1 /*
2 * parse and load elf binaries
3 *
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation;
7 * version 2.1 of the License.
8 *
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
13 *
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library; If not, see <http://www.gnu.org/licenses/>.
16 */
17
18 #ifdef __XEN__
19 #include <xen/guest_access.h>
20 #endif
21
22 #include "libelf-private.h"
23
24 /* ------------------------------------------------------------------------ */
25
26 /* Number of section header needed in order to fit the SYMTAB and STRTAB. */
27 #define ELF_BSDSYM_SECTIONS 3
28 struct elf_sym_header {
29 uint32_t size;
30 struct {
31 elf_ehdr header;
32 elf_shdr section[ELF_BSDSYM_SECTIONS];
33 } elf_header;
34 } __attribute__((packed));
35
elf_init(struct elf_binary * elf,const char * image_input,size_t size)36 elf_errorstatus elf_init(struct elf_binary *elf, const char *image_input, size_t size)
37 {
38 ELF_HANDLE_DECL(elf_shdr) shdr;
39 unsigned i, count, section, link;
40 uint64_t offset;
41
42 if ( !elf_is_elfbinary(image_input, size) )
43 {
44 elf_err(elf, "ELF: not an ELF binary\n");
45 return -1;
46 }
47
48 elf_memset_unchecked(elf, 0, sizeof(*elf));
49 elf->image_base = image_input;
50 elf->size = size;
51 elf->ehdr = ELF_MAKE_HANDLE(elf_ehdr, (elf_ptrval)image_input);
52 elf->class = elf_uval_3264(elf, elf->ehdr, e32.e_ident[EI_CLASS]);
53 elf->data = elf_uval_3264(elf, elf->ehdr, e32.e_ident[EI_DATA]);
54
55 /* Sanity check phdr. */
56 offset = elf_uval(elf, elf->ehdr, e_phoff) +
57 elf_uval(elf, elf->ehdr, e_phentsize) * elf_phdr_count(elf);
58 if ( offset > elf->size )
59 {
60 elf_err(elf, "ELF: phdr overflow (off %" PRIx64 " > size %lx)\n",
61 offset, (unsigned long)elf->size);
62 return -1;
63 }
64
65 /* Sanity check shdr. */
66 offset = elf_uval(elf, elf->ehdr, e_shoff) +
67 elf_uval(elf, elf->ehdr, e_shentsize) * elf_shdr_count(elf);
68 if ( offset > elf->size )
69 {
70 elf_err(elf, "ELF: shdr overflow (off %" PRIx64 " > size %lx)\n",
71 offset, (unsigned long)elf->size);
72 return -1;
73 }
74
75 /* Find section string table. */
76 section = elf_uval(elf, elf->ehdr, e_shstrndx);
77 shdr = elf_shdr_by_index(elf, section);
78 if ( ELF_HANDLE_VALID(shdr) )
79 elf->sec_strtab = elf_section_start(elf, shdr);
80
81 /* Find symbol table and symbol string table. */
82 count = elf_shdr_count(elf);
83 for ( i = 1; i < count; i++ )
84 {
85 shdr = elf_shdr_by_index(elf, i);
86 if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(shdr), 1) )
87 /* input has an insane section header count field */
88 break;
89 if ( elf_uval(elf, shdr, sh_type) != SHT_SYMTAB )
90 continue;
91
92 link = elf_uval(elf, shdr, sh_link);
93 if ( link == SHN_UNDEF || link >= count )
94 /* out-of-bounds link value. */
95 break;
96
97 elf->sym_tab = shdr;
98 shdr = elf_shdr_by_index(elf, link);
99 if ( !ELF_HANDLE_VALID(shdr) )
100 {
101 elf->sym_tab = ELF_INVALID_HANDLE(elf_shdr);
102 continue;
103 }
104 elf->sym_strtab = elf_section_start(elf, shdr);
105 break;
106 }
107
108 return 0;
109 }
110
111 #ifndef __XEN__
elf_call_log_callback(struct elf_binary * elf,bool iserr,const char * fmt,...)112 void elf_call_log_callback(struct elf_binary *elf, bool iserr,
113 const char *fmt,...) {
114 va_list al;
115
116 if (!elf->log_callback)
117 return;
118 if (!(iserr || elf->verbose))
119 return;
120
121 va_start(al,fmt);
122 elf->log_callback(elf, elf->log_caller_data, iserr, fmt, al);
123 va_end(al);
124 }
125
elf_set_log(struct elf_binary * elf,elf_log_callback * log_callback,void * log_caller_data,bool verbose)126 void elf_set_log(struct elf_binary *elf, elf_log_callback *log_callback,
127 void *log_caller_data, bool verbose)
128 {
129 elf->log_callback = log_callback;
130 elf->log_caller_data = log_caller_data;
131 elf->verbose = verbose;
132 }
133
elf_load_image(struct elf_binary * elf,elf_ptrval dst,elf_ptrval src,uint64_t filesz,uint64_t memsz)134 static elf_errorstatus elf_load_image(struct elf_binary *elf,
135 elf_ptrval dst, elf_ptrval src,
136 uint64_t filesz, uint64_t memsz)
137 {
138 elf_memcpy_safe(elf, dst, src, filesz);
139 elf_memset_safe(elf, dst + filesz, 0, memsz - filesz);
140 return 0;
141 }
142 #else
143
elf_set_verbose(struct elf_binary * elf)144 void elf_set_verbose(struct elf_binary *elf)
145 {
146 elf->verbose = 1;
147 }
148
elf_memcpy(struct vcpu * v,void * dst,void * src,uint64_t size)149 static elf_errorstatus elf_memcpy(struct vcpu *v, void *dst, void *src,
150 uint64_t size)
151 {
152 unsigned int res;
153
154 #ifdef CONFIG_X86
155 if ( is_hvm_vcpu(v) )
156 {
157 enum hvm_translation_result rc;
158
159 rc = hvm_copy_to_guest_phys((paddr_t)dst, src, size, v);
160 return rc != HVMTRANS_okay ? -1 : 0;
161 }
162 #endif
163
164 res = src ? raw_copy_to_guest(dst, src, size) :
165 raw_clear_guest(dst, size);
166
167 return res ? -1 : 0;
168 }
169
elf_load_image(struct elf_binary * elf,elf_ptrval dst,elf_ptrval src,uint64_t filesz,uint64_t memsz)170 static elf_errorstatus elf_load_image(struct elf_binary *elf, elf_ptrval dst, elf_ptrval src, uint64_t filesz, uint64_t memsz)
171 {
172 elf_errorstatus rc;
173 if ( filesz > ULONG_MAX || memsz > ULONG_MAX )
174 return -1;
175 /* We trust the dom0 kernel image completely, so we don't care
176 * about overruns etc. here. */
177 rc = elf_memcpy(elf->vcpu, ELF_UNSAFE_PTR(dst), ELF_UNSAFE_PTR(src),
178 filesz);
179 if ( rc != 0 )
180 return -1;
181 rc = elf_memcpy(elf->vcpu, ELF_UNSAFE_PTR(dst + filesz), NULL,
182 memsz - filesz);
183 if ( rc != 0 )
184 return -1;
185 return 0;
186 }
187 #endif
188
189 /* Calculate the required additional kernel space for the elf image */
elf_parse_bsdsyms(struct elf_binary * elf,uint64_t pstart)190 void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart)
191 {
192 uint64_t sz;
193 ELF_HANDLE_DECL(elf_shdr) shdr;
194
195 if ( !ELF_HANDLE_VALID(elf->sym_tab) )
196 {
197 elf_mark_broken(elf, "invalid ELF handle for symtab section");
198 return;
199 }
200
201 pstart = elf_round_up(elf, pstart);
202
203 /* Space to store the size of the elf image */
204 sz = sizeof(uint32_t);
205
206 /* Space for the ELF header and section headers */
207 sz += offsetof(struct elf_sym_header, elf_header.section) +
208 ELF_BSDSYM_SECTIONS * (elf_64bit(elf) ? sizeof(Elf64_Shdr) :
209 sizeof(Elf32_Shdr));
210 sz = elf_round_up(elf, sz);
211
212 /*
213 * No need to search for the symtab section header again, it's handler
214 * is stored in elf->sym_tab by the elf_init function.
215 */
216
217 /* Space for the symbol and string tables. */
218 sz = elf_round_up(elf, sz + elf_uval(elf, elf->sym_tab, sh_size));
219
220 shdr = elf_shdr_by_index(elf, elf_uval(elf, elf->sym_tab, sh_link));
221
222 if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(shdr), 1) )
223 /* input has an insane section header count field */
224 return;
225
226 if ( elf_uval(elf, shdr, sh_type) != SHT_STRTAB )
227 /* Invalid symtab -> strtab link */
228 return;
229
230 sz = elf_round_up(elf, sz + elf_uval(elf, shdr, sh_size));
231
232 elf->bsd_symtab_pstart = pstart;
233 elf->bsd_symtab_pend = pstart + sz;
234 }
235
elf_load_bsdsyms(struct elf_binary * elf)236 static void elf_load_bsdsyms(struct elf_binary *elf)
237 {
238 /*
239 * Header that is placed at the end of the kernel and allows
240 * the OS to find where the symtab and strtab have been loaded.
241 * It mimics a valid ELF file header, although it only contains
242 * a symtab and a strtab section. The layout in memory is the
243 * following:
244 *
245 * +------------------------+
246 * | |
247 * | KERNEL |
248 * | |
249 * +------------------------+ pend
250 * | ALIGNMENT |
251 * +------------------------+ bsd_symtab_pstart
252 * | |
253 * | size | bsd_symtab_pend - bsd_symtab_pstart
254 * | |
255 * +------------------------+ bsd_symtab_pstart + 4
256 * | |
257 * | ELF header |
258 * | |
259 * +------------------------+
260 * | |
261 * | ELF section header 0 | Undefined section header
262 * | |
263 * +------------------------+
264 * | |
265 * | ELF section header 1 | SYMTAB section header
266 * | |
267 * +------------------------+
268 * | |
269 * | ELF section header 2 | STRTAB section header
270 * | |
271 * +------------------------+
272 * | |
273 * | SYMTAB |
274 * | |
275 * +------------------------+
276 * | |
277 * | STRTAB |
278 * | |
279 * +------------------------+ bsd_symtab_pend
280 *
281 * NB: according to the ELF spec there's only ONE symtab per ELF
282 * file, and accordingly we will only load the corresponding
283 * strtab, so we only need three section headers in our fake ELF
284 * header (first section header is always the undefined section).
285 */
286 struct elf_sym_header header;
287 ELF_HANDLE_DECL(elf_ehdr) header_handle;
288 unsigned long shdr_size, ehdr_size, header_size;
289 ELF_HANDLE_DECL(elf_shdr) section_handle;
290 unsigned int link, rc, i;
291 elf_ptrval header_base;
292 elf_ptrval elf_header_base;
293 elf_ptrval symtab_base;
294 elf_ptrval strtab_base;
295
296 if ( !elf->bsd_symtab_pstart )
297 return;
298
299 #define elf_store_field_bitness(_elf, _hdr, _elm, _val) \
300 do { \
301 if ( elf_64bit(_elf) ) \
302 elf_store_field(_elf, _hdr, e64._elm, _val); \
303 else \
304 elf_store_field(_elf, _hdr, e32._elm, _val); \
305 } while ( 0 )
306
307 #define SYMTAB_INDEX 1
308 #define STRTAB_INDEX 2
309
310 /* Allow elf_memcpy_safe to write to header. */
311 elf_set_xdest(elf, &header, sizeof(header));
312
313 /*
314 * Calculate the position of the various elements in GUEST MEMORY SPACE.
315 * This addresses MUST only be used with elf_load_image.
316 *
317 * NB: strtab_base cannot be calculated at this point because we don't
318 * know the size of the symtab yet, and the strtab will be placed after it.
319 */
320 header_base = elf_get_ptr(elf, elf->bsd_symtab_pstart);
321 elf_header_base = elf_get_ptr(elf, elf->bsd_symtab_pstart) +
322 sizeof(uint32_t);
323 symtab_base = elf_round_up(elf, header_base + sizeof(header));
324
325 /*
326 * Set the size of the ELF header and the section headers, based on the
327 * size of our local copy.
328 */
329 ehdr_size = elf_64bit(elf) ? sizeof(header.elf_header.header.e64) :
330 sizeof(header.elf_header.header.e32);
331 shdr_size = elf_64bit(elf) ? sizeof(header.elf_header.section[0].e64) :
332 sizeof(header.elf_header.section[0].e32);
333
334 /* Fill the ELF header, copied from the original ELF header. */
335 header_handle = ELF_MAKE_HANDLE(elf_ehdr,
336 ELF_REALPTR2PTRVAL(&header.elf_header.header));
337 elf_memcpy_safe(elf, ELF_HANDLE_PTRVAL(header_handle),
338 ELF_HANDLE_PTRVAL(elf->ehdr), ehdr_size);
339
340 /*
341 * Set the ELF header size, section header entry size and version
342 * (in case we are dealing with an input ELF header that has extensions).
343 */
344 elf_store_field_bitness(elf, header_handle, e_ehsize, ehdr_size);
345 elf_store_field_bitness(elf, header_handle, e_shentsize, shdr_size);
346 elf_store_field_bitness(elf, header_handle, e_version, EV_CURRENT);
347
348 /* Set the offset to the shdr array. */
349 elf_store_field_bitness(elf, header_handle, e_shoff,
350 offsetof(typeof(header.elf_header), section));
351
352 /* Set the right number of section headers. */
353 elf_store_field_bitness(elf, header_handle, e_shnum, ELF_BSDSYM_SECTIONS);
354
355 /* Clear a couple of fields we don't use. */
356 elf_store_field_bitness(elf, header_handle, e_phoff, 0);
357 elf_store_field_bitness(elf, header_handle, e_phentsize, 0);
358 elf_store_field_bitness(elf, header_handle, e_phnum, 0);
359 elf_store_field_bitness(elf, header_handle, e_shstrndx, 0);
360
361 /*
362 * The symtab section header is going to reside in section[SYMTAB_INDEX],
363 * while the corresponding strtab is going to be placed in
364 * section[STRTAB_INDEX]. sh_offset is mangled so it points to the offset
365 * where the sections are actually loaded (relative to the ELF header
366 * location).
367 */
368 section_handle = ELF_MAKE_HANDLE(elf_shdr,
369 ELF_REALPTR2PTRVAL(&header.elf_header.section[SYMTAB_INDEX]));
370
371 elf_memcpy_safe(elf, ELF_HANDLE_PTRVAL(section_handle),
372 ELF_HANDLE_PTRVAL(elf->sym_tab),
373 shdr_size);
374
375 /* Copy the original sh_link field before mangling it. */
376 link = elf_uval(elf, section_handle, sh_link);
377
378 /* Load symtab into guest memory. */
379 rc = elf_load_image(elf, symtab_base,
380 elf_section_start(elf, section_handle),
381 elf_uval(elf, section_handle, sh_size),
382 elf_uval(elf, section_handle, sh_size));
383 if ( rc != 0 )
384 {
385 elf_mark_broken(elf, "unable to load symtab into guest memory");
386 return;
387 }
388
389 /* Adjust the sh_offset and sh_link of the copied section header. */
390 elf_store_field_bitness(elf, section_handle, sh_offset,
391 symtab_base - elf_header_base);
392 elf_store_field_bitness(elf, section_handle, sh_link,
393 STRTAB_INDEX);
394
395 /* Calculate the guest address where strtab is loaded. */
396 strtab_base = elf_round_up(elf, symtab_base +
397 elf_uval(elf, section_handle, sh_size));
398
399 /* Load strtab section header. */
400 section_handle = ELF_MAKE_HANDLE(elf_shdr,
401 ELF_REALPTR2PTRVAL(&header.elf_header.section[STRTAB_INDEX]));
402 elf_memcpy_safe(elf, ELF_HANDLE_PTRVAL(section_handle),
403 ELF_HANDLE_PTRVAL(elf_shdr_by_index(elf, link)),
404 shdr_size);
405
406 if ( elf_uval(elf, section_handle, sh_type) != SHT_STRTAB )
407 {
408 elf_mark_broken(elf, "strtab not found");
409 return;
410 }
411
412 /* Load strtab into guest memory. */
413 rc = elf_load_image(elf, strtab_base,
414 elf_section_start(elf, section_handle),
415 elf_uval(elf, section_handle, sh_size),
416 elf_uval(elf, section_handle, sh_size));
417 if ( rc != 0 )
418 {
419 elf_mark_broken(elf, "unable to load strtab into guest memory");
420 return;
421 }
422
423 elf_store_field_bitness(elf, section_handle, sh_offset,
424 strtab_base - elf_header_base);
425
426 /* Store the whole size (including headers and loaded sections). */
427 header.size = strtab_base + elf_uval(elf, section_handle, sh_size) -
428 elf_header_base;
429
430 /* Load the size plus ELF header. */
431 header_size = offsetof(typeof(header), elf_header.section);
432 rc = elf_load_image(elf, header_base, ELF_REALPTR2PTRVAL(&header),
433 header_size, header_size);
434 if ( rc != 0 )
435 {
436 elf_mark_broken(elf, "unable to load ELF headers into guest memory");
437 return;
438 }
439
440 /*
441 * Load the section headers.
442 *
443 * NB: this _must_ be done one by one, and taking the bitness into account,
444 * so that the guest can treat this as an array of type Elf{32/64}_Shdr.
445 */
446 for ( i = 0; i < ELF_BSDSYM_SECTIONS; i++ )
447 {
448 rc = elf_load_image(elf, header_base + header_size + shdr_size * i,
449 ELF_REALPTR2PTRVAL(&header.elf_header.section[i]),
450 shdr_size, shdr_size);
451 if ( rc != 0 )
452 {
453 elf_mark_broken(elf,
454 "unable to load ELF section header into guest memory");
455 return;
456 }
457 }
458
459 /* Remove permissions from elf_memcpy_safe. */
460 elf_set_xdest(elf, NULL, 0);
461
462 #undef SYMTAB_INDEX
463 #undef STRTAB_INDEX
464 #undef elf_store_field_bitness
465 }
466
elf_parse_binary(struct elf_binary * elf)467 void elf_parse_binary(struct elf_binary *elf)
468 {
469 ELF_HANDLE_DECL(elf_phdr) phdr;
470 uint64_t low = -1, high = 0, paddr, memsz;
471 uint64_t max_align = 0, palign;
472 unsigned i, count;
473
474 count = elf_phdr_count(elf);
475 for ( i = 0; i < count; i++ )
476 {
477 phdr = elf_phdr_by_index(elf, i);
478 if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(phdr), 1) )
479 /* input has an insane program header count field */
480 break;
481 if ( !elf_phdr_is_loadable(elf, phdr) )
482 continue;
483 paddr = elf_uval(elf, phdr, p_paddr);
484 memsz = elf_uval(elf, phdr, p_memsz);
485 palign = elf_uval(elf, phdr, p_align);
486 elf_msg(elf, "ELF: phdr: paddr=%#" PRIx64 " memsz=%#" PRIx64 "\n",
487 paddr, memsz);
488 if ( low > paddr )
489 low = paddr;
490 if ( high < paddr + memsz )
491 high = paddr + memsz;
492 if ( max_align < palign )
493 max_align = palign;
494 }
495 elf->pstart = low;
496 elf->pend = high;
497 elf->palign = max_align;
498 elf_msg(elf, "ELF: memory: %#" PRIx64 " -> %#" PRIx64 "\n",
499 elf->pstart, elf->pend);
500 }
501
elf_load_binary(struct elf_binary * elf)502 elf_errorstatus elf_load_binary(struct elf_binary *elf)
503 {
504 ELF_HANDLE_DECL(elf_phdr) phdr;
505 uint64_t paddr, offset, filesz, memsz;
506 unsigned i, count;
507 elf_ptrval dest;
508 /*
509 * Let bizarre ELFs write the output image up to twice; this
510 * calculation is just to ensure our copying loop is no worse than
511 * O(domain_size).
512 */
513 uint64_t remain_allow_copy = (uint64_t)elf->dest_size * 2;
514
515 count = elf_phdr_count(elf);
516 for ( i = 0; i < count; i++ )
517 {
518 phdr = elf_phdr_by_index(elf, i);
519 if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(phdr), 1) )
520 /* input has an insane program header count field */
521 break;
522 if ( !elf_phdr_is_loadable(elf, phdr) )
523 continue;
524 paddr = elf_uval(elf, phdr, p_paddr);
525 offset = elf_uval(elf, phdr, p_offset);
526 filesz = elf_uval(elf, phdr, p_filesz);
527 memsz = elf_uval(elf, phdr, p_memsz);
528 dest = elf_get_ptr(elf, paddr);
529
530 /*
531 * We need to check that the input image doesn't have us copy
532 * the whole image zillions of times, as that could lead to
533 * O(n^2) time behaviour and possible DoS by a malicous ELF.
534 */
535 if ( remain_allow_copy < memsz )
536 {
537 elf_mark_broken(elf, "program segments total to more"
538 " than the input image size");
539 break;
540 }
541 remain_allow_copy -= memsz;
542
543 elf_msg(elf,
544 "ELF: phdr %u at %#"ELF_PRPTRVAL" -> %#"ELF_PRPTRVAL"\n",
545 i, dest, (elf_ptrval)(dest + filesz));
546 if ( elf_load_image(elf, dest, ELF_IMAGE_BASE(elf) + offset, filesz, memsz) != 0 )
547 return -1;
548 }
549
550 elf_load_bsdsyms(elf);
551 return 0;
552 }
553
elf_get_ptr(struct elf_binary * elf,unsigned long addr)554 elf_ptrval elf_get_ptr(struct elf_binary *elf, unsigned long addr)
555 {
556 return ELF_REALPTR2PTRVAL(elf->dest_base) + addr - elf->pstart;
557 }
558
elf_lookup_addr(struct elf_binary * elf,const char * symbol)559 uint64_t elf_lookup_addr(struct elf_binary * elf, const char *symbol)
560 {
561 ELF_HANDLE_DECL(elf_sym) sym;
562 uint64_t value;
563
564 sym = elf_sym_by_name(elf, symbol);
565 if ( !ELF_HANDLE_VALID(sym) )
566 {
567 elf_err(elf, "%s: not found: %s\n", __func__, symbol);
568 return -1;
569 }
570
571 value = elf_uval(elf, sym, st_value);
572 elf_msg(elf, "%s: symbol \"%s\" at 0x%" PRIx64 "\n", __func__,
573 symbol, value);
574 return value;
575 }
576
577 /*
578 * Local variables:
579 * mode: C
580 * c-file-style: "BSD"
581 * c-basic-offset: 4
582 * tab-width: 4
583 * indent-tabs-mode: nil
584 * End:
585 */
586