Subject: Re: va 0 mapped - NULL pointer dereference succeeds
To: Charles M. Hannum <abuse@spamalicious.com>
From: Simon Burge <simonb@wasabisystems.com>
List: tech-toolchain
Date: 10/25/2003 22:32:01
On Fri, Oct 24, 2003 at 05:40:43PM +0000, Charles M. Hannum wrote:

> On Friday 24 October 2003 05:31 pm, Matthias Drochner wrote:
> > Hi -
> > on a pmax/-current, compiled with gcc3, I'm observing
> >
> > # pmap
> > 00000000     52K read/exec         /libexec/ld.elf_so
> > 0000D000    252K                     [ anon ]
> > 0004C000      8K read/write          [ anon ]
> > 00400000    208K read/exec         /bin/csh
> > [...]
> >
> > And indeed, a small (dynamically linked) test program can read
> > from NULL, gets the contents of /libexec/ld.elf_so as expected.
> >
> > This shouldn't happen...
> 
> MIPS is still defining ELF_INTERP_NON_RELOCATABLE, a vestige from before I 
> made ld.elf_so relocatable on that platform.  My guess is that a newer 
> version of binutils stopped linking it with the traditional VA offset 
> (0x5ffe0000), and so now it's mapping at 0.
> 
> Either the ld scripts should be fixed to use the old offset, or 
> ELF_INTERP_NON_RELOCATABLE should be removed, or both.  It certainly makes no 
> sense as is.

As Matthias mentioned, ld.elf_so is still linked at 0x5ffe0000 (for
reasons I can't find - a long while ago I tried at VA offset 0 and
everything still seemed to work fine).

With the trailing patch and COMPAT_16 I see:

	rhone 2> ./null
	foo = 0x0
	*foo = 0x464c457f
	rhone 3>

and without COMPAT_16 I see:

	rhone 2> ./null
	foo = 0x0
	Segmentation fault (core dumped)
	Exit 139
	rhone 3>

and pmap says:

	rhone 1> pmap
	00400000    524K read/exec         /usr/pkg/bin/tcsh
	10000000     12K read/write        /usr/pkg/bin/tcsh
	10003000    508K read/write          [ anon ]
	30000000     52K read/exec         /libexec/ld.elf_so
	3000D000    252K                     [ anon ]
	3004C000      4K read/write        /libexec/ld.elf_so
	3004D000      8K read/write          [ anon ]
	3004F000      4K read/exec           [ uvm_aobj ]
	30050000     32K read/write          [ anon ]
	...

Look OK to commit?

Simon.
--
Simon Burge                                   <simonb@wasabisystems.com>
NetBSD Development, Support and Service:   http://www.wasabisystems.com/


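The `null` test program whose output appears above is not included in the mail. As an added example (not Simon's program, and not NetBSD code), the following C probe performs the same check in a way that survives the fault: it installs a SIGSEGV/SIGBUS handler that `siglongjmp()`s back out of the read, so a process can report whether VA 0 is readable and whether the word there carries the ELF magic (the `0x464c457f` Simon saw is "\177ELF" read as a little-endian word on the pmax). The function names, the constructed 8-byte ELF header used for the self-check, and the PROT_NONE page used to exercise the fault path are all assumptions of this example. The NULL probe in `main()` simply reports whatever the host kernel does with page 0.

```c
/*
 * Added example, not from the original mail or from NetBSD: probe whether a
 * virtual address is readable in this process without dying on the fault.
 * A SIGSEGV/SIGBUS handler siglongjmp()s back into probe_read32(), so the
 * caller gets a yes/no answer plus the word that was read.
 */
#define _GNU_SOURCE 1          /* sigaction, sigsetjmp, MAP_ANONYMOUS */
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf probe_env;

static void probe_handler(int sig)
{
    (void)sig;
    siglongjmp(probe_env, 1);   /* back into probe_read32(); mask is restored */
}

/*
 * Read one aligned 32-bit word from addr.  Returns 1 and stores the word in
 * *out on success, 0 if the access raised SIGSEGV or SIGBUS.
 */
int probe_read32(const void *addr, uint32_t *out)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int ok = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(probe_env, 1) == 0) {
        /* volatile forces the load to be emitted even when addr is NULL */
        const volatile uint32_t *p = (const volatile uint32_t *)addr;
        *out = *p;
        ok = 1;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return ok;
}

/* True if the in-memory bytes of w are "\177ELF", on either endianness. */
int is_elf_magic(uint32_t w)
{
    unsigned char b[4];
    memcpy(b, &w, sizeof b);
    return b[0] == 0x7f && b[1] == 'E' && b[2] == 'L' && b[3] == 'F';
}

/* Probe a constructed in-process ELF header: expected 1 (readable, magic OK). */
int probe_constructed_elf_header(void)
{
    /* constructed sample: e_ident[0..7] of a 64-bit LSB ELF file */
    static const union { uint32_t align; unsigned char b[8]; } hdr =
        { .b = { 0x7f, 'E', 'L', 'F', 2, 1, 1, 0 } };
    uint32_t w = 0;
    return probe_read32(hdr.b, &w) && is_elf_magic(w);
}

/* Probe a freshly mapped PROT_NONE page: expected 0 (the read faults). */
int probe_unmapped_page(void)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    uint32_t w;
    int ok;
    void *p = mmap(NULL, pagesz, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

    if (p == MAP_FAILED)
        return -1;
    ok = probe_read32(p, &w);
    munmap(p, pagesz);
    return ok;
}

int main(void)
{
    const uint32_t *foo = NULL;
    uint32_t w;

    printf("foo = %p\n", (const void *)foo);
    if (probe_read32(foo, &w))
        printf("*foo = 0x%x%s\n", w,
               is_elf_magic(w) ? "  (ELF magic: something is mapped at VA 0)" : "");
    else
        printf("reading *foo faults, as it should\n");
    return 0;
}
```

On a process where the runtime linker has been mapped at VA 0, as in the pmap output above, the probe prints the word at 0 and flags the ELF magic; on a kernel that relocates the interpreter or refuses to map page 0, it takes the fault path instead of dumping core. The cast through a `volatile` pointer is what stops the compiler from treating a read through a known-NULL pointer as undefined and eliding it.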
Index: elf_machdep.h
===================================================================
RCS file: /cvsroot/src/sys/arch/mips/include/elf_machdep.h,v
retrieving revision 1.8
diff -d -p -u -r1.8 elf_machdep.h
--- elf_machdep.h	9 Dec 2001 23:05:58 -0000	1.8
+++ elf_machdep.h	25 Oct 2003 12:11:03 -0000
@@ -86,10 +86,15 @@
 #define DT_MIPS_HIPAGENO	0x70000014
 #define	DT_MIPS_RLD_MAP		0x70000016	/* address of loader map */
 
+#ifdef _KERNEL
+#ifdef _KERNEL_OPT
+#include "opt_compat_netbsd.h"
+#endif
+#ifdef COMPAT_16
 /*
  * Tell the kernel ELF exec code not to try relocating the interpreter
  * (ld.so) for dynamically-linked ELF binaries.
  */
-#ifdef _KERNEL
 #define ELF_INTERP_NON_RELOCATABLE
-#endif
+#endif /* COMPAT_16 */
+#endif /* _KERNEL */
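Review bot: the comment that now sits under `#ifdef COMPAT_16` ("Tell the kernel ELF exec code not to try relocating the interpreter") still reads as unconditional, so a reader of elf_machdep.h gets no hint why the define is tied to COMPAT_16 or when it can go; add a line such as "Only needed for old ld.elf_so binaries linked at a fixed VA; remove together with COMPAT_16." Note also that, per the test output in the mail, the COMPAT_16 build still leaves VA 0 readable (`*foo = 0x464c457f`), so this hunk only closes the NULL mapping for kernels built without COMPAT_16; if that is not acceptable, the ld script fix Charles suggested is needed in addition, not instead.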