
ARM compressed boot : NULL ELF section cause integer overflow
Needs Review (Public)

Authored by soutade_gmail.com on Sep 20 2016, 9:29 AM.

Details

Reviewers
manu
imp
Summary

Using the latest toolchain (clang 3.8), it appears that the stack section is described with offset 0 and size 0. The load_kernel() procedure in sys/arm/arm/elf_trampoline.c parses all sections to determine the last address, but doesn't check whether the header address is above KERNVIRTADDR, which causes an integer overflow.

Program Header:
0x70000001 off    0x0074f4f8 vaddr 0xc0b4f4f8 paddr 0xc0b4f4f8 align 2**2
         filesz 0x00023100 memsz 0x00023100 flags r--
    PHDR off    0x00000034 vaddr 0xc0400034 paddr 0xc0400034 align 2**2
         filesz 0x000000c0 memsz 0x000000c0 flags r-x
  INTERP off    0x006f3808 vaddr 0xc0af3808 paddr 0xc0af3808 align 2**0
         filesz 0x0000000d memsz 0x0000000d flags r--
    LOAD off    0x00000000 vaddr 0xc0400000 paddr 0xc0400000 align 2**15
         filesz 0x007b70a4 memsz 0x008ec000 flags rwx
 DYNAMIC off    0x007b703c vaddr 0xc0bb703c paddr 0xc0bb703c align 2**2
         filesz 0x00000068 memsz 0x00000068 flags rw-
   STACK off    0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**2
         filesz 0x00000000 memsz 0x00000000 flags rwx
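The arithmetic the summary describes, as an added example that is not the revision's own diff nor the code in elf_trampoline.c: a scan over the program headers above, transcribed as a constructed table, computing each header's end offset as p_vaddr - KERNVIRTADDR + p_memsz. The unchecked variant lets the STACK header (vaddr 0) wrap to 1 GiB; the checked variant skips any header below KERNVIRTADDR. KERNVIRTADDR = 0xc0000000 is an assumed value consistent with the vaddrs shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed: FreeBSD/arm kernels in this layout link at 0xc0000000. */
#define KERNVIRTADDR 0xc0000000u

#define PT_LOAD      1
#define PT_GNU_STACK 0x6474e551u

/* Stand-in for Elf32_Phdr carrying only the fields the scan uses. */
struct phdr {
	uint32_t p_type;
	uint32_t p_vaddr;
	uint32_t p_memsz;
};

/* Constructed sample: the program headers from the objdump output above. */
static const struct phdr sample[] = {
	{ 0x70000001u, 0xc0b4f4f8u, 0x00023100u }, /* PT_ARM_EXIDX */
	{ 6u,          0xc0400034u, 0x000000c0u }, /* PT_PHDR */
	{ 3u,          0xc0af3808u, 0x0000000du }, /* PT_INTERP */
	{ PT_LOAD,     0xc0400000u, 0x008ec000u },
	{ 2u,          0xc0bb703cu, 0x00000068u }, /* PT_DYNAMIC */
	{ PT_GNU_STACK, 0x00000000u, 0x00000000u }, /* vaddr 0, size 0 */
};
#define SAMPLE_COUNT (sizeof(sample) / sizeof(sample[0]))

/* Unchecked scan: 0 - KERNVIRTADDR wraps to 0x40000000 for the STACK header. */
uint32_t lastaddr_unchecked(const struct phdr *ph, size_t n)
{
	uint32_t last = 0;
	for (size_t i = 0; i < n; i++) {
		uint32_t end = ph[i].p_vaddr - KERNVIRTADDR + ph[i].p_memsz;
		if (end > last)
			last = end;
	}
	return last;
}

/* Checked scan: ignore headers whose vaddr lies below KERNVIRTADDR. */
uint32_t lastaddr_checked(const struct phdr *ph, size_t n)
{
	uint32_t last = 0;
	for (size_t i = 0; i < n; i++) {
		if (ph[i].p_vaddr < KERNVIRTADDR)
			continue;
		uint32_t end = ph[i].p_vaddr - KERNVIRTADDR + ph[i].p_memsz;
		if (end > last)
			last = end;
	}
	return last;
}
```

With the sample table the unchecked scan returns 0x40000000 while the checked one returns 0x00cec000, the true end of the LOAD segment.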

Diff Detail

Repository
rS FreeBSD src repository - subversion
