NetBSD Problem Report #43830

From www@NetBSD.org  Thu Sep  2 15:38:25 2010
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 5B21C63BC61
	for <gnats-bugs@gnats.NetBSD.org>; Thu,  2 Sep 2010 15:38:25 +0000 (UTC)
Message-Id: <20100902153824.E972663BC5B@www.NetBSD.org>
Date: Thu,  2 Sep 2010 15:38:24 +0000 (UTC)
From: uwe@NetBSD.org
Reply-To: uwe@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: libsa/loadfile_elf32.c loads .shstrtab into unallocated memory
X-Send-Pr-Version: www-1.0

>Number:         43830
>Category:       kern
>Synopsis:       libsa/loadfile_elf32.c loads .shstrtab into unallocated memory
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Sep 02 15:40:01 +0000 2010
>Closed-Date:    Thu Sep 02 17:47:21 +0000 2010
>Last-Modified:  Thu Sep 02 17:47:21 +0000 2010
>Originator:     Valery Ushakov
>Release:        NetBSD 5.99.39
>Organization:
>Environment:
NetBSD brick 5.99.39 NetBSD 5.99.39 (MRCOFFEE_OFW) #0: Tue Aug 31 15:56:05 MSD 2010  uwe@shravaka:/mnt/netbsd/cvs/src/sys/arch/sparc/compile/MRCOFFEE_OFW sparc

>Description:
In sys/lib/libsa/loadfile_elf32.c in revision 1.25 code was added to
add support for loading CTF sections for DTrace.  As part of this
change loadfile_elf32 now loads .shstrtab.  The code to load it uses
READ() macro unconditionally, while it should only be used when caller
asked for the actual section contents to be loaded.

E.g. sparc bootloader calls loadfile twice, once with COUNT_KERNEL to
figure out how much memory to set up, and then with LOAD_KERNEL to
actually load kernel into the memory it's just allocated.

During the first call (COUNT_KERNEL) the READ() macro must not be used,
but the code to read CTF sections doesn't check COUNT_* vs. LOAD_*
flags.

This happens to work on real hardware, but depends on some OpenBoot
magic mappings and I'm not sure they are guaranteed to exist.

This code fails under qemu that uses OpenBIOS as its OpenFirmware
implementation and apparently doesn't provide the same magic mappings.

I don't really want to figure out the exact nature of that magic.
I think that the code should obey the constraint that READ() must not
be used unless LOAD_* flags are passed.

>How-To-Repeat:
Try to boot current'ish NetBSD/sparc in qemu, e.g.

  $ qemu-system-sparc -m 32 -nographic -boot d \
        -cdrom $(RELEASEDIR)/iso/sparccd.iso

if you have it built locally, or just grab a current iso image from releng autobuild.

Observe:

  >> NetBSD/sparc Secondary Boot, Revision 1.15
  >> (uwe@shravaka, Thu Sep  2 02:19:06 MSD 2010)
  Booting netbsd
  Unhandled Exception 0x00000009
  PC = 0x00393fc0 NPC = 0x00393fc4
  Stopping execution

where that pc is in inflate() when it tries to write data to the buffer
passed to READ() at loadfile_elf32.c:419
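The COUNT_KERNEL / LOAD_KERNEL two-pass sequence and the constraint that READ() must only run under LOAD_* flags, as an added model in C. This is not libsa's loadfile_elf32.c, not the sparc bootloader, and not the committed fix; only the flag names follow the PR. The `struct loader`, `do_read()`, the .shstrtab bytes, the load address and the two `load_shstrtab_*` variants are constructed for illustration: the "buggy" one reads unconditionally as the description says revision 1.25 did, the "fixed" one accounts for the size in both passes but only touches memory when asked to load.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag names as used in the PR; values are constructed for this model. */
#define LOAD_KERNEL  0x01
#define COUNT_KERNEL 0x02

/* Constructed loader state.  `mem` is NULL during the COUNT pass: the
 * caller only allocates after it knows how much the kernel needs. */
struct loader {
    uint8_t *mem;                 /* load area, NULL until allocated */
    size_t   memsize;             /* size of the load area */
    size_t   marks_end;           /* highest address counted/loaded */
    int      writes_during_count; /* READ() calls made while only counting */
};

/* Constructed .shstrtab contents (section-name strings, NUL separated). */
static const uint8_t shstrtab[] = "\0.text\0.shstrtab\0.SUNW_ctf\0";

/* Model of READ(): copy section bytes into the load area.  The real macro
 * reads from the boot device into the caller's address; here it records
 * the defect the PR describes, a read issued without LOAD_* flags. */
static int do_read(struct loader *ld, size_t addr, const uint8_t *src,
                   size_t len, int flags)
{
    if (!(flags & LOAD_KERNEL)) {
        ld->writes_during_count++;  /* nothing is allocated yet */
        return -1;
    }
    if (ld->mem == NULL || addr + len > ld->memsize)
        return -1;                  /* would write outside the load area */
    memcpy(ld->mem + addr, src, len);
    return 0;
}

/* Revision-1.25 style: loads the section table in both passes. */
static int load_shstrtab_buggy(struct loader *ld, size_t addr, int flags)
{
    ld->marks_end = addr + sizeof shstrtab;
    return do_read(ld, addr, shstrtab, sizeof shstrtab, flags);
}

/* "Don't load if counting": size is accounted in both passes, memory is
 * written only when the caller asked for the contents. */
static int load_shstrtab_fixed(struct loader *ld, size_t addr, int flags)
{
    ld->marks_end = addr + sizeof shstrtab;
    if (!(flags & LOAD_KERNEL))
        return 0;                   /* COUNT pass: report size only */
    return do_read(ld, addr, shstrtab, sizeof shstrtab, flags);
}

/* The sequence the sparc bootloader follows: COUNT_KERNEL with no memory
 * set up, allocate what was counted, then LOAD_KERNEL into it.
 * Returns the number of READ() calls made during the COUNT pass
 * (0 means the loader honoured the constraint), or -1 on load failure. */
static int two_pass_load(int (*load_section)(struct loader *, size_t, int))
{
    static uint8_t arena[4096];     /* constructed stand-in for RAM */
    struct loader ld = { NULL, 0, 0, 0 };
    const size_t addr = 0x100;      /* constructed load address */

    /* Pass 1: count.  Any READ() here lands in unallocated memory. */
    load_section(&ld, addr, COUNT_KERNEL);

    /* Caller allocates exactly what the count reported. */
    if (ld.marks_end > sizeof arena)
        return -1;
    ld.mem = arena;
    ld.memsize = ld.marks_end;

    /* Pass 2: load for real and check the bytes arrived. */
    if (load_section(&ld, addr, LOAD_KERNEL) != 0)
        return -1;
    if (memcmp(ld.mem + addr, shstrtab, sizeof shstrtab) != 0)
        return -1;
    return ld.writes_during_count;
}

int main(void)
{
    printf("buggy: %d stray READ() during COUNT\n",
           two_pass_load(load_shstrtab_buggy));
    printf("fixed: %d stray READ() during COUNT\n",
           two_pass_load(load_shstrtab_fixed));
    return 0;
}
```

On real hardware the stray read in the buggy variant may succeed by accident if the firmware happens to map the target address; the model makes it visible by counting it instead, which is the property a loader test should check rather than whether the boot happened to survive.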

>Fix:

>Release-Note:

>Audit-Trail:
From: Izumi Tsutsui <tsutsui@ceres.dti.ne.jp>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@NetBSD.org, gnats-admin@NetBSD.org, netbsd-bugs@NetBSD.org,
        tsutsui@ceres.dti.ne.jp
Subject: Re: kern/43830: libsa/loadfile_elf32.c loads .shstrtab into unallocated
	 memory
Date: Fri, 3 Sep 2010 00:51:13 +0900

 IMO all CTF changes should be reverted because it was not
 reviewed on a public list, it might break ABI compatibility,
 it also broke bootloaders, and there has been no action on those problems.
 ---
 Izumi Tsutsui

From: Martin Husemann <martin@duskware.de>
To: Izumi Tsutsui <tsutsui@ceres.dti.ne.jp>
Cc: gnats-bugs@NetBSD.org
Subject: Re: kern/43830: libsa/loadfile_elf32.c loads .shstrtab into unallocated memory
Date: Thu, 2 Sep 2010 18:40:57 +0200

 On Fri, Sep 03, 2010 at 12:51:13AM +0900, Izumi Tsutsui wrote:
 > IMO all CTF changes should be reverted because it was not
 > reviewed on public list, it might break ABI compatibility,
 > it also broke bootloaders, and no action for those problems.

 Seconded - furthermore the whole CTF concept looks like a hack to me
 (not that I know of a clean(er) solution in dtrace context...)

 Martin

From: Christos Zoulas <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/43830 CVS commit: src/sys/lib/libsa
Date: Thu, 2 Sep 2010 13:10:15 -0400

 Module Name:	src
 Committed By:	christos
 Date:		Thu Sep  2 17:10:15 UTC 2010

 Modified Files:
 	src/sys/lib/libsa: loadfile_elf32.c

 Log Message:
 PR/43830: Valery Ushakov: libsa/loadfile_elf32.c loads .shstrtab into
 unallocated memory. Don't load if counting.


 To generate a diff of this commit:
 cvs rdiff -u -r1.25 -r1.26 src/sys/lib/libsa/loadfile_elf32.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: uwe@NetBSD.org
State-Changed-When: Thu, 02 Sep 2010 17:47:21 +0000
State-Changed-Why:
With this fix qemu can boot sparc kernel.


>Unformatted:
