kvmtool: invalid embedded ELF binaries' size

Hi,

I just noticed that a typo is present in the original subject (kvmtool
is misspelled). I assume that some of you filter messages according to
their subject, hence this new mail.

Sorry for the spam.

-------- Forwarded Message --------
Subject: kmvtool: invalid embedded ELF binaries' size
Date: Mon, 2 Jan 2017 15:04:50 +0100
To: kvm@xxxxxxxxxxxxxxx

Hi,

A user of the NoFear project reported a bug
(https://github.com/cappsule/nofear/issues/6) suggesting that kvmtool is
broken if compiled with a specific gcc version. This issue can be
reproduced with gcc version 6.2.1 20161124 (Debian 6.2.1-5), but not
with gcc version 6.1.1 20160802 (Debian 6.1.1-11).

The function extract_file() writes embedded ELF files to the filesystem:

    static int extract_file(const char *guestfs_name, const char *filename,
                            const void *data, const void *_size)
    {
        ...
        ret = xwrite(fd, data, (size_t)_size);
        ...
    }

    extern char _binary_guest_init_start;
    extern char _binary_guest_init_size;
    extern char _binary_guest_pre_init_start;
    extern char _binary_guest_pre_init_size;

I didn't manage to find how _binary_guest_init_size and
_binary_guest_pre_init_size are created during the link step, but a
quick debug session shows that they're 4 bytes wide:

    (gdb) disass kvm_setup_guest_init
    Dump of assembler code for function kvm_setup_guest_init:
    => 0x00005599b846dc60 <+0>:     push   rbx
       0x00005599b846dc61 <+1>:     lea    rcx,[rip+0xffffffffffff76a8]        # 0x5599b8465310
       0x00005599b846dc68 <+8>:     lea    rdx,[rip+0x22a809]        # 0x5599b8698478
       0x00005599b846dc6f <+15>:    lea    rsi,[rip+0x18a2c]        # 0x5599b84866a2
       0x00005599b846dc76 <+22>:    mov    rbx,rdi
       0x00005599b846dc79 <+25>:    call   0x5599b846d9e0 <extract_file>
       ...
    (gdb) x/xw 0x5599b8465310
    0x5599b8465310: 0x000004c2
    (gdb) x/xg 0x5599b8465310
    0x5599b8465310: 0x00000012000004c2

Casting _size to size_t in extract_file() is wrong because _size is 4
bytes wide. On x64, xwrite thus fails when the 4 bytes following
_binary_guest_init_size/_binary_guest_pre_init_size are different from 0.

I think that casting _size to unsigned int should fix this issue, but I
would appreciate if someone can explain how _binary_guest_init_size and
_binary_guest_pre_init_size are produced by the linker.

Thanks
--
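The failure mode described in the report, as an added example that is not part of the original mail or of kvmtool: a size word that the build emitted as 4 bytes is read through a native size_t on a 64-bit host, so the read picks up whatever the linker placed in the next 4 bytes. The gdb dump above shows exactly that layout (0x000004c2 followed by 0x00000012), so the example recreates it with a constructed struct; the function and variable names (area_bad, area_lucky, read_size_wrong, read_size_correct, extract_embedded, demo_extract) are assumptions for illustration, and the "extract" step is a stand-in for extract_file()/xwrite() that fails when the size exceeds the data actually embedded. How kvmtool's own build produces _binary_guest_init_size is not shown on this page and is not assumed here.

```c
/*
 * Added example (not kvmtool code): a 4-byte embedded size word read
 * through a 64-bit size_t.  The .rodata layout is constructed to match
 * the gdb dump quoted above: 0x000004c2 followed by 0x00000012.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the memory around the size symbol. */
struct embedded_size_area {
    uint32_t size;      /* the 4-byte size word itself: 0x4c2 */
    uint32_t neighbour; /* whatever the linker placed next */
};

/* The layout from the report (non-zero neighbour: the failing build). */
static const struct embedded_size_area area_bad   = { 0x4c2, 0x12 };
/* Same size word, zero neighbour: the build that happened to work. */
static const struct embedded_size_area area_lucky = { 0x4c2, 0x00 };

/* Buggy pattern: treat the 4-byte word as a native size_t.  memcpy is
 * used instead of *(const size_t *)p so the demonstration itself has no
 * alignment or aliasing UB; the over-read is the same. */
static size_t read_size_wrong(const void *p)
{
    size_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Correct pattern: read exactly the width the build emitted. */
static size_t read_size_correct(const void *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return (size_t)v;
}

/* Stand-in for extract_file()/xwrite(): copy `size` bytes of `data` into
 * `out`.  Returns -1 when `size` exceeds the embedded data or the output
 * buffer, which is the observable failure of the real write. */
static int extract_embedded(char *out, size_t out_len,
                            const void *data, size_t data_len, size_t size)
{
    if (size > data_len || size > out_len)
        return -1;
    memcpy(out, data, size);
    return 0;
}

/* Run the extraction with a size read from `area` via `reader`, using a
 * constructed 0x4c2-byte stand-in for the embedded ELF image. */
static int demo_extract(const struct embedded_size_area *area,
                        size_t (*reader)(const void *))
{
    static const char guest_init[0x4c2] = { 0x7f, 'E', 'L', 'F' }; /* constructed */
    static char out[0x4c2];

    return extract_embedded(out, sizeof out, guest_init, sizeof guest_init,
                            reader(&area->size));
}

static int is_little_endian(void)
{
    uint16_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

int main(void)
{
    printf("size_t is %zu bytes on this host\n", sizeof(size_t));
    printf("wrong read   (bad layout):   0x%zx\n", read_size_wrong(&area_bad));
    printf("correct read (bad layout):   0x%zx\n", read_size_correct(&area_bad));
    printf("wrong read   (lucky layout): 0x%zx\n", read_size_wrong(&area_lucky));
    printf("extract, wrong read:   %d\n", demo_extract(&area_bad, read_size_wrong));
    printf("extract, correct read: %d\n", demo_extract(&area_bad, read_size_correct));
    return 0;
}
```

The lucky layout is why the bug shows up with one compiler/linker combination and not another: nothing in the source changed, only the bytes that happened to follow the size word. Reading the word at its real width, or having the build emit a size_t-sized value in the first place, removes the dependency on neighbouring data.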


