From 08f3a96b33e7eef39b651af9edb5e6de8ff13371 Mon Sep 17 00:00:00 2001 From: Nicolas Surbayrole Date: Mon, 8 Mar 2021 10:19:59 +0100 Subject: [PATCH 1/5] linux-user: Fix executable page of /proc/self/maps MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The guest binary and libraries are not always map with the executable bit in the host process. The guest may read a /proc/self/maps with no executable address range. The perm fields should be based on the guest permission inside Qemu. Signed-off-by: Nicolas Surbayrole Reviewed-by: Richard Henderson Acked-by: Alex Bennée Message-Id: <20210308091959.986540-1-nsurbayrole@quarkslab.com> Signed-off-by: Laurent Vivier --- linux-user/syscall.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 9522f603aa..1e508576c7 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -7890,9 +7890,9 @@ static int open_self_maps(void *cpu_env, int fd) count = dprintf(fd, TARGET_ABI_FMT_ptr "-" TARGET_ABI_FMT_ptr " %c%c%c%c %08" PRIx64 " %s %"PRId64, h2g(min), h2g(max - 1) + 1, - e->is_read ? 'r' : '-', - e->is_write ? 'w' : '-', - e->is_exec ? 'x' : '-', + (flags & PAGE_READ) ? 'r' : '-', + (flags & PAGE_WRITE_ORG) ? 'w' : '-', + (flags & PAGE_EXEC) ? 'x' : '-', e->is_priv ? 'p' : '-', (uint64_t) e->offset, e->dev, e->inode); if (path) { From 6e1c0d7b951e19c53b8467e8bc4b71ee73a394ea Mon Sep 17 00:00:00 2001 From: Laurent Vivier Date: Mon, 22 Feb 2021 11:50:04 +0100 Subject: [PATCH 2/5] linux-user: manage binfmt-misc preserve-arg[0] flag Add --preserve-argv0 in qemu-binfmt-conf.sh to configure the preserve-argv0 flag. This patch allows to use new flag in AT_FLAGS to detect if preserve-argv0 is configured for this interpreter: argv[0] (the full pathname provided by binfmt-misc) is removed and replaced by argv[1] (the original argv[0] provided by binfmt-misc when 'P'/preserve-arg[0] is set) For instance with this patch and kernel support for AT_FLAGS: $ sudo chroot m68k-chroot sh -c 'echo $0' sh without this patch: $ sudo chroot m68k-chroot sh -c 'echo $0' /usr/bin/sh The new flag is available in kernel (v5.12) since: 2347961b11d4 ("binfmt_misc: pass binfmt_misc flags to the interpreter") This can be tested with something like: # cp ..../qemu-ppc /chroot/powerpc/jessie # qemu-binfmt-conf.sh --qemu-path / --systemd ppc --credential yes \ --persistent no --preserve-argv0 yes # systemctl restart systemd-binfmt.service # cat /proc/sys/fs/binfmt_misc/qemu-ppc enabled interpreter //qemu-ppc flags: POC offset 0 magic 7f454c4601020100000000000000000000020014 mask ffffffffffffff00fffffffffffffffffffeffff # chroot /chroot/powerpc/jessie sh -c 'echo $0' sh # qemu-binfmt-conf.sh --qemu-path / --systemd ppc --credential yes \ --persistent no --preserve-argv0 no # systemctl restart systemd-binfmt.service # cat /proc/sys/fs/binfmt_misc/qemu-ppc enabled interpreter //qemu-ppc flags: OC offset 0 magic 7f454c4601020100000000000000000000020014 mask ffffffffffffff00fffffffffffffffffffeffff # chroot /chroot/powerpc/jessie sh -c 'echo $0' /bin/sh Signed-off-by: Laurent Vivier Message-Id: <20210222105004.1642234-1-laurent@vivier.eu> --- linux-user/main.c | 24 ++++++++++++++++++++ scripts/qemu-binfmt-conf.sh | 44 +++++++++++++++++++++++-------------- 2 files changed, 51 insertions(+), 17 deletions(-) diff --git a/linux-user/main.c b/linux-user/main.c index 4f4746dce8..f956afccab 100644 --- a/linux-user/main.c +++ b/linux-user/main.c @@ -26,6 +26,7 @@ #include #include #include +#include #include "qapi/error.h" #include "qemu.h" @@ -49,6 +50,11 @@ #include "cpu_loop-common.h" #include "crypto/init.h" +#ifndef AT_FLAGS_PRESERVE_ARGV0 +#define AT_FLAGS_PRESERVE_ARGV0_BIT 0 +#define AT_FLAGS_PRESERVE_ARGV0 (1 << AT_FLAGS_PRESERVE_ARGV0_BIT) +#endif + char *exec_path; int singlestep; @@ -632,6 +638,7 @@ int main(int argc, char **argv, char **envp) int execfd; int log_mask; unsigned long max_reserved_va; + bool preserve_argv0; error_init(argv[0]); module_call_init(MODULE_INIT_TRACE); @@ -688,6 +695,9 @@ int main(int argc, char **argv, char **envp) init_qemu_uname_release(); + /* + * Manage binfmt-misc open-binary flag + */ execfd = qemu_getauxval(AT_EXECFD); if (execfd == 0) { execfd = open(exec_path, O_RDONLY); @@ -697,6 +707,20 @@ int main(int argc, char **argv, char **envp) } } + /* + * get binfmt_misc flags + */ + preserve_argv0 = !!(qemu_getauxval(AT_FLAGS) & AT_FLAGS_PRESERVE_ARGV0); + + /* + * Manage binfmt-misc preserve-arg[0] flag + * argv[optind] full path to the binary + * argv[optind + 1] original argv[0] + */ + if (optind + 1 < argc && preserve_argv0) { + optind++; + } + if (cpu_model == NULL) { cpu_model = cpu_get_model(get_elf_eflags(execfd)); } diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh index 7b5d54b887..573b5dc6ac 100755 --- a/scripts/qemu-binfmt-conf.sh +++ b/scripts/qemu-binfmt-conf.sh @@ -178,25 +178,27 @@ usage() { Usage: qemu-binfmt-conf.sh [--qemu-path PATH][--debian][--systemd CPU] [--help][--credential yes|no][--exportdir PATH] [--persistent yes|no][--qemu-suffix SUFFIX] + [--preserve-argv0 yes|no] Configure binfmt_misc to use qemu interpreter - --help: display this usage - --qemu-path: set path to qemu interpreter ($QEMU_PATH) - --qemu-suffix: add a suffix to the default interpreter name - --debian: don't write into /proc, - instead generate update-binfmts templates - --systemd: don't write into /proc, - instead generate file for systemd-binfmt.service - for the given CPU. If CPU is "ALL", generate a - file for all known cpus - --exportdir: define where to write configuration files - (default: $SYSTEMDDIR or $DEBIANDIR) - --credential: if yes, credential and security tokens are - calculated according to the binary to interpret - --persistent: if yes, the interpreter is loaded when binfmt is - configured and remains in memory. All future uses - are cloned from the open file. + --help: display this usage + --qemu-path: set path to qemu interpreter ($QEMU_PATH) + --qemu-suffix: add a suffix to the default interpreter name + --debian: don't write into /proc, + instead generate update-binfmts templates + --systemd: don't write into /proc, + instead generate file for systemd-binfmt.service + for the given CPU. If CPU is "ALL", generate a + file for all known cpus + --exportdir: define where to write configuration files + (default: $SYSTEMDDIR or $DEBIANDIR) + --credential: if yes, credential and security tokens are + calculated according to the binary to interpret + --persistent: if yes, the interpreter is loaded when binfmt is + configured and remains in memory. All future uses + are cloned from the open file. + --preserve-argv0 preserve argv[0] To import templates with update-binfmts, use : @@ -269,6 +271,9 @@ qemu_generate_register() { if [ "$PERSISTENT" = "yes" ] ; then flags="${flags}F" fi + if [ "$PRESERVE_ARG0" = "yes" ] ; then + flags="${flags}P" + fi echo ":qemu-$cpu:M::$magic:$mask:$qemu:$flags" } @@ -330,9 +335,10 @@ DEBIANDIR="/usr/share/binfmts" QEMU_PATH=/usr/local/bin CREDENTIAL=no PERSISTENT=no +PRESERVE_ARG0=no QEMU_SUFFIX="" -options=$(getopt -o ds:Q:S:e:hc:p: -l debian,systemd:,qemu-path:,qemu-suffix:,exportdir:,help,credential:,persistent: -- "$@") +options=$(getopt -o ds:Q:S:e:hc:p:g: -l debian,systemd:,qemu-path:,qemu-suffix:,exportdir:,help,credential:,persistent:,preserve-argv0: -- "$@") eval set -- "$options" while true ; do @@ -388,6 +394,10 @@ while true ; do shift PERSISTENT="$1" ;; + -g|--preserve-argv0) + shift + PRESERVE_ARG0="$1" + ;; *) break ;; From 7e588fbc57397daac02cf23677d1849aab7c7507 Mon Sep 17 00:00:00 2001 From: Vincent Fazio Date: Sun, 31 Jan 2021 00:18:49 -0600 Subject: [PATCH 3/5] linux-user/elfload: munmap proper address in pgd_find_hole_fallback MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously, if the build host's libc did not define MAP_FIXED_NOREPLACE or if the running kernel didn't support that flag, it was possible for pgd_find_hole_fallback to munmap an incorrect address which could lead to SIGSEGV if the range happened to overlap with the mapped address of the QEMU binary. mmap(0x1000, 22261224, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f889d331000 munmap(0x1000, 22261224) = 0 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x84b817} --- ++ killed by SIGSEGV +++ Now, always munmap the address returned by mmap. Fixes: 2667e069e7b5 ("linux-user: don't use MAP_FIXED in pgd_find_hole_fallback") Signed-off-by: Vincent Fazio Reviewed-by: Laurent Vivier Reviewed-by: Alex Bennée Message-Id: <20210131061849.12615-1-vfazio@xes-inc.com> Signed-off-by: Laurent Vivier --- linux-user/elfload.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux-user/elfload.c b/linux-user/elfload.c index 140a971632..174ee7bad6 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -2209,7 +2209,7 @@ static uintptr_t pgd_find_hole_fallback(uintptr_t guest_size, uintptr_t brk, void * mmap_start = mmap((void *) align_start, guest_size, PROT_NONE, flags, -1, 0); if (mmap_start != MAP_FAILED) { - munmap((void *) align_start, guest_size); + munmap(mmap_start, guest_size); if (MAP_FIXED_NOREPLACE != 0 || mmap_start == (void *) align_start) { return (uintptr_t) mmap_start + offset; From 934eed517857ce2de9a8a92c2599612581b4eb4a Mon Sep 17 00:00:00 2001 From: Vincent Fazio Date: Sun, 31 Jan 2021 00:19:30 -0600 Subject: [PATCH 4/5] linux-user/elfload: do not assume MAP_FIXED_NOREPLACE kernel support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously, pgd_find_hole_fallback assumed that if the build host's libc had MAP_FIXED_NOREPLACE defined that the address returned by mmap would match the requested address. This is not a safe assumption for Linux kernels prior to 4.17 Now, we always compare mmap's resultant address with the requested address and no longer short-circuit based on MAP_FIXED_NOREPLACE. Fixes: 2667e069e7b5 ("linux-user: don't use MAP_FIXED in pgd_find_hole_fallback") Signed-off-by: Vincent Fazio Reviewed-by: Laurent Vivier Reviewed-by: Alex Bennée Message-Id: <20210131061930.14554-1-vfazio@xes-inc.com> Signed-off-by: Laurent Vivier --- linux-user/elfload.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/linux-user/elfload.c b/linux-user/elfload.c index 174ee7bad6..e525901659 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -2210,8 +2210,7 @@ static uintptr_t pgd_find_hole_fallback(uintptr_t guest_size, uintptr_t brk, PROT_NONE, flags, -1, 0); if (mmap_start != MAP_FAILED) { munmap(mmap_start, guest_size); - if (MAP_FIXED_NOREPLACE != 0 || - mmap_start == (void *) align_start) { + if (mmap_start == (void *) align_start) { return (uintptr_t) mmap_start + offset; } } From 0266e8e3b3981b492e82be20bb97e8ed9792ed00 Mon Sep 17 00:00:00 2001 From: Vincent Fazio Date: Sun, 31 Jan 2021 00:19:48 -0600 Subject: [PATCH 5/5] linux-user/elfload: fix address calculation in fallback scenario Previously, guest_loaddr was not taken into account when returning an address from pgb_find_hole when /proc/self/maps was unavailable which caused an improper guest_base address to be calculated. This could cause a SIGSEGV later in load_elf_image -> target_mmap for ET_EXEC type images since the mmap MAP_FIXED flag is specified which could clobber existing mappings at the address returnd by g2h(). mmap(0xd87000, 16846912, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE|0x100000, -1, 0) = 0xd87000 munmap(0xd87000, 16846912) = 0 write(2, "Locating guest address space @ 0"..., 40Locating guest address space @ 0xd87000) = 40 mmap(0x1187000, 16850944, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x1187000 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x2188310} --- +++ killed by SIGSEGV +++ Now, pgd_find_hole accounts for guest_loaddr in this scenario. Fixes: ad592e37dfcc ("linux-user: provide fallback pgd_find_hole for bare chroots") Signed-off-by: Vincent Fazio Reviewed-by: Laurent Vivier Message-Id: <20210131061948.15990-1-vfazio@xes-inc.com> [lv: updated it to check if ret == -1] Signed-off-by: Laurent Vivier --- linux-user/elfload.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/linux-user/elfload.c b/linux-user/elfload.c index e525901659..c6731013fd 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -2235,7 +2235,8 @@ static uintptr_t pgb_find_hole(uintptr_t guest_loaddr, uintptr_t guest_size, brk = (uintptr_t)sbrk(0); if (!maps) { - return pgd_find_hole_fallback(guest_size, brk, align, offset); + ret = pgd_find_hole_fallback(guest_size, brk, align, offset); + return ret == -1 ? -1 : ret - guest_loaddr; } /* The first hole is before the first map entry. */