
ARM compressed boot : NULL ELF section cause integer overflow
Needs Review, Public

Authored by on Sep 20 2016, 9:29 AM.



Using the latest toolchain (clang 3.8), it appears that the stack section is described with offset 0 and size 0. The load_kernel() procedure in sys/arm/arm/elf_trampoline.c parses all sections to determine the last address, but doesn't check if the header address is above KERNVIRTADDR, which causes an integer overflow.

Program Header:
0x70000001 off    0x0074f4f8 vaddr 0xc0b4f4f8 paddr 0xc0b4f4f8 align 2**2
           filesz 0x00023100 memsz 0x00023100 flags r--
      PHDR off    0x00000034 vaddr 0xc0400034 paddr 0xc0400034 align 2**2
           filesz 0x000000c0 memsz 0x000000c0 flags r-x
    INTERP off    0x006f3808 vaddr 0xc0af3808 paddr 0xc0af3808 align 2**0
           filesz 0x0000000d memsz 0x0000000d flags r--
      LOAD off    0x00000000 vaddr 0xc0400000 paddr 0xc0400000 align 2**15
           filesz 0x007b70a4 memsz 0x008ec000 flags rwx
   DYNAMIC off    0x007b703c vaddr 0xc0bb703c paddr 0xc0bb703c align 2**2
           filesz 0x00000068 memsz 0x00000068 flags rw-
     STACK off    0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**2
           filesz 0x00000000 memsz 0x00000000 flags rwx
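As an added example, not code from this revision or from elf_trampoline.c, a constructed model of the last-address scan the summary describes, fed the program headers listed above: the unchecked form lets the vaddr 0 STACK header wrap past the real end of the image, while the form that skips non-PT_LOAD headers and headers below KERNVIRTADDR does not. The value of KERNVIRTADDR, the struct layout and the load address are assumptions.

```c
#include <stdint.h>
/* Constructed model of the loader's last-address scan; KERNVIRTADDR's value,
 * the struct and the sample table are assumptions for this example, not code
 * copied from sys/arm/arm/elf_trampoline.c. */
#define KERNVIRTADDR 0xc0000000u  /* assumed kernel virtual base */
enum { PT_LOAD = 1, PT_DYNAMIC = 2, PT_INTERP = 3, PT_PHDR = 6,
       PT_GNU_STACK = 0x6474e551, PT_ARM_EXIDX = 0x70000001 };
typedef struct { uint32_t p_type, p_vaddr, p_memsz; } phdr_t;

/* Unchecked scan: every header is relocated as vaddr - KERNVIRTADDR, so the
 * STACK header with vaddr 0 wraps to 0x40000000 and wins as "last" address. */
uint32_t last_addr_unchecked(const phdr_t *ph, int n, uint32_t curaddr)
{
    uint32_t last = 0;
    for (int i = 0; i < n; i++) {
        uint32_t end = ph[i].p_vaddr - KERNVIRTADDR + curaddr + ph[i].p_memsz;
        if (end > last)
            last = end;
    }
    return last;
}

/* Checked scan: only PT_LOAD headers whose vaddr is at or above the kernel
 * base are relocated; anything else is skipped instead of wrapping. */
uint32_t last_addr_checked(const phdr_t *ph, int n, uint32_t curaddr)
{
    uint32_t last = 0;
    for (int i = 0; i < n; i++) {
        if (ph[i].p_type != PT_LOAD || ph[i].p_vaddr < KERNVIRTADDR)
            continue;
        uint32_t end = ph[i].p_vaddr - KERNVIRTADDR + curaddr + ph[i].p_memsz;
        if (end > last)
            last = end;
    }
    return last;
}

/* Program headers transcribed from the objdump listing above. */
const phdr_t sample[] = {
    { PT_ARM_EXIDX, 0xc0b4f4f8u, 0x00023100u },
    { PT_PHDR,      0xc0400034u, 0x000000c0u },
    { PT_INTERP,    0xc0af3808u, 0x0000000du },
    { PT_LOAD,      0xc0400000u, 0x008ec000u },
    { PT_DYNAMIC,   0xc0bb703cu, 0x00000068u },
    { PT_GNU_STACK, 0x00000000u, 0x00000000u },  /* the vaddr 0 STACK header */
};
const int sample_n = 6;
```

With an assumed load address of 0x00100000, the unchecked scan reports 0x40100000 (the wrapped STACK header) while the checked scan reports 0x00dec000, the true end of the single PT_LOAD segment.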

Diff Detail

Repository: rS FreeBSD src repository - subversion
Lint: Skipped
Unit Tests: Skipped

Event Timeline
retitled this revision from to ARM compressed boot : NULL ELF section cause integer overflow.
updated this object.
edited the test plan for this revision.
added reviewers: manu, imp.
set the repository for this revision to rS FreeBSD src repository - subversion.
added a project: ARM.