+16 -6

tests/multiboot/Makefile

··· 3 3 ASFLAGS=-m32 4 4 5 5 LD=ld 6 6 - LDFLAGS=-melf_i386 -T link.ld 6 6 + LDFLAGS_ELF=-melf_i386 -T link.ld 7 7 + LDFLAGS_BIN=-melf_i386 -T link.ld --oformat=binary 7 8 LIBS=$(shell $(CC) $(CCFLAGS) -print-libgcc-file-name) 8 9 9 9 - all: mmap.elf modules.elf 10 10 + AOUT_KLUDGE_BIN=$(foreach x,$(shell seq 1 9),aout_kludge_$x.bin) 10 11 11 11 - mmap.elf: start.o mmap.o libc.o 12 12 - $(LD) $(LDFLAGS) -o $@ $^ $(LIBS) 12 12 + all: mmap.elf modules.elf $(AOUT_KLUDGE_BIN) 13 13 14 14 - modules.elf: start.o modules.o libc.o 15 15 - $(LD) $(LDFLAGS) -o $@ $^ $(LIBS) 14 14 + mmap.elf: start.o mmap.o libc.o link.ld 15 15 + $(LD) $(LDFLAGS_ELF) -o $@ $^ $(LIBS) 16 16 + 17 17 + modules.elf: start.o modules.o libc.o link.ld 18 18 + $(LD) $(LDFLAGS_ELF) -o $@ $^ $(LIBS) 19 19 + 20 20 + aout_kludge_%.bin: aout_kludge_%.o link.ld 21 21 + $(LD) $(LDFLAGS_BIN) -o $@ $^ $(LIBS) 22 22 + 23 23 + .PRECIOUS: aout_kludge_%.o 24 24 + aout_kludge_%.o: aout_kludge.S 25 25 + $(CC) $(ASFLAGS) -DSCENARIO=$* -c -o $@ $^ 16 26 17 27 %.o: %.c 18 28 $(CC) $(CCFLAGS) -c -o $@ $^

+138

tests/multiboot/aout_kludge.S

··· 1 1 + /* 2 2 + * Copyright (c) 2018 Kevin Wolf <kwolf@redhat.com> 3 3 + * 4 4 + * Permission is hereby granted, free of charge, to any person obtaining a copy 5 5 + * of this software and associated documentation files (the "Software"), to deal 6 6 + * in the Software without restriction, including without limitation the rights 7 7 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 8 8 + * copies of the Software, and to permit persons to whom the Software is 9 9 + * furnished to do so, subject to the following conditions: 10 10 + * 11 11 + * The above copyright notice and this permission notice shall be included in 12 12 + * all copies or substantial portions of the Software. 13 13 + * 14 14 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 15 15 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 16 16 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL 17 17 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 18 18 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 19 19 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 20 20 + * THE SOFTWARE. 21 21 + */ 22 22 + 23 23 + .section multiboot 24 24 + 25 25 + #define MB_MAGIC 0x1badb002 26 26 + #define MB_FLAGS 0x10000 27 27 + #define MB_CHECKSUM -(MB_MAGIC + MB_FLAGS) 28 28 + 29 29 + .align 4 30 30 + .int MB_MAGIC 31 31 + .int MB_FLAGS 32 32 + .int MB_CHECKSUM 33 33 + 34 34 + #define LAST_BYTE_VALUE 0xa5 35 35 + 36 36 + /* 37 37 + * Order of fields in the a.out kludge header fields: 38 38 + * 39 39 + * header_addr 40 40 + * load_addr 41 41 + * load_end_addr 42 42 + * bss_end_addr 43 43 + * entry_addr 44 44 + */ 45 45 + #if SCENARIO == 1 46 46 + /* Well-behaved kernel file with explicit bss_end */ 47 47 + .int 0x100000 48 48 + .int 0x100000 49 49 + .int data_end 50 50 + .int data_end 51 51 + .int _start 52 52 + #elif SCENARIO == 2 53 53 + /* Well-behaved kernel file with default bss_end */ 54 54 + .int 0x100000 55 55 + .int 0x100000 56 56 + .int data_end 57 57 + .int 0 58 58 + .int _start 59 59 + #elif SCENARIO == 3 60 60 + /* Well-behaved kernel file with default load_end */ 61 61 + .int 0x100000 62 62 + .int 0x100000 63 63 + .int 0 64 64 + .int 0 65 65 + .int _start 66 66 + #elif SCENARIO == 4 67 67 + /* Well-behaved kernel file with load_end < data_end and bss > data_end */ 68 68 + #undef LAST_BYTE_VALUE 69 69 + #define LAST_BYTE_VALUE 0 70 70 + .int 0x100000 71 71 + .int 0x100000 72 72 + .int code_end 73 73 + .int 0x140000 74 74 + .int _start 75 75 + #elif SCENARIO == 5 76 76 + /* header < load */ 77 77 + .int 0x10000 78 78 + .int 0x100000 79 79 + .int data_end 80 80 + .int data_end 81 81 + .int _start 82 82 + #elif SCENARIO == 6 83 83 + /* load_end < load */ 84 84 + .int 0x100000 85 85 + .int 0x100000 86 86 + .int 0x10000 87 87 + .int data_end 88 88 + .int _start 89 89 + #elif SCENARIO == 7 90 90 + /* header much larger than in reality with default load_end */ 91 91 + .int 0x80000000 92 92 + .int 0x100000 93 93 + .int 0 94 94 + .int data_end 95 95 + .int _start 96 96 + #elif SCENARIO == 8 97 97 + /* bss_end < load_end - load (regression test for CVE-2018-7550) */ 98 98 + .int 0x100000 99 99 + .int 0x100000 100 100 + .int data_end 101 101 + .int code_end 102 102 + .int _start 103 103 + #elif SCENARIO == 9 104 104 + /* Default load_end_addr, load_addr + kernel_file_size > UINT32_MAX */ 105 105 + .int 0xfffff000 106 106 + .int 0xfffff000 107 107 + .int 0 108 108 + .int 0xfffff001 109 109 + .int _start 110 110 + #else 111 111 + #error Invalid SCENARIO 112 112 + #endif 113 113 + 114 114 + .section .text 115 115 + .global _start 116 116 + _start: 117 117 + xor %eax, %eax 118 118 + 119 119 + cmpb $LAST_BYTE_VALUE, last_byte 120 120 + je passed 121 121 + or $0x1, %eax 122 122 + passed: 123 123 + 124 124 + /* Test device exit */ 125 125 + outl %eax, $0xf4 126 126 + 127 127 + cli 128 128 + hlt 129 129 + jmp . 130 130 + code_end: 131 131 + 132 132 + #if SCENARIO != 8 133 133 + .space 8192 134 134 + #endif 135 135 + 136 136 + last_byte: 137 137 + .byte 0xa5 138 138 + data_end:

+42

tests/multiboot/aout_kludge.out

··· 1 1 + 2 2 + 3 3 + 4 4 + === Running test case: aout_kludge_1.bin === 5 5 + 6 6 + 7 7 + 8 8 + === Running test case: aout_kludge_2.bin === 9 9 + 10 10 + 11 11 + 12 12 + === Running test case: aout_kludge_3.bin === 13 13 + 14 14 + 15 15 + 16 16 + === Running test case: aout_kludge_4.bin === 17 17 + 18 18 + 19 19 + 20 20 + === Running test case: aout_kludge_5.bin === 21 21 + 22 22 + qemu-system-x86_64: invalid load_addr address 23 23 + 24 24 + 25 25 + === Running test case: aout_kludge_6.bin === 26 26 + 27 27 + qemu-system-x86_64: invalid load_end_addr address 28 28 + 29 29 + 30 30 + === Running test case: aout_kludge_7.bin === 31 31 + 32 32 + qemu-system-x86_64: invalid header_addr address 33 33 + 34 34 + 35 35 + === Running test case: aout_kludge_8.bin === 36 36 + 37 37 + qemu-system-x86_64: invalid bss_end_addr address 38 38 + 39 39 + 40 40 + === Running test case: aout_kludge_9.bin === 41 41 + 42 42 + qemu-system-x86_64: kernel does not fit in address space

+8 -2

tests/multiboot/run_test.sh

··· 34 34 -device isa-debugcon,chardev=stdio \ 35 35 -chardev file,path=test.out,id=stdio \ 36 36 -device isa-debug-exit,iobase=0xf4,iosize=0x4 \ 37 37 - "$@" 37 37 + "$@" >> test.log 2>&1 38 38 ret=$? 39 39 40 40 cat test.out >> test.log ··· 67 67 run_qemu modules.elf -initrd "module.txt,module.txt argument,module.txt" 68 68 } 69 69 70 70 + aout_kludge() { 71 71 + for i in $(seq 1 9); do 72 72 + run_qemu aout_kludge_$i.bin 73 73 + done 74 74 + } 75 75 + 70 76 make all 71 77 72 72 - for t in mmap modules; do 78 78 + for t in mmap modules aout_kludge; do 73 79 74 80 echo > test.log 75 81 pass=1