kern/43830: libsa/loadfile_elf32.c loads .shstrtab into unallocated memory

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/43830: libsa/loadfile_elf32.c loads .shstrtab into unallocated memory
From: uwe%NetBSD.org@localhost
Date: Thu, 2 Sep 2010 15:40:01 +0000 (UTC)

>Number:         43830
>Category:       kern
>Synopsis:       libsa/loadfile_elf32.c loads .shstrtab into unallocated memory
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Sep 02 15:40:01 +0000 2010
>Originator:     Valery Ushakov
>Release:        NetBSD 5.99.39
>Organization:
>Environment:
NetBSD brick 5.99.39 NetBSD 5.99.39 (MRCOFFEE_OFW) #0: Tue Aug 31 15:56:05 MSD 
2010  uwe@shravaka:/mnt/netbsd/cvs/src/sys/arch/sparc/compile/MRCOFFEE_OFW sparc

>Description:
In sys/lib/libsa/loadfile_elf32.c in revision 1.25 code was added to
add support for loading CTF sections for DTrace.  As part of this
change loadfile_elf32 now loads .shstrtab.  The code to load it uses
READ() macro unconditionally, while it should only be used when caller
asked for the actual section contents to be loaded.

E.g. sparc bootloader calls loadfile twice, once with COUNT_KERNEL to
figure out how much memory to set up, and then with LOAD_KERNEL to
actually load kernel into the memory it's just allocated.

During the first call (COUNT_KERNEL) the READ() macro must not be used,
but the code to read CTF sections doesn't check COUNT_* vs. LOAD_*
flags.

This happen to work on real hardware, but depends on some OpenBoot
magic mappings and I'm not sure they are guaranteed to exist.

This code fails under qemu that uses OpenBIOS as its OpenFirmware
implementation and apparently doesn't provide the same magic mappings.

I don't really want to figure out the exact nature of that magic.
I think that the code should obey the constraint that READ() must not
be used unless LOAD_* flags are passed.

>How-To-Repeat:
Try to boot current'ish NetBSD/sparc in qemu, e.g.

  $ qemu-system-sparc -m 32 -nographic -boot d \
        -cdrom $(RELEASEDIR)/iso/sparccd.iso

if you have it built locally, or just grab a current iso image from releng 
autobuild.

Observe:

  >> NetBSD/sparc Secondary Boot, Revision 1.15
  >> (uwe@shravaka, Thu Sep  2 02:19:06 MSD 2010)
  Booting netbsd
  Unhandled Exception 0x00000009
  PC = 0x00393fc0 NPC = 0x00393fc4
  Stopping execution

where that pc is in inflate() when it tries to write data to the buffer
passed to READ() at loadfile_elf32.c:419

>Fix:

Follow-Ups:
- Re: kern/43830: libsa/loadfile_elf32.c loads .shstrtab into unallocated memory
  - From: Izumi Tsutsui

Prev by Date: port-sparc/43829: OF set console baudrate is changed once multiuser login starts
Next by Date: Re: kern/43830: libsa/loadfile_elf32.c loads .shstrtab into unallocated memory
Previous by Thread: port-sparc/43829: OF set console baudrate is changed once multiuser login starts
Next by Thread: Re: kern/43830: libsa/loadfile_elf32.c loads .shstrtab into unallocated memory
Indexes:

Home | Main Index | Thread Index | Old Index