Re: loader modules jumping back to kernel

[Robert Millan <rmh@aybabtu.com>]

On Sun, Jul 20, 2008 at 11:09:02AM +0200, Yoshinori K. Okuji wrote:
> > IIRC this causes trouble when the loadee chose an address that precisely
> > overwrites the loader, which is garanteed to happen when GRUB is loading
> > itself, AFAICT.
> 
> Sure. My recommendation is, in case where you might overwrite that part, that 
> you should write relocatable code (which is rather easy for simple code on 
> i386) at anywhere (it could be in the startup), find out a safe region when 
> loading an OS image, copy the code to the safe region, and finalize the 
> bootstrap in that code (e.g. relocating the OS image, initializing registers, 
> and jumping to it). On i386, we have a reserved region to temporarily load an 
> OS image for the very reason, so this is not difficult.

Ok.  I've been looking at grub_multiboot_load_elf32() which contains the
bound checks that make loading abort in first place;  It seems that bounds
are checked for every segment in the ELF image, in:

   /* Load every loadable segment in memory.  */
   for (i = 0; i < ehdr->e_phnum; i++)

so I'm wondering if it is safe to assume the segments are going to occupy
a single block of memory (which can be relocated in one run) or it is allowed
for them to be scattered.

As for the safe region, AFAICT the OS load area is our only choice, or maybe
the heap, but in both cases overlaps are a problem, as we don't want the
relocator code to overwrite itself.  In case of the OS load area, we could
abort on situations where payload requested region overlaps with our area,
and in case of the heap, we could play some ugly tricks in order to obtain
a non-overlapped region from malloc.

TBH I don't like either of the options.  Do you have any other suggestions?

-- 
Robert Millan

<GPLv2> I know my rights; I want my phone call!
<DRM> What good is a phone call… if you are unable to speak?
(as seen on /.)