From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Vladimir Serbinenko Date: Thu, 31 Dec 2015 13:09:15 +0100 Subject: [PATCH] Verify modules on build-time rather than failing in runtime. --- util/grub-module-verifier.c | 122 ++++++++++++++++ util/grub-module-verifier32.c | 2 + util/grub-module-verifier64.c | 2 + util/grub-module-verifierXX.c | 315 +++++++++++++++++++++++++++++++++++++++++ include/grub/module_verifier.h | 19 +++ grub-core/Makefile.am | 6 +- grub-core/genmod.sh.in | 5 +- 7 files changed, 468 insertions(+), 3 deletions(-) create mode 100644 util/grub-module-verifier.c create mode 100644 util/grub-module-verifier32.c create mode 100644 util/grub-module-verifier64.c create mode 100644 util/grub-module-verifierXX.c create mode 100644 include/grub/module_verifier.h diff --git a/util/grub-module-verifier.c b/util/grub-module-verifier.c new file mode 100644 index 00000000000..d2d6984033c --- /dev/null +++ b/util/grub-module-verifier.c @@ -0,0 +1,122 @@ +#include +#include + +#include +#include +#include +#include + +struct grub_module_verifier_arch archs[] = { + { "i386", 4, 0, EM_386, GRUB_MODULE_VERIFY_SUPPORTS_REL, (int[]){ + R_386_32, + R_386_PC32, + -1 + } }, + { "x86_64", 8, 0, EM_X86_64, GRUB_MODULE_VERIFY_SUPPORTS_RELA, (int[]){ + R_X86_64_64, + R_X86_64_PC64, + /* R_X86_64_32, R_X86_64_32S, R_X86_64_PC32 are supported but shouldn't be used because of their limited range. */ + -1 + } }, + { "powerpc", 4, 1, EM_PPC, GRUB_MODULE_VERIFY_SUPPORTS_RELA, (int[]){ + GRUB_ELF_R_PPC_ADDR16_LO, + GRUB_ELF_R_PPC_REL24, /* It has limited range but GRUB adds trampolines when necessarry. */ + GRUB_ELF_R_PPC_ADDR16_HA, + GRUB_ELF_R_PPC_ADDR32, + GRUB_ELF_R_PPC_REL32, + -1 + } }, + { "sparc64", 8, 1, EM_SPARCV9, GRUB_MODULE_VERIFY_SUPPORTS_RELA, (int[]){ + R_SPARC_WDISP30, /* It has limited range but GRUB adds trampolines when necessarry. */ + R_SPARC_HH22, + R_SPARC_HM10, + R_SPARC_LM22, + R_SPARC_LO10, + R_SPARC_64, + R_SPARC_OLO10, + /* R_SPARC_32, R_SPARC_HI22 are supported but shouldn't be used because of their limited range. */ + -1 + } }, + { "ia64", 8, 0, EM_IA_64, GRUB_MODULE_VERIFY_SUPPORTS_RELA, (int[]){ + R_IA64_PCREL21B, /* We should verify that it's pointing either + to a function or to a section in the same module. */ + R_IA64_SEGREL64LSB, + R_IA64_FPTR64LSB, + R_IA64_DIR64LSB, + R_IA64_PCREL64LSB, + R_IA64_GPREL22, /* We should verify that it's pointing to a section in the same module. */ + R_IA64_LTOFF22X, + R_IA64_LTOFF22, + R_IA64_LTOFF_FPTR22, + R_IA64_LDXMOV, + -1 + } }, + { "mipsel", 4, 0, EM_MIPS, GRUB_MODULE_VERIFY_SUPPORTS_REL | GRUB_MODULE_VERIFY_SUPPORTS_RELA, (int[]){ + R_MIPS_HI16, + R_MIPS_LO16, + R_MIPS_32, + R_MIPS_GPREL32, + R_MIPS_26, + R_MIPS_GOT16, + R_MIPS_CALL16, + R_MIPS_JALR, + -1 + } }, + { "mips", 4, 1, EM_MIPS, GRUB_MODULE_VERIFY_SUPPORTS_REL | GRUB_MODULE_VERIFY_SUPPORTS_RELA, (int[]){ + R_MIPS_HI16, + R_MIPS_LO16, + R_MIPS_32, + R_MIPS_GPREL32, + R_MIPS_26, + R_MIPS_GOT16, + R_MIPS_CALL16, + R_MIPS_JALR, + -1 + } }, + { "arm", 4, 0, EM_ARM, GRUB_MODULE_VERIFY_SUPPORTS_REL, (int[]){ + /* Some relocations are range-limited but trampolines are added when necessarry. */ + R_ARM_ABS32, + R_ARM_CALL, + R_ARM_JUMP24, + R_ARM_THM_CALL, + R_ARM_THM_JUMP24, + R_ARM_V4BX, + R_ARM_THM_MOVW_ABS_NC, + R_ARM_THM_MOVT_ABS, + R_ARM_THM_JUMP19, + -1 + } }, + { "arm64", 8, 0, EM_AARCH64, GRUB_MODULE_VERIFY_SUPPORTS_REL | GRUB_MODULE_VERIFY_SUPPORTS_RELA, (int[]){ + R_AARCH64_ABS64, + R_AARCH64_CALL26, + R_AARCH64_JUMP26, + -1 + } }, +}; + + +int +main (int argc, char **argv) +{ + size_t module_size; + unsigned arch; + char *module_img; + if (argc != 3) { + fprintf (stderr, "usage: %s FILE ARCH\n", argv[0]); + return 1; + } + + for (arch = 0; arch < ARRAY_SIZE(archs); arch++) + if (strcmp(archs[arch].name, argv[2]) == 0) + break; + if (arch == ARRAY_SIZE(archs)) + grub_util_error("unknown arch: %s", argv[2]); + + module_size = grub_util_get_image_size (argv[1]); + module_img = grub_util_read_image (argv[1]); + if (archs[arch].voidp_sizeof == 8) + grub_module_verify64(module_img, module_size, &archs[arch]); + else + grub_module_verify32(module_img, module_size, &archs[arch]); + return 0; +} diff --git a/util/grub-module-verifier32.c b/util/grub-module-verifier32.c new file mode 100644 index 00000000000..257229f8f08 --- /dev/null +++ b/util/grub-module-verifier32.c @@ -0,0 +1,2 @@ +#define MODULEVERIFIER_ELF32 1 +#include "grub-module-verifierXX.c" diff --git a/util/grub-module-verifier64.c b/util/grub-module-verifier64.c new file mode 100644 index 00000000000..4db6b4bedd1 --- /dev/null +++ b/util/grub-module-verifier64.c @@ -0,0 +1,2 @@ +#define MODULEVERIFIER_ELF64 1 +#include "grub-module-verifierXX.c" diff --git a/util/grub-module-verifierXX.c b/util/grub-module-verifierXX.c new file mode 100644 index 00000000000..904be27d39b --- /dev/null +++ b/util/grub-module-verifierXX.c @@ -0,0 +1,315 @@ +#include + +#include +#include +#include + +#if defined(MODULEVERIFIER_ELF32) +# define SUFFIX(x) x ## 32 +# define ELFCLASSXX ELFCLASS32 +# define Elf_Ehdr Elf32_Ehdr +# define Elf_Phdr Elf32_Phdr +# define Elf_Nhdr Elf32_Nhdr +# define Elf_Addr Elf32_Addr +# define Elf_Sym Elf32_Sym +# define Elf_Off Elf32_Off +# define Elf_Shdr Elf32_Shdr +# define Elf_Rela Elf32_Rela +# define Elf_Rel Elf32_Rel +# define Elf_Word Elf32_Word +# define Elf_Half Elf32_Half +# define Elf_Section Elf32_Section +# define ELF_R_SYM(val) ELF32_R_SYM(val) +# define ELF_R_TYPE(val) ELF32_R_TYPE(val) +# define ELF_ST_TYPE(val) ELF32_ST_TYPE(val) +#elif defined(MODULEVERIFIER_ELF64) +# define SUFFIX(x) x ## 64 +# define ELFCLASSXX ELFCLASS64 +# define Elf_Ehdr Elf64_Ehdr +# define Elf_Phdr Elf64_Phdr +# define Elf_Nhdr Elf64_Nhdr +# define Elf_Addr Elf64_Addr +# define Elf_Sym Elf64_Sym +# define Elf_Off Elf64_Off +# define Elf_Shdr Elf64_Shdr +# define Elf_Rela Elf64_Rela +# define Elf_Rel Elf64_Rel +# define Elf_Word Elf64_Word +# define Elf_Half Elf64_Half +# define Elf_Section Elf64_Section +# define ELF_R_SYM(val) ELF64_R_SYM(val) +# define ELF_R_TYPE(val) ELF64_R_TYPE(val) +# define ELF_ST_TYPE(val) ELF64_ST_TYPE(val) +#else +#error "I'm confused" +#endif + +#define grub_target_to_host32(x) (grub_target_to_host32_real (arch, (x))) +#define grub_host_to_target32(x) (grub_host_to_target32_real (arch, (x))) +#define grub_target_to_host64(x) (grub_target_to_host64_real (arch, (x))) +#define grub_host_to_target64(x) (grub_host_to_target64_real (arch, (x))) +#define grub_host_to_target_addr(x) (grub_host_to_target_addr_real (arch, (x))) +#define grub_target_to_host16(x) (grub_target_to_host16_real (arch, (x))) +#define grub_host_to_target16(x) (grub_host_to_target16_real (arch, (x))) +#define grub_target_to_host(val) grub_target_to_host_real(arch, (val)) + +static inline grub_uint32_t +grub_target_to_host32_real (const struct grub_module_verifier_arch *arch, + grub_uint32_t in) +{ + if (arch->bigendian) + return grub_be_to_cpu32 (in); + else + return grub_le_to_cpu32 (in); +} + +static inline grub_uint64_t +grub_target_to_host64_real (const struct grub_module_verifier_arch *arch, + grub_uint64_t in) +{ + if (arch->bigendian) + return grub_be_to_cpu64 (in); + else + return grub_le_to_cpu64 (in); +} + +static inline grub_uint64_t +grub_host_to_target64_real (const struct grub_module_verifier_arch *arch, + grub_uint64_t in) +{ + if (arch->bigendian) + return grub_cpu_to_be64 (in); + else + return grub_cpu_to_le64 (in); +} + +static inline grub_uint32_t +grub_host_to_target32_real (const struct grub_module_verifier_arch *arch, + grub_uint32_t in) +{ + if (arch->bigendian) + return grub_cpu_to_be32 (in); + else + return grub_cpu_to_le32 (in); +} + +static inline grub_uint16_t +grub_target_to_host16_real (const struct grub_module_verifier_arch *arch, + grub_uint16_t in) +{ + if (arch->bigendian) + return grub_be_to_cpu16 (in); + else + return grub_le_to_cpu16 (in); +} + +static inline grub_uint16_t +grub_host_to_target16_real (const struct grub_module_verifier_arch *arch, + grub_uint16_t in) +{ + if (arch->bigendian) + return grub_cpu_to_be16 (in); + else + return grub_cpu_to_le16 (in); +} + +static inline grub_uint64_t +grub_host_to_target_addr_real (const struct grub_module_verifier_arch *arch, grub_uint64_t in) +{ + if (arch->voidp_sizeof == 8) + return grub_host_to_target64_real (arch, in); + else + return grub_host_to_target32_real (arch, in); +} + +static inline grub_uint64_t +grub_target_to_host_real (const struct grub_module_verifier_arch *arch, grub_uint64_t in) +{ + if (arch->voidp_sizeof == 8) + return grub_target_to_host64_real (arch, in); + else + return grub_target_to_host32_real (arch, in); +} + + +static Elf_Shdr * +find_section (const struct grub_module_verifier_arch *arch, Elf_Ehdr *e, const char *name) +{ + Elf_Shdr *s; + const char *str; + unsigned i; + + s = (Elf_Shdr *) ((char *) e + grub_target_to_host (e->e_shoff) + grub_target_to_host16 (e->e_shstrndx) * grub_target_to_host16 (e->e_shentsize)); + str = (char *) e + grub_target_to_host (s->sh_offset); + + for (i = 0, s = (Elf_Shdr *) ((char *) e + grub_target_to_host (e->e_shoff)); + i < grub_target_to_host16 (e->e_shnum); + i++, s = (Elf_Shdr *) ((char *) s + grub_target_to_host16 (e->e_shentsize))) + if (strcmp (str + grub_target_to_host32 (s->sh_name), name) == 0) + return s; + return NULL; +} + +static void +check_license (const struct grub_module_verifier_arch *arch, Elf_Ehdr *e) +{ + Elf_Shdr *s = find_section (arch, e, ".module_license"); + if (s && (strcmp ((char *) e + grub_target_to_host(s->sh_offset), "LICENSE=GPLv3") == 0 + || strcmp ((char *) e + grub_target_to_host(s->sh_offset), "LICENSE=GPLv3+") == 0 + || strcmp ((char *) e + grub_target_to_host(s->sh_offset), "LICENSE=GPLv2+") == 0)) + return; + grub_util_error ("incompatible license"); +} + +static void +check_symbols (const struct grub_module_verifier_arch *arch, Elf_Ehdr *e) +{ + unsigned i; + Elf_Shdr *s, *sections; + Elf_Sym *sym; + const char *str; + Elf_Word size, entsize; + + sections = (Elf_Shdr *) ((char *) e + grub_target_to_host (e->e_shoff)); + for (i = 0, s = sections; + i < grub_target_to_host16 (e->e_shnum); + i++, s = (Elf_Shdr *) ((char *) s + grub_target_to_host16 (e->e_shentsize))) + if (grub_target_to_host32 (s->sh_type) == SHT_SYMTAB) + break; + + if (i == grub_target_to_host16 (e->e_shnum)) + grub_util_error ("no symbol table"); + + sym = (Elf_Sym *) ((char *) e + grub_target_to_host (s->sh_offset)); + size = grub_target_to_host (s->sh_size); + entsize = grub_target_to_host (s->sh_entsize); + + s = (Elf_Shdr *) ((char *) sections + grub_target_to_host16 (e->e_shentsize) * grub_target_to_host32 (s->sh_link)); + str = (char *) e + grub_target_to_host (s->sh_offset); + + for (i = 0; + i < size / entsize; + i++, sym = (Elf_Sym *) ((char *) sym + entsize)) + { + unsigned char type = ELF_ST_TYPE (sym->st_info); + + switch (type) + { + case STT_NOTYPE: + case STT_OBJECT: + case STT_FUNC: + case STT_SECTION: + case STT_FILE: + break; + + default: + return grub_util_error ("unknown symbol type `%d'", (int) type); + } + } +} + +/* Relocate symbols. */ +static void +section_check_relocations (const struct grub_module_verifier_arch *arch, void *ehdr, + Elf_Shdr *s, size_t target_seg_size) +{ + Elf_Rel *rel, *max; + + for (rel = (Elf_Rel *) ((char *) ehdr + grub_target_to_host (s->sh_offset)), + max = (Elf_Rel *) ((char *) rel + grub_target_to_host (s->sh_size)); + rel < max; + rel = (Elf_Rel *) ((char *) rel + grub_target_to_host (s->sh_entsize))) + { + Elf_Word *addr; + Elf_Sym *sym; + unsigned i; + + if (target_seg_size < grub_target_to_host (rel->r_offset)) + grub_util_error ("reloc offset is out of the segment"); + + grub_uint32_t type = ELF_R_TYPE (grub_target_to_host (rel->r_info)); + + if (arch->machine == EM_SPARCV9) + type &= 0xff; + + for (i = 0; arch->supported_relocations[i] != -1; i++) + if (type == arch->supported_relocations[i]) + break; + if (arch->supported_relocations[i] == -1) + grub_util_error ("unsupported relocation 0x%x", type); + } +} + +static void +check_relocations (const struct grub_module_verifier_arch *arch, Elf_Ehdr *e) +{ + Elf_Shdr *s; + unsigned i; + + for (i = 0, s = (Elf_Shdr *) ((char *) e + grub_target_to_host (e->e_shoff)); + i < grub_target_to_host16 (e->e_shnum); + i++, s = (Elf_Shdr *) ((char *) s + grub_target_to_host16 (e->e_shentsize))) + if (grub_target_to_host32 (s->sh_type) == SHT_REL || grub_target_to_host32 (s->sh_type) == SHT_RELA) + { + Elf_Shdr *ts; + + if (grub_target_to_host32 (s->sh_type) == SHT_REL && !(arch->flags & GRUB_MODULE_VERIFY_SUPPORTS_REL)) + grub_util_error ("unsupported SHT_REL"); + if (grub_target_to_host32 (s->sh_type) == SHT_RELA && !(arch->flags & GRUB_MODULE_VERIFY_SUPPORTS_RELA)) + grub_util_error ("unsupported SHT_RELA"); + + /* Find the target segment. */ + if (grub_target_to_host32 (s->sh_info) >= grub_target_to_host16 (e->e_shnum)) + grub_util_error ("orphaned reloc section"); + ts = (Elf_Shdr *) ((char *) e + grub_target_to_host (e->e_shoff) + grub_target_to_host32 (s->sh_info) * grub_target_to_host16 (e->e_shentsize)); + + section_check_relocations (arch, e, s, grub_target_to_host (ts->sh_size)); + } +} + +void +SUFFIX(grub_module_verify) (void *module_img, size_t size, const struct grub_module_verifier_arch *arch) +{ + Elf_Ehdr *e = module_img; + + /* Check the header size. */ + if (size < sizeof (Elf_Ehdr)) + grub_util_error ("ELF header smaller than expected"); + + /* Check the magic numbers. */ + if (e->e_ident[EI_MAG0] != ELFMAG0 + || e->e_ident[EI_MAG1] != ELFMAG1 + || e->e_ident[EI_MAG2] != ELFMAG2 + || e->e_ident[EI_MAG3] != ELFMAG3 + || e->e_ident[EI_VERSION] != EV_CURRENT + || grub_target_to_host32 (e->e_version) != EV_CURRENT) + grub_util_error ("invalid arch-independent ELF magic"); + + if (e->e_ident[EI_CLASS] != ELFCLASSXX + || e->e_ident[EI_DATA] != (arch->bigendian ? ELFDATA2MSB : ELFDATA2LSB) + || grub_target_to_host16 (e->e_machine) != arch->machine) + grub_util_error ("invalid arch-dependent ELF magic"); + + if (grub_target_to_host16 (e->e_type) != ET_REL) + { + grub_util_error ("this ELF file is not of the right type"); + } + + /* Make sure that every section is within the core. */ + if (size < grub_target_to_host (e->e_shoff) + + grub_target_to_host16 (e->e_shentsize) * grub_target_to_host16(e->e_shnum)) + { + grub_util_error ("ELF sections outside core"); + } + + check_license (arch, e); + + Elf_Shdr *s; + + s = find_section (arch, e, ".modname"); + if (!s) + grub_util_error ("no module name found"); + + check_symbols(arch, e); + check_relocations(arch, e); +} diff --git a/include/grub/module_verifier.h b/include/grub/module_verifier.h new file mode 100644 index 00000000000..9e3a2ba720f --- /dev/null +++ b/include/grub/module_verifier.h @@ -0,0 +1,19 @@ +#include +#include + +#include + +#define GRUB_MODULE_VERIFY_SUPPORTS_REL 1 +#define GRUB_MODULE_VERIFY_SUPPORTS_RELA 2 + +struct grub_module_verifier_arch { + const char *name; + int voidp_sizeof; + int bigendian; + int machine; + int flags; + const int *supported_relocations; +}; + +void grub_module_verify64(void *module_img, size_t module_size, const struct grub_module_verifier_arch *arch); +void grub_module_verify32(void *module_img, size_t module_size, const struct grub_module_verifier_arch *arch); diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am index be29e327f77..77205f16358 100644 --- a/grub-core/Makefile.am +++ b/grub-core/Makefile.am @@ -39,6 +39,10 @@ gentrigtables$(BUILD_EXEEXT): gentrigtables.c $(BUILD_CC) -o $@ -I$(top_srcdir)/include $(BUILD_CFLAGS) $(BUILD_CPPFLAGS) $(BUILD_LDFLAGS) $< $(BUILD_LIBM) CLEANFILES += gentrigtables$(BUILD_EXEEXT) +build-grub-module-verifier$(BUILD_EXEEXT): $(top_srcdir)/util/grub-module-verifier.c $(top_srcdir)/util/grub-module-verifier32.c $(top_srcdir)/util/grub-module-verifier64.c $(top_srcdir)/grub-core/kern/emu/misc.c $(top_srcdir)/util/misc.c + $(BUILD_CC) -o $@ -I$(top_srcdir)/include $(BUILD_CFLAGS) $(BUILD_CPPFLAGS) $(BUILD_LDFLAGS) -DGRUB_BUILD=1 -DGRUB_UTIL=1 -DGRUB_BUILD_PROGRAM_NAME=\"build-grub-module-verifier\" $^ +CLEANFILES += build-grub-module-verifier$(BUILD_EXEEXT) + # trigtables.c trigtables.c: gentrigtables$(BUILD_EXEEXT) gentrigtables.c $(top_srcdir)/configure.ac ./gentrigtables$(BUILD_EXEEXT) > $@ @@ -387,7 +391,7 @@ moddep.lst: syminfo.lst genmoddep.awk video.lst platform_DATA += moddep.lst CLEANFILES += config.log syminfo.lst moddep.lst -$(MOD_FILES): %.mod : genmod.sh moddep.lst %.module$(EXEEXT) +$(MOD_FILES): %.mod : genmod.sh moddep.lst %.module$(EXEEXT) build-grub-module-verifier TARGET_OBJ2ELF=@TARGET_OBJ2ELF@ sh $^ $@ platform_DATA += $(MOD_FILES) platform_DATA += modinfo.sh diff --git a/grub-core/genmod.sh.in b/grub-core/genmod.sh.in index 789732b108b..7dcafd9d370 100644 --- a/grub-core/genmod.sh.in +++ b/grub-core/genmod.sh.in @@ -15,12 +15,12 @@ set -e # # Example: # -# genmod.sh moddep.lst normal.module normal.mod +# genmod.sh moddep.lst normal.module build-grub-module-verifier normal.mod # moddep=$1 infile=$2 -outfile=$3 +outfile=$4 tmpfile=${outfile}.tmp modname=`echo $infile | sed -e 's@\.module.*$@@'` @@ -93,4 +93,5 @@ else -wd1106 -nu -nd $tmpfile.bin $tmpfile || exit 1 rm -f $name.bin fi +./build-grub-module-verifier $tmpfile @target_cpu@ mv $tmpfile $outfile