Re: [2.6] binfmt_elf bug (exposed by klibc).

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: "Paweł Sikora" <pluto@agmk.net>
To: "linux-os \(Dick Johnson\)" <linux-os@analogic.com>
Cc: "Horst von Brand" <vonbrand@inf.utfsm.cl>, linux-kernel@vger.kernel.org
Subject: Re: [2.6] binfmt_elf bug (exposed by klibc).
Date: Fri, 7 Oct 2005 23:20:17 +0200	[thread overview]
Message-ID: <200510072320.18263.pluto@agmk.net> (raw)
In-Reply-To: <Pine.LNX.4.61.0510071200340.11579@chaos.analogic.com>

Dnia piątek, 7 października 2005 18:16, linux-os (Dick Johnson) napisał:
> On Fri, 7 Oct 2005, [UTF-8] Pawe? Sikora wrote:
> > Dnia pitek, 7 padziernika 2005 17:33, Horst von Brand napisa:
> >> Pawe Sikora <pluto@agmk.net> wrote:
> >>> Dnia pitek, 7 padziernika 2005 15:46, Horst von Brand napisa:
> >>
> >> [...]
> >>
> >>>> binutils-2.16.91.0.2-4 doesn't. It looks like you are using broken
> >>>> tools.
> >>>
> >>> I didn't say that is (or not) a binutils bug.
> >>> I'm only saying that kernel is killng a valid micro application.
> >>
> >> If binutils generates an invalid executable, it is not a valid
> >> application.
> >
> > ehh, please look again at my first post :)
> > binutils-2.16 generates VALID app with .text/.interp and *without* .bss.
> > kernel always calls padzero() for the .bss section inside
> > load_elf_binary(). finally it kills a valid app. did i miss something?
> >
>
> The executable created by this:
>
> $ cat <<EOF >xxx.S
> .section	.rodata
> hello:		.string	"Hello World!\n"
> STRLEN = .-hello
> WRITE=4
> EXIT=1
>
> .section	.text
> .global		_start
> .type		_start,@function
> _start:
>  	movl	$WRITE, %eax
>  	movl	$1, %ebx
>  	movl	$hello, %ecx
>  	movl	$STRLEN, %edx
>  	int	$0x80
>  	movl	$EXIT, %eax
>  	movl	$0, %ebx
>  	int	$0x80
> .end
> EOF
>
> $ as -o xxx.o xxx.S
> $ ld -o xxx xxx.o
> $ ./xxx
> Hello World!
> $
>
> ... does not have a .bss section. It also runs fine. The linker
> creates a 0 length .bss section starting at label "_end". There
> is no way to prevent it from happening so the kernel's zeroing
> the zero-length section is perfectly valid. Maybe you have
> executed `strip` and stripped out that section? If so, you
> no longer have a valid executable and the kernel should kill
> it.

What????????????
Do you suggest that stripped executables are invalid?

$ cat xxx.S
.section        .text
.global         _start
.type           _start,@function
_start:
        movl    $1, %eax
        movl    $0, %ebx
        int     $0x80
.end

$ as xxx.S -o xxx.o; ld xxx.o -o xxx -s; objdump -x xxx

xxx:     file format elf32-i386
xxx
architecture: i386, flags 0x00000102:
EXEC_P, D_PAGED
start address 0x08048094

Program Header:
    LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
         filesz 0x000000a0 memsz 0x000000a0 flags r-x
PAX_FLAGS off   0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**2
         filesz 0x00000000 memsz 0x00000000 flags --- 2800

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .text         0000000c  08048094  08048094  00000094  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE

We have a pure executable, no .data/.rodata/.bss/etc.

On 2.6.14rc3-git6 this executable doesn't work:

$ strace ./xxx
execve("./xxx", ["./xxx"], [/* 24 vars */]) = -1 EFAULT (Bad address)
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

With hacked kernel it works pretty fine:

$ strace ./xxx
execve("./xxx", ["./xxx"], [/* 24 vars */]) = 0
_exit(0)

-- 
The only thing necessary for the triumph of evil
  is for good men to do nothing.
                                           - Edmund Burke

next prev parent reply	other threads:[~2005-10-07 21:20 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-10-07 10:09 [2.6] binfmt_elf bug (exposed by klibc) Paweł Sikora
2005-10-07 13:46 ` Horst von Brand
2005-10-07 14:11   ` linux-os (Dick Johnson)
2005-10-07 14:21   ` Paweł Sikora
2005-10-07 15:33     ` Horst von Brand
2005-10-07 15:41       ` Paweł Sikora
     [not found]         ` <Pine.LNX.4.61.0510071200340.11579@chaos.analogic.com>
2005-10-07 21:20           ` Paweł Sikora [this message]
     [not found]             ` <Pine.LNX.4.61.0510071740040.13291@chaos.analogic.com>
2005-10-07 22:42               ` Paweł Sikora
2005-10-08 14:30                 ` Jan-Benedict Glaw
2005-10-08 19:29                   ` Paweł Sikora

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200510072320.18263.pluto@agmk.net \
    --to=pluto@agmk.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-os@analogic.com \
    --cc=vonbrand@inf.utfsm.cl \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox