|
|
28f7f8 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
28f7f8 |
From: Vladimir Serbinenko <phcoder@gmail.com>
|
|
|
28f7f8 |
Date: Thu, 31 Dec 2015 15:29:28 +0100
|
|
|
28f7f8 |
Subject: [PATCH] module-verifier: Check range-limited relative relocations.
|
|
|
28f7f8 |
|
|
|
28f7f8 |
Check that they point to the same module, so will end up in the same
|
|
|
28f7f8 |
chunk of memory.
|
|
|
28f7f8 |
---
|
|
|
28f7f8 |
util/grub-module-verifier.c | 19 ++++++++++---
|
|
|
28f7f8 |
util/grub-module-verifierXX.c | 62 ++++++++++++++++++++++++++++++++++--------
|
|
|
28f7f8 |
include/grub/module_verifier.h | 1 +
|
|
|
28f7f8 |
3 files changed, 67 insertions(+), 15 deletions(-)
|
|
|
28f7f8 |
|
|
|
28f7f8 |
diff --git a/util/grub-module-verifier.c b/util/grub-module-verifier.c
|
|
|
28f7f8 |
index d2d6984033c..c027f0a0fb1 100644
|
|
|
28f7f8 |
--- a/util/grub-module-verifier.c
|
|
|
28f7f8 |
+++ b/util/grub-module-verifier.c
|
|
|
28f7f8 |
@@ -15,9 +15,13 @@ struct grub_module_verifier_arch archs[] = {
|
|
|
28f7f8 |
{ "x86_64", 8, 0, EM_X86_64, GRUB_MODULE_VERIFY_SUPPORTS_RELA, (int[]){
|
|
|
28f7f8 |
R_X86_64_64,
|
|
|
28f7f8 |
R_X86_64_PC64,
|
|
|
28f7f8 |
- /* R_X86_64_32, R_X86_64_32S, R_X86_64_PC32 are supported but shouldn't be used because of their limited range. */
|
|
|
28f7f8 |
+ /* R_X86_64_32, R_X86_64_32S are supported but shouldn't be used because of their limited range. */
|
|
|
28f7f8 |
-1
|
|
|
28f7f8 |
- } },
|
|
|
28f7f8 |
+ }, (int[]){
|
|
|
28f7f8 |
+ R_X86_64_PC32,
|
|
|
28f7f8 |
+ -1
|
|
|
28f7f8 |
+ }
|
|
|
28f7f8 |
+ },
|
|
|
28f7f8 |
{ "powerpc", 4, 1, EM_PPC, GRUB_MODULE_VERIFY_SUPPORTS_RELA, (int[]){
|
|
|
28f7f8 |
GRUB_ELF_R_PPC_ADDR16_LO,
|
|
|
28f7f8 |
GRUB_ELF_R_PPC_REL24, /* It has limited range but GRUB adds trampolines when necessarry. */
|
|
|
28f7f8 |
@@ -39,17 +43,24 @@ struct grub_module_verifier_arch archs[] = {
|
|
|
28f7f8 |
} },
|
|
|
28f7f8 |
{ "ia64", 8, 0, EM_IA_64, GRUB_MODULE_VERIFY_SUPPORTS_RELA, (int[]){
|
|
|
28f7f8 |
R_IA64_PCREL21B, /* We should verify that it's pointing either
|
|
|
28f7f8 |
- to a function or to a section in the same module. */
|
|
|
28f7f8 |
+ to a function or to a section in the same module.
|
|
|
28f7f8 |
+ Checking that external symbol is a function is
|
|
|
28f7f8 |
+ non-trivial and I have never seen this relocation used
|
|
|
28f7f8 |
+ for anything else, so assume that it always points to a
|
|
|
28f7f8 |
+ function.
|
|
|
28f7f8 |
+ */
|
|
|
28f7f8 |
R_IA64_SEGREL64LSB,
|
|
|
28f7f8 |
R_IA64_FPTR64LSB,
|
|
|
28f7f8 |
R_IA64_DIR64LSB,
|
|
|
28f7f8 |
R_IA64_PCREL64LSB,
|
|
|
28f7f8 |
- R_IA64_GPREL22, /* We should verify that it's pointing to a section in the same module. */
|
|
|
28f7f8 |
R_IA64_LTOFF22X,
|
|
|
28f7f8 |
R_IA64_LTOFF22,
|
|
|
28f7f8 |
R_IA64_LTOFF_FPTR22,
|
|
|
28f7f8 |
R_IA64_LDXMOV,
|
|
|
28f7f8 |
-1
|
|
|
28f7f8 |
+ }, (int[]){
|
|
|
28f7f8 |
+ R_IA64_GPREL22,
|
|
|
28f7f8 |
+ -1
|
|
|
28f7f8 |
} },
|
|
|
28f7f8 |
{ "mipsel", 4, 0, EM_MIPS, GRUB_MODULE_VERIFY_SUPPORTS_REL | GRUB_MODULE_VERIFY_SUPPORTS_RELA, (int[]){
|
|
|
28f7f8 |
R_MIPS_HI16,
|
|
|
28f7f8 |
diff --git a/util/grub-module-verifierXX.c b/util/grub-module-verifierXX.c
|
|
|
28f7f8 |
index 904be27d39b..25988ebc21d 100644
|
|
|
28f7f8 |
--- a/util/grub-module-verifierXX.c
|
|
|
28f7f8 |
+++ b/util/grub-module-verifierXX.c
|
|
|
28f7f8 |
@@ -161,14 +161,12 @@ check_license (const struct grub_module_verifier_arch *arch, Elf_Ehdr *e)
|
|
|
28f7f8 |
grub_util_error ("incompatible license");
|
|
|
28f7f8 |
}
|
|
|
28f7f8 |
|
|
|
28f7f8 |
-static void
|
|
|
28f7f8 |
-check_symbols (const struct grub_module_verifier_arch *arch, Elf_Ehdr *e)
|
|
|
28f7f8 |
+static Elf_Sym *
|
|
|
28f7f8 |
+get_symtab (const struct grub_module_verifier_arch *arch, Elf_Ehdr *e, Elf_Word *size, Elf_Word *entsize)
|
|
|
28f7f8 |
{
|
|
|
28f7f8 |
unsigned i;
|
|
|
28f7f8 |
Elf_Shdr *s, *sections;
|
|
|
28f7f8 |
Elf_Sym *sym;
|
|
|
28f7f8 |
- const char *str;
|
|
|
28f7f8 |
- Elf_Word size, entsize;
|
|
|
28f7f8 |
|
|
|
28f7f8 |
sections = (Elf_Shdr *) ((char *) e + grub_target_to_host (e->e_shoff));
|
|
|
28f7f8 |
for (i = 0, s = sections;
|
|
|
28f7f8 |
@@ -181,11 +179,19 @@ check_symbols (const struct grub_module_verifier_arch *arch, Elf_Ehdr *e)
|
|
|
28f7f8 |
grub_util_error ("no symbol table");
|
|
|
28f7f8 |
|
|
|
28f7f8 |
sym = (Elf_Sym *) ((char *) e + grub_target_to_host (s->sh_offset));
|
|
|
28f7f8 |
- size = grub_target_to_host (s->sh_size);
|
|
|
28f7f8 |
- entsize = grub_target_to_host (s->sh_entsize);
|
|
|
28f7f8 |
+ *size = grub_target_to_host (s->sh_size);
|
|
|
28f7f8 |
+ *entsize = grub_target_to_host (s->sh_entsize);
|
|
|
28f7f8 |
+ return sym;
|
|
|
28f7f8 |
+}
|
|
|
28f7f8 |
|
|
|
28f7f8 |
- s = (Elf_Shdr *) ((char *) sections + grub_target_to_host16 (e->e_shentsize) * grub_target_to_host32 (s->sh_link));
|
|
|
28f7f8 |
- str = (char *) e + grub_target_to_host (s->sh_offset);
|
|
|
28f7f8 |
+static void
|
|
|
28f7f8 |
+check_symbols (const struct grub_module_verifier_arch *arch, Elf_Ehdr *e)
|
|
|
28f7f8 |
+{
|
|
|
28f7f8 |
+ Elf_Sym *sym;
|
|
|
28f7f8 |
+ Elf_Word size, entsize;
|
|
|
28f7f8 |
+ unsigned i;
|
|
|
28f7f8 |
+
|
|
|
28f7f8 |
+ sym = get_symtab (arch, e, &size, &entsize);
|
|
|
28f7f8 |
|
|
|
28f7f8 |
for (i = 0;
|
|
|
28f7f8 |
i < size / entsize;
|
|
|
28f7f8 |
@@ -208,19 +214,41 @@ check_symbols (const struct grub_module_verifier_arch *arch, Elf_Ehdr *e)
|
|
|
28f7f8 |
}
|
|
|
28f7f8 |
}
|
|
|
28f7f8 |
|
|
|
28f7f8 |
-/* Relocate symbols. */
|
|
|
28f7f8 |
+static int
|
|
|
28f7f8 |
+is_symbol_local(Elf_Sym *sym)
|
|
|
28f7f8 |
+{
|
|
|
28f7f8 |
+ switch (ELF_ST_TYPE (sym->st_info))
|
|
|
28f7f8 |
+ {
|
|
|
28f7f8 |
+ case STT_NOTYPE:
|
|
|
28f7f8 |
+ case STT_OBJECT:
|
|
|
28f7f8 |
+ if (sym->st_name != 0 && sym->st_shndx == 0)
|
|
|
28f7f8 |
+ return 0;
|
|
|
28f7f8 |
+ return 1;
|
|
|
28f7f8 |
+
|
|
|
28f7f8 |
+ case STT_FUNC:
|
|
|
28f7f8 |
+ case STT_SECTION:
|
|
|
28f7f8 |
+ return 1;
|
|
|
28f7f8 |
+
|
|
|
28f7f8 |
+ default:
|
|
|
28f7f8 |
+ return 0;
|
|
|
28f7f8 |
+ }
|
|
|
28f7f8 |
+}
|
|
|
28f7f8 |
+
|
|
|
28f7f8 |
static void
|
|
|
28f7f8 |
section_check_relocations (const struct grub_module_verifier_arch *arch, void *ehdr,
|
|
|
28f7f8 |
Elf_Shdr *s, size_t target_seg_size)
|
|
|
28f7f8 |
{
|
|
|
28f7f8 |
Elf_Rel *rel, *max;
|
|
|
28f7f8 |
+ Elf_Sym *symtab;
|
|
|
28f7f8 |
+ Elf_Word symtabsize, symtabentsize;
|
|
|
28f7f8 |
+
|
|
|
28f7f8 |
+ symtab = get_symtab (arch, ehdr, &symtabsize, &symtabentsize);
|
|
|
28f7f8 |
|
|
|
28f7f8 |
for (rel = (Elf_Rel *) ((char *) ehdr + grub_target_to_host (s->sh_offset)),
|
|
|
28f7f8 |
max = (Elf_Rel *) ((char *) rel + grub_target_to_host (s->sh_size));
|
|
|
28f7f8 |
rel < max;
|
|
|
28f7f8 |
rel = (Elf_Rel *) ((char *) rel + grub_target_to_host (s->sh_entsize)))
|
|
|
28f7f8 |
{
|
|
|
28f7f8 |
- Elf_Word *addr;
|
|
|
28f7f8 |
Elf_Sym *sym;
|
|
|
28f7f8 |
unsigned i;
|
|
|
28f7f8 |
|
|
|
28f7f8 |
@@ -235,8 +263,20 @@ section_check_relocations (const struct grub_module_verifier_arch *arch, void *e
|
|
|
28f7f8 |
for (i = 0; arch->supported_relocations[i] != -1; i++)
|
|
|
28f7f8 |
if (type == arch->supported_relocations[i])
|
|
|
28f7f8 |
break;
|
|
|
28f7f8 |
- if (arch->supported_relocations[i] == -1)
|
|
|
28f7f8 |
+ if (arch->supported_relocations[i] != -1)
|
|
|
28f7f8 |
+ continue;
|
|
|
28f7f8 |
+ if (!arch->short_relocations)
|
|
|
28f7f8 |
grub_util_error ("unsupported relocation 0x%x", type);
|
|
|
28f7f8 |
+ for (i = 0; arch->short_relocations[i] != -1; i++)
|
|
|
28f7f8 |
+ if (type == arch->short_relocations[i])
|
|
|
28f7f8 |
+ break;
|
|
|
28f7f8 |
+ if (arch->short_relocations[i] == -1)
|
|
|
28f7f8 |
+ grub_util_error ("unsupported relocation 0x%x", type);
|
|
|
28f7f8 |
+ sym = (Elf_Sym *) ((char *) symtab + symtabentsize * ELF_R_SYM (grub_target_to_host (rel->r_info)));
|
|
|
28f7f8 |
+
|
|
|
28f7f8 |
+ if (is_symbol_local (sym))
|
|
|
28f7f8 |
+ continue;
|
|
|
28f7f8 |
+ grub_util_error ("relocation 0x%x is not module-local", type);
|
|
|
28f7f8 |
}
|
|
|
28f7f8 |
}
|
|
|
28f7f8 |
|
|
|
28f7f8 |
diff --git a/include/grub/module_verifier.h b/include/grub/module_verifier.h
|
|
|
28f7f8 |
index 9e3a2ba720f..6cddff30f2e 100644
|
|
|
28f7f8 |
--- a/include/grub/module_verifier.h
|
|
|
28f7f8 |
+++ b/include/grub/module_verifier.h
|
|
|
28f7f8 |
@@ -13,6 +13,7 @@ struct grub_module_verifier_arch {
|
|
|
28f7f8 |
int machine;
|
|
|
28f7f8 |
int flags;
|
|
|
28f7f8 |
const int *supported_relocations;
|
|
|
28f7f8 |
+ const int *short_relocations;
|
|
|
28f7f8 |
};
|
|
|
28f7f8 |
|
|
|
28f7f8 |
void grub_module_verify64(void *module_img, size_t module_size, const struct grub_module_verifier_arch *arch);
|