1. Patchew
  2. QEMU
  3. View series

[PATCH] linux-user/elfload: fix address calculation in fallback scenario

Vincent Fazio posted 1 patch 4 years, 9 months ago
Test checkpatch passed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20210131061948.15990-1-vfazio@xes-inc.com
Maintainers: Laurent Vivier <laurent@vivier.eu>
linux-user/elfload.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
[PATCH] linux-user/elfload: fix address calculation in fallback scenario
Posted by Vincent Fazio 4 years, 9 months ago 
From: Vincent Fazio <vfazio@gmail.com>

Previously, guest_loaddr was not taken into account when returning an
address from pgb_find_hole when /proc/self/maps was unavailable which
caused an improper guest_base address to be calculated.

This could cause a SIGSEGV later in load_elf_image -> target_mmap for
ET_EXEC type images since the mmap MAP_FIXED flag is specified which
could clobber existing mappings at the address returnd by g2h().

  mmap(0xd87000, 16846912, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE|0x100000, -1, 0) = 0xd87000
  munmap(0xd87000, 16846912)              = 0
  write(2, "Locating guest address space @ 0"..., 40Locating guest address space @ 0xd87000) = 40
  mmap(0x1187000, 16850944, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x1187000
  --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x2188310} ---
  +++ killed by SIGSEGV +++

Now, pgd_find_hole accounts for guest_loaddr in this scenario.

Fixes: ad592e37dfcc ("linux-user: provide fallback pgd_find_hole for bare chroots")
Signed-off-by: Vincent Fazio <vfazio@gmail.com>
---
 linux-user/elfload.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index 8d425f9ed0..6d606b9442 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -2242,7 +2242,8 @@ static uintptr_t pgb_find_hole(uintptr_t guest_loaddr, uintptr_t guest_size,
     brk = (uintptr_t)sbrk(0);
 
     if (!maps) {
-        return pgd_find_hole_fallback(guest_size, brk, align, offset);
+        ret = pgd_find_hole_fallback(guest_size, brk, align, offset);
+        return ret - guest_loaddr;
     }
 
     /* The first hole is before the first map entry. */
-- 
2.30.0
Re: [PATCH] linux-user/elfload: fix address calculation in fallback scenario
Posted by Laurent Vivier 4 years, 9 months ago 
Le 31/01/2021 à 07:19, Vincent Fazio a écrit :
> From: Vincent Fazio <vfazio@gmail.com>
> 
> Previously, guest_loaddr was not taken into account when returning an
> address from pgb_find_hole when /proc/self/maps was unavailable which
> caused an improper guest_base address to be calculated.
> 
> This could cause a SIGSEGV later in load_elf_image -> target_mmap for
> ET_EXEC type images since the mmap MAP_FIXED flag is specified which
> could clobber existing mappings at the address returnd by g2h().
> 
>   mmap(0xd87000, 16846912, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE|0x100000, -1, 0) = 0xd87000
>   munmap(0xd87000, 16846912)              = 0
>   write(2, "Locating guest address space @ 0"..., 40Locating guest address space @ 0xd87000) = 40
>   mmap(0x1187000, 16850944, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x1187000
>   --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x2188310} ---
>   +++ killed by SIGSEGV +++
> 
> Now, pgd_find_hole accounts for guest_loaddr in this scenario.
> 
> Fixes: ad592e37dfcc ("linux-user: provide fallback pgd_find_hole for bare chroots")
> Signed-off-by: Vincent Fazio <vfazio@gmail.com>
> ---
>  linux-user/elfload.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/linux-user/elfload.c b/linux-user/elfload.c
> index 8d425f9ed0..6d606b9442 100644
> --- a/linux-user/elfload.c
> +++ b/linux-user/elfload.c
> @@ -2242,7 +2242,8 @@ static uintptr_t pgb_find_hole(uintptr_t guest_loaddr, uintptr_t guest_size,
>      brk = (uintptr_t)sbrk(0);
>  
>      if (!maps) {
> -        return pgd_find_hole_fallback(guest_size, brk, align, offset);
> +        ret = pgd_find_hole_fallback(guest_size, brk, align, offset);
> +        return ret - guest_loaddr;
>      }
>  
>      /* The first hole is before the first map entry. */
> 

Reviewed-by: Laurent Vivier <laurent@vivier.eu>

CC: Alex
Re: [PATCH] linux-user/elfload: fix address calculation in fallback scenario
Posted by Vincent Fazio 4 years, 8 months ago 
Pinging per Laurent.

On 2/13/21 3:48 PM, Laurent Vivier wrote:
> Le 31/01/2021 à 07:19, Vincent Fazio a écrit :
>> From: Vincent Fazio <vfazio@gmail.com>
>>
>> Previously, guest_loaddr was not taken into account when returning an
>> address from pgb_find_hole when /proc/self/maps was unavailable which
>> caused an improper guest_base address to be calculated.
>>
>> This could cause a SIGSEGV later in load_elf_image -> target_mmap for
>> ET_EXEC type images since the mmap MAP_FIXED flag is specified which
>> could clobber existing mappings at the address returnd by g2h().
>>
>>    mmap(0xd87000, 16846912, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE|0x100000, -1, 0) = 0xd87000
>>    munmap(0xd87000, 16846912)              = 0
>>    write(2, "Locating guest address space @ 0"..., 40Locating guest address space @ 0xd87000) = 40
>>    mmap(0x1187000, 16850944, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x1187000
>>    --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x2188310} ---
>>    +++ killed by SIGSEGV +++
>>
>> Now, pgd_find_hole accounts for guest_loaddr in this scenario.
>>
>> Fixes: ad592e37dfcc ("linux-user: provide fallback pgd_find_hole for bare chroots")
>> Signed-off-by: Vincent Fazio <vfazio@gmail.com>
>> ---
>>   linux-user/elfload.c | 3 ++-
>>   1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/linux-user/elfload.c b/linux-user/elfload.c
>> index 8d425f9ed0..6d606b9442 100644
>> --- a/linux-user/elfload.c
>> +++ b/linux-user/elfload.c
>> @@ -2242,7 +2242,8 @@ static uintptr_t pgb_find_hole(uintptr_t guest_loaddr, uintptr_t guest_size,
>>       brk = (uintptr_t)sbrk(0);
>>   
>>       if (!maps) {
>> -        return pgd_find_hole_fallback(guest_size, brk, align, offset);
>> +        ret = pgd_find_hole_fallback(guest_size, brk, align, offset);
>> +        return ret - guest_loaddr;
>>       }
>>   
>>       /* The first hole is before the first map entry. */
>>
> 
> Reviewed-by: Laurent Vivier <laurent@vivier.eu>
> 
> CC: Alex
>
Re: [PATCH] linux-user/elfload: fix address calculation in fallback scenario
Posted by Laurent Vivier 4 years, 8 months ago 
Le 31/01/2021 à 07:19, Vincent Fazio a écrit :
> From: Vincent Fazio <vfazio@gmail.com>
> 
> Previously, guest_loaddr was not taken into account when returning an
> address from pgb_find_hole when /proc/self/maps was unavailable which
> caused an improper guest_base address to be calculated.
> 
> This could cause a SIGSEGV later in load_elf_image -> target_mmap for
> ET_EXEC type images since the mmap MAP_FIXED flag is specified which
> could clobber existing mappings at the address returnd by g2h().
> 
>   mmap(0xd87000, 16846912, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE|0x100000, -1, 0) = 0xd87000
>   munmap(0xd87000, 16846912)              = 0
>   write(2, "Locating guest address space @ 0"..., 40Locating guest address space @ 0xd87000) = 40
>   mmap(0x1187000, 16850944, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x1187000
>   --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x2188310} ---
>   +++ killed by SIGSEGV +++
> 
> Now, pgd_find_hole accounts for guest_loaddr in this scenario.
> 
> Fixes: ad592e37dfcc ("linux-user: provide fallback pgd_find_hole for bare chroots")
> Signed-off-by: Vincent Fazio <vfazio@gmail.com>
> ---
>  linux-user/elfload.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/linux-user/elfload.c b/linux-user/elfload.c
> index 8d425f9ed0..6d606b9442 100644
> --- a/linux-user/elfload.c
> +++ b/linux-user/elfload.c
> @@ -2242,7 +2242,8 @@ static uintptr_t pgb_find_hole(uintptr_t guest_loaddr, uintptr_t guest_size,
>      brk = (uintptr_t)sbrk(0);
>  
>      if (!maps) {
> -        return pgd_find_hole_fallback(guest_size, brk, align, offset);
> +        ret = pgd_find_hole_fallback(guest_size, brk, align, offset);
> +        return ret - guest_loaddr;
>      }
>  
>      /* The first hole is before the first map entry. */
> 

Applied to my linux-user-for-6.0 branch.

Thanks,
Laurent

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.