Re: [PATCH] Remove -static from Documentation/lguest/Makefile
From: Rusty Russell
Date: Fri Jul 20 2007 - 08:03:28 EST
On Thu, 2007-07-19 at 23:13 +0300, S.Çağlar Onur wrote:
> Hi;
>
> Remove -static from Documentation/lguest/Makefile, most distros only provides shared library form of zlib in their default installation.
> And shared linking also provides litte tiny security for hypotetical security problems will be introduced by zlib :).
Unfortunately, this introduces a security hole. See, the guest can
access all memory up to LGUEST_GUEST_TOP, or 0xB8000000 on my machine.
Without -static, we look like this:
> cat /proc/4137/maps
b7e0b000-b7e0d000 rw-p b7e0b000 00:00 0
b7e0d000-b7f35000 r-xp 00000000 03:03 17069 /lib/tls/libc-2.3.6.so
b7f35000-b7f3a000 r--p 00127000 03:03 17069 /lib/tls/libc-2.3.6.so
b7f3a000-b7f3c000 rw-p 0012c000 03:03 17069 /lib/tls/libc-2.3.6.so
b7f3c000-b7f3f000 rw-p b7f3c000 00:00 0
b7f3f000-b7f52000 r-xp 00000000 03:03 389723 /usr/lib/libz.so.1.2.3
b7f52000-b7f53000 rw-p 00012000 03:03 389723 /usr/lib/libz.so.1.2.3
b7f5b000-b7f5d000 rw-p b7f5b000 00:00 0
b7f5d000-b7f5e000 r-xp b7f5d000 00:00 0 [vdso]
b7f5e000-b7f73000 r-xp 00000000 03:03 16351 /lib/ld-2.3.6.so
b7f73000-b7f75000 rw-p 00014000 03:03 16351 /lib/ld-2.3.6.so
b8000000-b8004000 r-xp 00000000 03:04
2485028 /home/rusty/linux-2.6.22-git13/Documentation/lguest/lguest
b8004000-b8005000 rw-p 00004000 03:04
2485028 /home/rusty/linux-2.6.22-git13/Documentation/lguest/lguest
bfecd000-bfee3000 rw-p bfecd000 00:00 0 [stack]
Whee! Guest can overwrite our libc, libz, ld.so. Also, we allocate
pages for virtual devices from B8000000 down, so we might not run very
far if we've blatted those libraries.
The correct solution is to allocate upwards, and then hand the top
address we got to the kernel as the highest accessible guest address.
How's this?
===
Link lguest example launcher non-static
S.Caglar Onur points out that many distributions don't ship a static
zlib. Unfortunately the launcher currently maps virtual device memory
where shared libraries want to go.
The solution is to pre-scan the args to figure out how much memory we
have, then allocate devices above that, rather than down from the top.
Signed-off-by: Rusty Russell <rusty@xxxxxxxxxxxxxxx>
diff -r d9973bf15010 Documentation/lguest/Makefile
--- a/Documentation/lguest/Makefile Fri Jul 20 21:40:49 2007 +1000
+++ b/Documentation/lguest/Makefile Fri Jul 20 21:41:44 2007 +1000
@@ -11,8 +11,7 @@ include $(KBUILD_OUTPUT)/.config
include $(KBUILD_OUTPUT)/.config
LGUEST_GUEST_TOP := ($(CONFIG_PAGE_OFFSET) - 0x08000000)
-CFLAGS:=-Wall -Wmissing-declarations -Wmissing-prototypes -O3 \
- -static -DLGUEST_GUEST_TOP="$(LGUEST_GUEST_TOP)" -Wl,-T,lguest.lds
+CFLAGS:=-Wall -Wmissing-declarations -Wmissing-prototypes -O3 -Wl,-T,lguest.lds
LDLIBS:=-lz
all: lguest.lds lguest
diff -r d9973bf15010 Documentation/lguest/lguest.c
--- a/Documentation/lguest/lguest.c Fri Jul 20 21:40:49 2007 +1000
+++ b/Documentation/lguest/lguest.c Fri Jul 20 21:55:07 2007 +1000
@@ -47,12 +47,14 @@ static bool verbose;
#define verbose(args...) \
do { if (verbose) printf(args); } while(0)
static int waker_fd;
+static u32 top;
struct device_list
{
fd_set infds;
int max_infd;
+ struct lguest_device_desc *descs;
struct device *dev;
struct device **lastdev;
};
@@ -324,8 +326,7 @@ static int tell_kernel(u32 pgdir, u32 st
static int tell_kernel(u32 pgdir, u32 start, u32 page_offset)
{
u32 args[] = { LHREQ_INITIALIZE,
- LGUEST_GUEST_TOP/getpagesize(), /* Just below us */
- pgdir, start, page_offset };
+ top/getpagesize(), pgdir, start, page_offset };
int fd;
fd = open_or_die("/dev/lguest", O_RDWR);
@@ -382,7 +383,7 @@ static void *_check_pointer(unsigned lon
static void *_check_pointer(unsigned long addr, unsigned int size,
unsigned int line)
{
- if (addr >= LGUEST_GUEST_TOP || addr + size >= LGUEST_GUEST_TOP)
+ if (addr >= top || addr + size >= top)
errx(1, "%s:%i: Invalid address %li", __FILE__, line, addr);
return (void *)addr;
}
@@ -629,24 +630,26 @@ static void handle_input(int fd, struct
}
}
-static struct lguest_device_desc *new_dev_desc(u16 type, u16 features,
- u16 num_pages)
-{
- static unsigned long top = LGUEST_GUEST_TOP;
- struct lguest_device_desc *desc;
-
- desc = malloc(sizeof(*desc));
- desc->type = type;
- desc->num_pages = num_pages;
- desc->features = features;
- desc->status = 0;
- if (num_pages) {
- top -= num_pages*getpagesize();
- map_zeroed_pages(top, num_pages);
- desc->pfn = top / getpagesize();
- } else
- desc->pfn = 0;
- return desc;
+static struct lguest_device_desc *
+new_dev_desc(struct lguest_device_desc *descs,
+ u16 type, u16 features, u16 num_pages)
+{
+ unsigned int i;
+
+ for (i = 0; i < LGUEST_MAX_DEVICES; i++) {
+ if (!descs[i].type) {
+ descs[i].type = type;
+ descs[i].features = features;
+ descs[i].num_pages = num_pages;
+ if (num_pages) {
+ map_zeroed_pages(top, num_pages);
+ descs[i].pfn = top/getpagesize();
+ top += num_pages*getpagesize();
+ }
+ return &descs[i];
+ }
+ }
+ errx(1, "too many devices");
}
static struct device *new_device(struct device_list *devices,
@@ -669,7 +672,7 @@ static struct device *new_device(struct
dev->fd = fd;
if (handle_input)
set_fd(dev->fd, devices);
- dev->desc = new_dev_desc(type, features, num_pages);
+ dev->desc = new_dev_desc(devices->descs, type, features, num_pages);
dev->mem = (void *)(dev->desc->pfn * getpagesize());
dev->handle_input = handle_input;
dev->watch_key = (unsigned long)dev->mem + watch_off;
@@ -866,30 +869,6 @@ static void setup_tun_net(const char *ar
verbose("attached to bridge: %s\n", br_name);
}
-/* Now we know how much memory we have, we copy in device descriptors */
-static void map_device_descriptors(struct device_list *devs, unsigned long mem)
-{
- struct device *i;
- unsigned int num;
- struct lguest_device_desc *descs;
-
- /* Device descriptor array sits just above top of normal memory */
- descs = map_zeroed_pages(mem, 1);
-
- for (i = devs->dev, num = 0; i; i = i->next, num++) {
- if (num == LGUEST_MAX_DEVICES)
- errx(1, "too many devices");
- verbose("Device %i: %s\n", num,
- i->desc->type == LGUEST_DEVICE_T_NET ? "net"
- : i->desc->type == LGUEST_DEVICE_T_CONSOLE ? "console"
- : i->desc->type == LGUEST_DEVICE_T_BLOCK ? "block"
- : "unknown");
- descs[num] = *i->desc;
- free(i->desc);
- i->desc = &descs[num];
- }
-}
-
static void __attribute__((noreturn))
run_guest(int lguest_fd, struct device_list *device_list)
{
@@ -934,8 +913,8 @@ static void usage(void)
int main(int argc, char *argv[])
{
- unsigned long mem, pgdir, start, page_offset, initrd_size = 0;
- int c, lguest_fd;
+ unsigned long mem = 0, pgdir, start, page_offset, initrd_size = 0;
+ int i, c, lguest_fd;
struct device_list device_list;
void *boot = (void *)0;
const char *initrd_name = NULL;
@@ -945,6 +924,15 @@ int main(int argc, char *argv[])
device_list.lastdev = &device_list.dev;
FD_ZERO(&device_list.infds);
+ /* We need to know how much memory so we can allocate devices. */
+ for (i = 1; i < argc; i++) {
+ if (argv[i][0] != '-') {
+ mem = top = atoi(argv[i]) * 1024 * 1024;
+ device_list.descs = map_zeroed_pages(top, 1);
+ top += getpagesize();
+ break;
+ }
+ }
while ((c = getopt_long(argc, argv, "v", opts, NULL)) != EOF) {
switch (c) {
case 'v':
@@ -974,15 +962,11 @@ int main(int argc, char *argv[])
setup_console(&device_list);
/* First we map /dev/zero over all of guest-physical memory. */
- mem = atoi(argv[optind]) * 1024 * 1024;
map_zeroed_pages(0, mem / getpagesize());
/* Now we load the kernel */
start = load_kernel(open_or_die(argv[optind+1], O_RDONLY),
&page_offset);
-
- /* Write the device descriptors into memory. */
- map_device_descriptors(&device_list, mem);
/* Map the initrd image if requested */
if (initrd_name) {
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/