[Crash-utility] Crash-utility Digest, Vol 178, Issue 21
lijiang
lijiang at redhat.com
Thu Aug 6 03:03:15 UTC 2020
在 2020年07月30日 21:34, crash-utility-request at redhat.com 写道:
> Message: 4
> Date: Thu, 30 Jul 2020 15:34:30 +0200
> From: Mathias Krause <minipli at grsecurity.net>
> To: crash-utility at redhat.com
> Subject: [Crash-utility] [PATCH 3/3] Support core files with "unusual"
> layout
> Message-ID: <20200730133430.7773-4-minipli at grsecurity.net>
> Content-Type: text/plain; charset=US-ASCII
>
> The netdump code not only gets used for netdump/diskdump files, but also
> for kdump core files. These can also be generated with the 'vmss2core'
> tool that'll produce a slightly different format that isn't as densely
> packed as we expect it to be. In fact, the implicit assumption that the
> ELF program headers directly follow the ELF header isn't always true for
Hi, Mathias
Thanks for your patch. I agree with you, the actual files may differ.
> these files, as they may contain a small padding area after the ELF
> header -- which is totally conforming in regards to the ELF spec. This
> padding in combination with the implicit assumption of densely packed
> headers make us interpret the padding bytes as program headers which is
> obviously wrong.
>
> Support these kind of core files too by not blindly assuming the program
> headers follow the ELF header but by looking at the program header
> offset in the ELF header and use that instead. Add some guarding sanity
> checks to decline operating on obviously malicious or broken core files.
>
> To not needlessly make things too complicated, allow a "padding space" of
> up to 128 bytes only.
>
> Signed-off-by: Mathias Krause <minipli at grsecurity.net>
> ---
> netdump.c | 86 ++++++++++++++++++++++++++++++++++++++-----------------
> netdump.h | 2 ++
> 2 files changed, 61 insertions(+), 27 deletions(-)
>
> diff --git a/netdump.c b/netdump.c
> index 406416af36bf..0490bb52a8ed 100644
> --- a/netdump.c
> +++ b/netdump.c
> @@ -132,7 +132,7 @@ is_netdump(char *file, ulong source_query)
> }
> }
>
> - size = MIN_NETDUMP_ELF_HEADER_SIZE;
> + size = SAFE_NETDUMP_ELF_HEADER_SIZE;
> if ((eheader = (char *)malloc(size)) == NULL) {
> fprintf(stderr, "cannot malloc minimum ELF header buffer\n");
> clean_exit(1);
> @@ -219,8 +219,22 @@ is_netdump(char *file, ulong source_query)
> source_query))
> goto bailout;
>
> - load32 = (Elf32_Phdr *)
> - &eheader[sizeof(Elf32_Ehdr)+sizeof(Elf32_Phdr)];
For the Program Header table, could it be optional? If present, the value of
e_phoff should be non-zero, otherwise its value is zero. Would it be better
to check if the value of e_phoff is valid?
> + if (elf32->e_phoff != sizeof(Elf32_Ehdr)) {
> + if (CRASHDEBUG(1))
> + error(WARNING, "%s: first PHdr not following "
> + "EHdr (PHdr offset = %u)", file,
> + elf32->e_phoff);
> + /* it's okay as long as we've read enough data */
> + if (elf32->e_phoff > size - 2 * sizeof(Elf32_Phdr)) {
> + error(WARNING, "%s: PHdr to far into file!\n",
> + file);
> + goto bailout;
> + }
> + }
> +
> + /* skip the NOTE program header */
> + load32 = (Elf32_Phdr *)
> + &eheader[elf32->e_phoff+sizeof(Elf32_Phdr)];
>
> if ((load32->p_offset & (MIN_PAGE_SIZE-1)) ||
> (load32->p_align == 0))
> @@ -291,8 +305,22 @@ is_netdump(char *file, ulong source_query)
> source_query))
> goto bailout;
>
> - load64 = (Elf64_Phdr *)
> - &eheader[sizeof(Elf64_Ehdr)+sizeof(Elf64_Phdr)];
> + if (elf64->e_phoff != sizeof(Elf64_Ehdr)) {
> + if (CRASHDEBUG(1))
> + error(WARNING, "%s: first PHdr not following "
> + "EHdr (PHdr offset = %u)", file,
> + elf64->e_phoff);
> + /* it's okay as long as we've read enough data */
> + if (elf64->e_phoff > size - 2 * sizeof(Elf64_Phdr)) {
> + error(WARNING, "%s: PHdr to far into file!\n",
> + file);
> + goto bailout;
> + }
> + }
> +
> + /* skip the NOTE program header */
> + load64 = (Elf64_Phdr *)
> + &eheader[elf64->e_phoff+sizeof(Elf64_Phdr)];
>
> if ((load64->p_offset & (MIN_PAGE_SIZE-1)) ||
> (load64->p_align == 0))
> @@ -353,9 +381,8 @@ is_netdump(char *file, ulong source_query)
> clean_exit(1);
> }
> nd->notes32 = (Elf32_Phdr *)
> - &nd->elf_header[sizeof(Elf32_Ehdr)];
> - nd->load32 = (Elf32_Phdr *)
> - &nd->elf_header[sizeof(Elf32_Ehdr)+sizeof(Elf32_Phdr)];
> + &nd->elf_header[nd->elf32->e_phoff];
> + nd->load32 = nd->notes32 + 1;
> if (format == NETDUMP_ELF32)
> nd->page_size = (uint)nd->load32->p_align;
> dump_Elf32_Ehdr(nd->elf32);
> @@ -392,9 +419,8 @@ is_netdump(char *file, ulong source_query)
> clean_exit(1);
> }
> nd->notes64 = (Elf64_Phdr *)
> - &nd->elf_header[sizeof(Elf64_Ehdr)];
> - nd->load64 = (Elf64_Phdr *)
> - &nd->elf_header[sizeof(Elf64_Ehdr)+sizeof(Elf64_Phdr)];
> + &nd->elf_header[nd->elf64->e_phoff];
> + nd->load64 = nd->notes64 + 1;
> if (format == NETDUMP_ELF64)
> nd->page_size = (uint)nd->load64->p_align;
> dump_Elf64_Ehdr(nd->elf64);
> @@ -469,8 +495,8 @@ resize_elf_header(int fd, char *file, char **eheader_ptr, char **sect0_ptr,
> case NETDUMP_ELF32:
> case KDUMP_ELF32:
> num_pt_load_segments = elf32->e_phnum - 1;
> - header_size = sizeof(Elf32_Ehdr) + sizeof(Elf32_Phdr) +
> - (sizeof(Elf32_Phdr) * num_pt_load_segments);
> + header_size = MAX(sizeof(Elf32_Ehdr), elf32->e_phoff) +
> + (sizeof(Elf32_Phdr) * (num_pt_load_segments + 1));
> break;
>
> case NETDUMP_ELF64:
> @@ -513,8 +539,8 @@ resize_elf_header(int fd, char *file, char **eheader_ptr, char **sect0_ptr,
> } else
> num_pt_load_segments = elf64->e_phnum - 1;
>
> - header_size = sizeof(Elf64_Ehdr) + sizeof(Elf64_Phdr) +
> - (sizeof(Elf64_Phdr) * num_pt_load_segments);
> + header_size = MAX(sizeof(Elf64_Ehdr), elf64->e_phoff) +
> + (sizeof(Elf64_Phdr) * (num_pt_load_segments + 1));
> break;
> }
>
> @@ -544,7 +570,7 @@ resize_elf_header(int fd, char *file, char **eheader_ptr, char **sect0_ptr,
> {
> case NETDUMP_ELF32:
> case KDUMP_ELF32:
> - load32 = (Elf32_Phdr *)&eheader[sizeof(Elf32_Ehdr)+sizeof(Elf32_Phdr)];
> + load32 = (Elf32_Phdr *)&eheader[elf32->e_phoff+sizeof(Elf32_Phdr)];
> p_offset32 = load32->p_offset;
> for (i = 0; i < num_pt_load_segments; i++, load32 += 1) {
> if (load32->p_offset &&
> @@ -556,7 +582,7 @@ resize_elf_header(int fd, char *file, char **eheader_ptr, char **sect0_ptr,
>
> case NETDUMP_ELF64:
> case KDUMP_ELF64:
> - load64 = (Elf64_Phdr *)&eheader[sizeof(Elf64_Ehdr)+sizeof(Elf64_Phdr)];
> + load64 = (Elf64_Phdr *)&eheader[elf64->e_phoff+sizeof(Elf64_Phdr)];
> p_offset64 = load64->p_offset;
> for (i = 0; i < num_pt_load_segments; i++, load64 += 1) {
> if (load64->p_offset &&
> @@ -4459,8 +4485,12 @@ proc_kcore_init_32(FILE *fp, int kcore_fd)
> close(fd);
>
> elf32 = (Elf32_Ehdr *)&eheader[0];
> - notes32 = (Elf32_Phdr *)&eheader[sizeof(Elf32_Ehdr)];
> - load32 = (Elf32_Phdr *)&eheader[sizeof(Elf32_Ehdr)+sizeof(Elf32_Phdr)];
> + if (elf32->e_phoff > sizeof(eheader) - 2 * sizeof(Elf32_Phdr)) {
> + error(INFO, "/proc/kcore: ELF program header offset too big!\n");
> + return FALSE;
> + }
> + notes32 = (Elf32_Phdr *)&eheader[elf32->e_phoff];
> + load32 = notes32 + 1;
>
> pkd->segments = elf32->e_phnum - 1;
>
> @@ -4479,9 +4509,8 @@ proc_kcore_init_32(FILE *fp, int kcore_fd)
> }
>
> BCOPY(&eheader[0], &pkd->elf_header[0], pkd->header_size);
> - pkd->notes32 = (Elf32_Phdr *)&pkd->elf_header[sizeof(Elf32_Ehdr)];
> - pkd->load32 = (Elf32_Phdr *)
> - &pkd->elf_header[sizeof(Elf32_Ehdr)+sizeof(Elf32_Phdr)];
> + pkd->notes32 = (Elf32_Phdr *)&pkd->elf_header[elf32->e_phoff];
> + pkd->load32 = pkd->notes32 + 1;
> pkd->flags |= KCORE_ELF32;
>
> kcore_memory_dump(CRASHDEBUG(1) ? fp : pc->nullfp);
> @@ -4529,8 +4558,12 @@ proc_kcore_init_64(FILE *fp, int kcore_fd)
> close(fd);
>
> elf64 = (Elf64_Ehdr *)&eheader[0];
> - notes64 = (Elf64_Phdr *)&eheader[sizeof(Elf64_Ehdr)];
> - load64 = (Elf64_Phdr *)&eheader[sizeof(Elf64_Ehdr)+sizeof(Elf64_Phdr)];
> + if (elf64->e_phoff > sizeof(eheader) - 2 * sizeof(Elf64_Phdr)) {
> + error(INFO, "/proc/kcore: ELF program header offset too big!\n");
> + return FALSE;
> + }
> + notes64 = (Elf64_Phdr *)&eheader[elf64->e_phoff];
> + load64 = notes64 + 1;
>
> pkd->segments = elf64->e_phnum - 1;
>
> @@ -4550,9 +4583,8 @@ proc_kcore_init_64(FILE *fp, int kcore_fd)
> }
>
> BCOPY(&eheader[0], &pkd->elf_header[0], pkd->header_size);
> - pkd->notes64 = (Elf64_Phdr *)&pkd->elf_header[sizeof(Elf64_Ehdr)];
> - pkd->load64 = (Elf64_Phdr *)
> - &pkd->elf_header[sizeof(Elf64_Ehdr)+sizeof(Elf64_Phdr)];
> + pkd->notes64 = (Elf64_Phdr *)&pkd->elf_header[elf64->e_phoff];
> + pkd->load64 = pkd->notes64 + 1;
> pkd->flags |= KCORE_ELF64;
>
> kcore_memory_dump(CRASHDEBUG(1) ? fp : pc->nullfp);
> diff --git a/netdump.h b/netdump.h
> index 7fa04f7c3a0f..844279bc4a00 100644
> --- a/netdump.h
> +++ b/netdump.h
> @@ -25,6 +25,8 @@
> sizeof(Elf64_Ehdr)+sizeof(Elf64_Phdr)+sizeof(Elf64_Phdr)
> #define MIN_NETDUMP_ELF_HEADER_SIZE \
> MAX(MIN_NETDUMP_ELF32_HEADER_SIZE, MIN_NETDUMP_ELF64_HEADER_SIZE)
> +#define SAFE_NETDUMP_ELF_HEADER_SIZE \
> + (MIN_NETDUMP_ELF_HEADER_SIZE+128)
>
Can you please describe more details why the size of padding area is 128 bytes?
Are there any particular reasons?
Thanks.
Lianbo
> #define NT_TASKSTRUCT 4
> #define NT_DISKDUMP 0x70000001
> -- 2.20.1
More information about the Crash-utility
mailing list