From patchwork Wed Oct 5 15:11:47 2016
X-Patchwork-Submitter: Roger Pau Monné
X-Patchwork-Id: 9363125
From: Roger Pau Monne
Date: Wed, 5 Oct 2016 17:11:47 +0200
Message-ID: <1475680307-66003-1-git-send-email-roger.pau@citrix.com>
Cc: Stefano Stabellini, Wei Liu, George Dunlap, Andrew Cooper, Brian Marcotte, Ian Jackson, Tim Deegan, Jan Beulich, Roger Pau Monne
Subject: [Xen-devel] [PATCH for-4.8] libelf: fix symtab/strtab loading for 32bit domains

Commit ed04ca introduced a bug in the symtab/strtab loading for 32bit guests, that corrupted the section headers array due to the padding introduced by the elf_shdr union.

The Elf section header array on 32bit should be accessible as an array of Elf32_Shdr elements, and the union with Elf64_Shdr done in elf_shdr was breaking this due to size differences between Elf32_Shdr and Elf64_Shdr.

Fix this by copying each section header one by one, and using the proper size depending on the bitness of the guest kernel.

Reported-by: Brian Marcotte
Signed-off-by: Roger Pau Monné
---
Cc: Brian Marcotte
Cc: Andrew Cooper
Cc: George Dunlap
Cc: Ian Jackson
Cc: Jan Beulich
Cc: Konrad Rzeszutek Wilk
Cc: Stefano Stabellini
Cc: Tim Deegan
Cc: Wei Liu
---
Should be backported to Xen 4.7 stable branch.
---
 xen/common/libelf/libelf-loader.c | 34 ++++++++++++++++++++++++++++++----
 1 file changed, 30 insertions(+), 4 deletions(-)

diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
index 2626a40..3faff62 100644
--- a/xen/common/libelf/libelf-loader.c
+++ b/xen/common/libelf/libelf-loader.c
@@ -262,13 +262,14 @@ static void elf_load_bsdsyms(struct elf_binary *elf) } __attribute__((packed)) header; ELF_HANDLE_DECL(elf_ehdr) header_handle; - unsigned long shdr_size; + unsigned long shdr_size, ehdr_size; ELF_HANDLE_DECL(elf_shdr) section_handle; - unsigned int link, rc; + unsigned int link, rc, i; elf_ptrval header_base; elf_ptrval elf_header_base; elf_ptrval symtab_base; elf_ptrval strtab_base; + void *shdr; if ( !elf->bsd_symtab_pstart ) return; @@ -394,15 +395,40 @@ do { \ header.size = strtab_base + elf_uval(elf, section_handle, sh_size) - elf_header_base; - /* Load the headers. */ + /* Load the size plus elf header. */ + ehdr_size = sizeof(header) - sizeof(header.elf_header.section); rc = elf_load_image(elf, header_base, ELF_REALPTR2PTRVAL(&header), - sizeof(header), sizeof(header)); + ehdr_size, ehdr_size); if ( rc != 0 ) { elf_mark_broken(elf, "unable to load ELF headers into guest memory"); return; } + /* + * Load the section headers. + * + * NB: this _must_ be done one by one, and taking the bitness into account, + * so that the guest can treat this as an array of type Elf{32/64}_Shdr. + */ + shdr_size = elf_64bit(elf) ? sizeof(Elf64_Shdr) : sizeof(Elf32_Shdr); + for ( i = 0; i < ELF_BSDSYM_SECTIONS; i++ ) + { + if ( elf_64bit(elf) ) + shdr = &header.elf_header.section[i].e64; + else + shdr = &header.elf_header.section[i].e32; + + rc = elf_load_image(elf, header_base + ehdr_size + shdr_size * i, + ELF_REALPTR2PTRVAL(shdr), shdr_size, shdr_size); + if ( rc != 0 ) + { + elf_mark_broken(elf, + "unable to load ELF section header into guest memory"); + return; + } + } + /* Remove permissions from elf_memcpy_safe. */ elf->caller_xdest_base = NULL; elf->caller_xdest_size = 0;
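
Review bot: in the first hunk (the declarations at the top of elf_load_bsdsyms), `i` and `shdr` are added at function scope although only the new section-header loop uses them, and `shdr` only ever holds the address of a member of `header` that is read from, never written. If ELF_REALPTR2PTRVAL accepts it, declaring it `const void *shdr` would let the compiler flag any accidental write through the pointer.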
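
Review bot: in the second hunk, `ehdr_size = sizeof(header) - sizeof(header.elf_header.section)` is the guest offset of the section array only if `section` is the last member of the packed `header` struct, and the loop's destination `header_base + ehdr_size + shdr_size * i` depends on that. An offsetof() on the section member, or a comment or build-time assertion stating the layout assumption, would make it explicit. The new comment "Load the size plus elf header." could also say that the section array is deliberately left out of this copy and loaded by the loop that follows.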
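
The stride mismatch described in the commit message, as an added illustration that is not part of the patch or of Xen: `shdr32_t`, `shdr64_t`, `shdr_union_t`, `NSECT` and `guest_sh_type` are hypothetical stand-ins for Elf32_Shdr, Elf64_Shdr, the elf_shdr union and the loader, and the header values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for Elf32_Shdr / Elf64_Shdr (ELF spec layouts) and their union. */
typedef struct {
    uint32_t sh_name, sh_type, sh_flags, sh_addr, sh_offset,
             sh_size, sh_link, sh_info, sh_addralign, sh_entsize;
} shdr32_t;                                    /* 40 bytes */
typedef struct {
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
} shdr64_t;                                    /* 64 bytes */
typedef union { shdr32_t e32; shdr64_t e64; } shdr_union_t;

#define NSECT 3                                /* constructed section count */

/*
 * Returns the sh_type a 32-bit guest reads for section[i], striding by
 * sizeof(shdr32_t), after a block copy (0) or a per-header copy (1).
 */
uint32_t guest_sh_type(int per_header, unsigned i)
{
    shdr_union_t s[NSECT];
    uint8_t guest[sizeof(s)] = { 0 };
    shdr32_t seen;

    /* Constructed headers: sh_type = k + 1, sh_size = 0x1000 * (k + 1). */
    memset(s, 0, sizeof(s));
    for (unsigned k = 0; k < NSECT; k++) {
        s[k].e32.sh_type = k + 1;
        s[k].e32.sh_size = 0x1000 * (k + 1);
    }
    if (!per_header)            /* union stride: elements 64 bytes apart */
        memcpy(guest, s, sizeof(s));
    else                        /* guest stride: elements 40 bytes apart */
        for (unsigned k = 0; k < NSECT; k++)
            memcpy(guest + k * sizeof(shdr32_t), &s[k].e32, sizeof(shdr32_t));

    memcpy(&seen, guest + i * sizeof(shdr32_t), sizeof(seen));
    return seen.sh_type;
}

int main(void)
{
    for (unsigned i = 0; i < NSECT; i++)
        printf("section[%u].sh_type: block copy %#x, per-header copy %#x\n",
               i, guest_sh_type(0, i), guest_sh_type(1, i));
    return 0;
}
```

After the block copy only section 0 is intact: section 1 falls in the union's padding and section 2 picks up section 1's `sh_size`.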