
> >=
> 
> > +            {
> > +                dprintk(XENLOG_DEBUG, "%s%s: Symbol table idx (%d) to strtab past end (%d)\n",
> > +                        XSPLICE, elf->name, elf->symtab->sec->sh_link,
> > +                        elf->hdr->e_shnum);
> > +                return -EINVAL;
> > +            }
> > +        }
> > +    }
> > +
> > +    if ( !elf->symtab )
> > +    {
> > +        dprintk(XENLOG_DEBUG, "%s%s: No symbol table found!\n",
> > +                XSPLICE, elf->name);
> > +        return -EINVAL;
> > +    }
> > +
> > +    /* There can be multiple SHT_STRTAB so pick the right one. */
> > +    elf->strtab = &sec[elf->symtab->sec->sh_link];
> 
> How about checking this really is a SHT_STRTAB section?
> 
> > +    if ( !elf->symtab->sec->sh_size || !elf->symtab->sec->sh_entsize ||
> > +         elf->symtab->sec->sh_entsize != sizeof(Elf_Sym) )
> 
> The first sh_entsize check is redundant with the second, and the
> second is too strict (< suffices).
> 
> Also shouldn't the string table section also have at least non-zero
> size? And its first and last bytes be NUL?
> 
> > +static int elf_resolve_section_names(struct xsplice_elf *elf, const void *data)
> > +{
> > +    const char *shstrtab;
> > +    unsigned int i;
> > +    unsigned int offset, delta;
> > +
> > +    /*
> > +     * The elf->sec[0 -> e_shnum] structures have been verified by
> > +     * elf_resolve_sections. Find file offset for section string table.
> > +     */
> > +    offset =  elf->sec[elf->hdr->e_shstrndx].sec->sh_offset;
> 
> Truncating the value on 64-bit ELF.
> 
> > +    if ( offset > elf->len )
> > +    {
> > +        dprintk(XENLOG_DEBUG, "%s%s: shstrtab section offset (%u) past end of payload!\n",
> > +                XSPLICE, elf->name, elf->hdr->e_shstrndx);
> > +        return -EINVAL;
> > +    }
> > +
> > +    shstrtab = (data + offset);
> 
> Pointless parentheses.
> 
> > +    /* We could ignore the first as it is reserved.. */
> 
> Double full stop.
> 
> > +    for ( i = 0; i < elf->hdr->e_shnum; i++ )
> > +    {
> > +        delta = elf->sec[i].sec->sh_name;
> > +
> > +        if ( offset + delta > elf->len )
> 
> This is too weak: After having bounds checked the string table section
> to be inside the image, you now need to bounds check the string offset
> to be inside the string table. Also it seems (just like above) you
> no-where check that the referenced section actually is a string table.
> 
> > +static int elf_get_sym(struct xsplice_elf *elf, const void *data)
> > +{
> > +    struct xsplice_elf_sec *symtab_sec, *strtab_sec;
> > +    struct xsplice_elf_sym *sym;
> > +    unsigned int i, delta, offset, nsym;
> > +
> > +    symtab_sec = elf->symtab;
> > +    strtab_sec = elf->strtab;
> > +
> > +    /* Pointers arithmetic to get file offset. */
> > +    offset = strtab_sec->data - data;
> > +
> > +    ASSERT(offset == strtab_sec->sec->sh_offset);
> > +
> > +    /* symtab_sec->data was computed in elf_resolve_sections. */
> > +    ASSERT((symtab_sec->sec->sh_offset + data) == symtab_sec->data);
> > +
> > +    /* No need to check values as elf_resolve_sections did it. */
> > +    nsym = symtab_sec->sec->sh_size / symtab_sec->sec->sh_entsize;
> > +
> > +    sym = xmalloc_array(struct xsplice_elf_sym, nsym);
> > +    if ( !sym )
> > +    {
> > +        printk(XENLOG_ERR "%s%s: Could not allocate memory for symbols\n",
> > +               XSPLICE, elf->name);
> > +        return -ENOMEM;
> > +    }
> > +
> > +    /* So we don't leak memory. */
> > +    elf->sym = sym;
> > +    for ( i = 0; i < nsym; i++ )
> 
> As with sections, the 0th symbol table entry is special too.
> 
> > +    {
> > +        Elf_Sym *s;
> > +
> > +        if ( i * sizeof(Elf_Sym) > elf->len )
> 
> Considering that we know the symbol table section is within bounds,
> I don't think this check does any good. Plus it ought to be adding 1
> to i and take the section file offset into account.
> 
> > +        {
> > +            dprintk(XENLOG_DEBUG, "%s%s: Symbol header [%d] is past end of  payload!\n",
> > +                    XSPLICE, elf->name, i);
> > +            return -EINVAL;
> > +        }
> > +
> > +        s = &((Elf_Sym *)symtab_sec->data)[i];
> > +
> > +        /* If st->name is STN_UNDEF is zero, the check will always be true. */
> 
> Odd double use of "is".
> 
> > +        delta = s->st_name;
> > +
> > +        /* Offset has been computed earlier. */
> > +        if ( offset + delta > elf->len )
> 
> This should again check against the string table size and again use >= .

I reworked this a bit (borrowed your idea of checking the full size of
the section before the loop) - which removes the need to check
the offset.

What I ended up is something much simpler (as I know the offset
is OK - I just need to check that the delta is within the section):
	if ( delta && (delta > strtab_sec->sec->sec_sh_size) )
		..

The offset gets (in the new patchset) checked in elf_resolve_section.

Albeit I am not sure about the >= instead of >, .. I need to think of
that.

.. snip..
> > +void xsplice_elf_free(struct xsplice_elf *elf)
> > +{
> > +    xfree(elf->sec);
> > +    elf->sec = NULL;
> > +    xfree(elf->sym);
> > +    elf->sym = NULL;
> > +    elf->nsym = 0;
> > +    elf->name = NULL;
> > +    elf->len = 0;
> > +}
> 
> Instead of zeroing these fields, wouldn't it make sense to simply
> xfree(elf) as the last action here?

The  struct xsplice_elf is allocated on the stack (in the next
patch).

> > --- /dev/null
> > +++ b/xen/include/xen/xsplice_elf.h
.. snip..
> > +struct xsplice_elf_sym {
> > +    Elf_Sym *sym;
> 
> const?

.. this is much harder. I end up computing the values for
these symbols and have to write to this this structure a couple of times
(at worst).
> 
> > +    const char *name;
> > +};
> > +
> > +struct xsplice_elf {
> > +    const char *name;              /* Pointer to payload->name. */
> > +    ssize_t len;                   /* Length of the ELF file. */
> 
> Why ssize_t?

Made it 'size_t'
> 
> > +    Elf_Ehdr *hdr;                 /* ELF file. */
> > +    struct xsplice_elf_sec *sec;   /* Array of sections, allocated by us. */
> > +    struct xsplice_elf_sym *sym;   /* Array of symbols , allocated by us. */
> > +    unsigned int nsym;
> > +    struct xsplice_elf_sec *symtab;/* Pointer to .symtab section - aka to sec[x]. */
> > +    struct xsplice_elf_sec *strtab;/* Pointer to .strtab section - aka to sec[y]. */
> 
> Many times - const?

I have made the symtab and strtab const, but the 'sec' and 'sym'
I can't easily. There are many instances where I poke in the
section (like for ELF relocations) and have to modify this.

I can do some casting but it gets a bit .. messy.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel