George S. Coker, II
2009-Mar-09 18:08 UTC
[Xen-devel][PATCH][RFC] _chk_fail and _chk canaries for minios and newlib
Samuel,

I've made a small patch (attached) to minios and newlib that addresses long-standing linking issues for ocaml stubdomains on non-debian distros. While minios and associated libraries are compiled with fno-stack-protector and no fortify buffer overflow protections, this doesn't produce a stubdom free of these dependencies when linking against third party libraries, e.g. Libasmrun for ocaml. It seems impractical to keep building minios specific libraries given that these options are common on all distros (now) and a potential impediment to creating stubdomains out of existing system libraries.

This patch implements a minios version of the stack_chk_fail from glibc. fprintf_chk and sprintf_chk functions have been added to newlib. This split was made to ensure that minios would dump the stack and exit on a stack_chk_fail but avoid a cross-dependency between minios and newlib. If anyone has other suggestions, let me know.

The _chk functions are just pass-through stubs because the actual fortify implementation is not trivial for newlib. It's also not clear that minios domains benefit much from the fortify protections.

This patch supports the needs of the ocaml stubdomain; other stubdomains using existing system libraries may need additional _chk stubs.

George

-- 
George S. Coker, II <gscoker@alpha.ncsc.mil>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
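What the compiler actually hands a `__sprintf_chk` implementation, and what a pass-through stub of the kind described above gives up, as an added example that is not George's patch and not newlib code. The `minios_*` names are hypothetical stand-ins; the real `__sprintf_chk` symbol is deliberately not defined here so the file links against an ordinary libc, and the failure handler records the event instead of exiting so the outcome can be checked.

```c
/*
 * Added example, not George's patch and not newlib code: the bounded
 * semantics of glibc's __sprintf_chk beside a pass-through stub. The
 * minios_* names are hypothetical; __sprintf_chk itself is left undefined
 * so this file links against a normal libc.
 */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Value the compiler passes in slen when the destination size is unknown. */
#define CHK_SIZE_UNKNOWN ((size_t) -1)

/* Stand-in for __chk_fail: records the event instead of printing and exiting,
 * so the outcome can be inspected. Mini-OS would printk and do_exit here. */
static int chk_fail_count = 0;
static void minios_chk_fail(void) { chk_fail_count++; }

/* Pass-through variant, equivalent to the stub described in the mail: slen is
 * ignored, so the call is exactly as unsafe as plain sprintf. */
int minios_sprintf_chk_stub(char *s, int flag, size_t slen, const char *format, ...)
{
    va_list ap;
    int done;
    (void) flag; (void) slen;
    va_start(ap, format);
    done = vsprintf(s, format, ap);
    va_end(ap);
    return done;
}

/* Bounded variant with the semantics of glibc's __sprintf_chk: slen is the
 * destination size computed at the call site by __builtin_object_size. */
int minios_sprintf_chk(char *s, int flag, size_t slen, const char *format, ...)
{
    va_list ap;
    int done;
    (void) flag;

    if (slen == 0) {                 /* not even the terminating NUL fits */
        minios_chk_fail();
        return -1;
    }
    va_start(ap, format);
    if (slen == CHK_SIZE_UNKNOWN) {
        done = vsprintf(s, format, ap);      /* no bound known: behave as sprintf */
    } else {
        done = vsnprintf(s, slen, format, ap);
        /* vsnprintf returns the length the full output would have had; if that
         * does not fit together with its NUL, the unchecked call would have
         * written past the end of s. */
        if (done >= 0 && (size_t) done >= slen) {
            minios_chk_fail();
            done = -1;
        }
    }
    va_end(ap);
    return done;
}

/* Call sites shaped like what GCC emits for sprintf(b, "%s", src) under
 * -D_FORTIFY_SOURCE, with slen = sizeof b. Inputs are constructed. */
int demo_fits(void)     { char b[16]; return minios_sprintf_chk(b, 1, sizeof b, "%s", "short"); }
int demo_exact(void)    { char b[16]; return minios_sprintf_chk(b, 1, sizeof b, "%s", "0123456789abcde"); }
int demo_overflow(void) { char b[16]; return minios_sprintf_chk(b, 1, sizeof b, "%s", "0123456789abcdef"); }

/* The stub with the same slen but a larger real buffer, so the 17-byte write
 * is harmless here; it shows that nothing is detected. */
int demo_stub_ignores_slen(void)
{
    char b[32];
    return minios_sprintf_chk_stub(b, 1, 16, "%s", "0123456789abcdef");
}

int chk_failures(void) { return chk_fail_count; }

int main(void)
{
    int fits = demo_fits();
    int exact = demo_exact();
    int overflow = demo_overflow();
    printf("fits=%d exact=%d overflow=%d failures=%d\n", fits, exact, overflow, chk_failures());
    int stub = demo_stub_ignores_slen();
    printf("stub=%d failures=%d\n", stub, chk_failures());
    return 0;
}
```

The bounded variant costs one `vsnprintf` call and a comparison; the only case that needs care is the `(size_t) -1` sentinel, which must keep plain `sprintf` semantics because no bound is known.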
Samuel Thibault
2009-Mar-09 18:13 UTC
Re: [Xen-devel][PATCH][RFC] _chk_fail and _chk canaries for minios and newlib
Hello,

George S. Coker, II, on Mon 09 Mar 2009 13:08:04 -0500, wrote:
> This patch implements a minios version of the stack_chk_fail from glibc.
> fprintf_chk and sprintf_chk functions have been added to newlib.

Cool! That'd be useful indeed. I'm however wondering whether your patch is enough for the stack protection: in my memory, gcc assumes that the glibc is used, and on e.g. i386, it uses gs:(0x14) for the stack canary (see a disassembly of a program compiled with -fstack-protector-all, there's a mov %gs:0x14,%eax lying in functions), and as a result we need to define a proper gs in MiniOS that follows glibc's tcbhead_t.

The fortified printfs should be fine.

Samuel
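The point about `gs:0x14` and `tcbhead_t`, made concrete as an added example that is not from the thread or from Mini-OS: the `-fstack-protector` prologue and epilogue read the canary from a fixed offset off the thread-segment base (0x14 on i386, 0x28 on x86-64), and that offset is the `stack_guard` member of glibc's `tcbhead_t`. A kernel that wants glibc-compiled objects to work has to place the canary at exactly that offset. `struct minios_tcbhead` is a hypothetical name whose leading fields mirror glibc's layout; the entropy bytes are constructed.

```c
/*
 * Added example, not from the thread or from Mini-OS: the thread-control
 * block layout that -fstack-protector code assumes. struct minios_tcbhead is
 * a hypothetical name; its fields mirror the leading members of glibc's
 * tcbhead_t so that stack_guard lands at the offset the compiler hard-wires.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if UINTPTR_MAX > 0xffffffffu
/* Leading members of glibc's x86-64 tcbhead_t. */
struct minios_tcbhead {
    void     *tcb;               /* 0x00: points at this block */
    void     *dtv;               /* 0x08: dynamic thread vector, unused here */
    void     *self;              /* 0x10: points at this block */
    int       multiple_threads;  /* 0x18 */
    int       gscope_flag;       /* 0x1c */
    uintptr_t sysinfo;           /* 0x20 */
    uintptr_t stack_guard;       /* 0x28: what `mov %fs:0x28,%rax` reads */
    uintptr_t pointer_guard;     /* 0x30 */
};
#define EXPECTED_STACK_GUARD_OFFSET 0x28
#else
/* Leading members of glibc's i386 tcbhead_t. */
struct minios_tcbhead {
    void     *tcb;               /* 0x00 */
    void     *dtv;               /* 0x04 */
    void     *self;              /* 0x08 */
    int       multiple_threads;  /* 0x0c */
    uintptr_t sysinfo;           /* 0x10 */
    uintptr_t stack_guard;       /* 0x14: what `mov %gs:0x14,%eax` reads */
    uintptr_t pointer_guard;     /* 0x18 */
};
#define EXPECTED_STACK_GUARD_OFFSET 0x14
#endif

/* Where the canary lands; must equal the offset hard-wired in the compiler. */
size_t stack_guard_offset(void) { return offsetof(struct minios_tcbhead, stack_guard); }

/* Derives a canary from sizeof(uintptr_t) entropy bytes the way glibc's
 * _dl_setup_stack_chk_guard does: the byte at the lowest address is zeroed so
 * that a string overrun reaching the canary terminates on the NUL and still
 * changes the value. */
uintptr_t make_stack_guard(const unsigned char *rnd)
{
    uintptr_t g;
    memcpy(&g, rnd, sizeof g);
    ((unsigned char *) &g)[0] = 0;
    return g;
}

/* Sets up the block the segment register would point at. */
void init_tcbhead(struct minios_tcbhead *t, uintptr_t guard)
{
    memset(t, 0, sizeof *t);
    t->tcb = t;
    t->self = t;
    t->stack_guard = guard;
}

/* The epilogue comparison: the copy saved in the frame at entry must still
 * equal the TLS value; a mismatch is what makes GCC call __stack_chk_fail. */
int canary_intact(uintptr_t saved_in_frame, const struct minios_tcbhead *t)
{
    return saved_in_frame == t->stack_guard;
}

/* Constructed entropy, standing in for bytes a real kernel would draw from a
 * random source at boot. */
static const unsigned char demo_entropy[8] = {0xa5, 0x3c, 0x91, 0x7e, 0x12, 0xd4, 0x68, 0xbf};

uintptr_t demo_guard(void) { return make_stack_guard(demo_entropy); }

/* corrupt != 0 simulates an overrun that rewrote the saved copy in the frame. */
int demo_check(int corrupt)
{
    struct minios_tcbhead t;
    uintptr_t saved;
    init_tcbhead(&t, demo_guard());
    saved = t.stack_guard;
    if (corrupt)
        saved ^= 0x4141;
    return canary_intact(saved, &t);
}

int main(void)
{
    printf("stack_guard at offset 0x%zx (compiler expects 0x%x)\n",
           stack_guard_offset(), EXPECTED_STACK_GUARD_OFFSET);
    printf("intact=%d corrupted=%d\n", demo_check(0), demo_check(1));
    return 0;
}
```

Placing such a block at the segment base is only half the job: the segment itself must be mapped and the descriptor loaded before any protected function runs, otherwise the canary load faults instead of comparing.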
Sreenivasa Honnur
2009-Mar-09 18:47 UTC
[Xen-devel] boot issues with PV guest OS on Xen-3.4 unstable
Hi,

I am facing some problems booting a PV guest OS; can someone please help me out?

I am creating a disk image for the PV guest as in the link below:
http://www.virtuatopia.com/index.php/Building_a_Xen_Virtual_Guest_Filesystem_on_a_Disk_Image_%28Cloning_Host_System%29

The PV guest configuration file is like below:

# Kernel image file.
kernel = "/boot/vmlinuz-2.6.18.8-xen"

# Optional ramdisk.
#ramdisk = "/boot/initrd.gz"
ramdisk = "/boot/initrd-2.6.18.8-xen"

memory = 512

disk = ['tap:aio:/home/xen/PV/XenGuest1.img,xvda1,w', 'tap:aio:/home/xen/PV/XenGuest1.swap,xvda2,w']

extra = "3 xencons=tty"

# Set root device.
root = "/dev/xvda1"

Error messages while booting guest
-----------------------------
xm create -c xmexample_ext3
.
.
.
Waiting for device /dev/xvda1 to appear: ok
rootfs: major=202 minor=1 devn=51713
Mounting root /dev/xvda1
EXT3-fs: INFO: recovery required on readonly filesystem.
EXT3-fs: write access will be enabled during recovery.
kjournald starting. Commit interval 5 seconds
EXT3-fs: recovery complete.
EXT3-fs: mounted filesystem with ordered data mode.
EXT3 FS on xvda1, internal journal
INIT: version 2.86 booting
INIT: cannot execute "/etc/init.d/boot"
INIT: Entering runlevel: 3
INIT: cannot execute "/etc/init.d/rc"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: Id "4" respawning too fast: disabled for 5 minutes
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: no more processes left in this runlevel
Samuel Thibault
2009-Mar-09 18:50 UTC
Re: [Xen-devel][PATCH][RFC] _chk_fail and _chk canaries for minios and newlib
George S. Coker, II, on Mon 09 Mar 2009 14:28:22 -0500, wrote:
> It probably isn't enough. It's more of a stub to make the linker and
> libraries happy.

Right, in this particular case it's read-only code so it shouldn't harm so much and the code could be checked in as is. I'm however wondering how these reads do not trigger traps, as we unmap page 0 in clear_bootstrap(), and thus e.g. on i386 gs:0x14 should trap.

> I was a little uncertain about the split between minios and newlib.

The way you did it seems right to me: checking printf size is more a matter of newlib, while reacting to stack smashing is a kernel matter.

Samuel
George S. Coker, II
2009-Mar-09 19:28 UTC
Re: [Xen-devel][PATCH][RFC] _chk_fail and _chk canaries for minios and newlib
On 3/9/09 1:13 PM, "Samuel Thibault" <samuel.thibault@ens-lyon.org> wrote:
> Hello,
>
> George S. Coker, II, on Mon 09 Mar 2009 13:08:04 -0500, wrote:
>> This patch implements a minios version of the stack_chk_fail from glibc.
>> fprintf_chk and sprintf_chk functions have been added to newlib.
>
> Cool! That'd be useful indeed. I'm however wondering whether
> your patch is enough for the stack protection: in my memory, gcc
> assumes that the glibc is used, and on e.g. i386, it uses gs:(0x14)
> for the stack canary (see a disassembly of a program compiled with
> -fstack-protector-all, there's a mov %gs:0x14,%eax lying in functions),
> and as a result we need to define a proper gs in MiniOS that follows
> glibc's tcbhead_t.
>

It probably isn't enough. It's more of a stub to make the linker and libraries happy. I can work on a more proper patch, but I was a little uncertain about the split between minios and newlib. It's just not clear where to add new funcs because of the out-of-tree dependency on newlib.

> The fortified printfs should be fine.
>
> Samuel

-- 
George S. Coker, II <gscoker@alpha.ncsc.mil>
Samuel Thibault
2009-Mar-25 13:31 UTC
[Xen-devel][PATCH] minios: _chk_fail and _chk canaries for minios and newlib
Hello, Just resending George''s patch for inclusion. Samuel minios: _chk_fail and _chk canaries for minios and newlib Add __stack_chk_fail to mini-os and __sprintf_chk __fprintf_chk to newlib, to cope with ocaml runtimes compiled with -fstack-protector. From: "George S. Coker, II" <gscoker@alpha.ncsc.mil> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> diff -r f8187a343ad2 extras/mini-os/lib/stack_chk_fail.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/extras/mini-os/lib/stack_chk_fail.c Sat Feb 28 04:56:36 2009 -0500 @@ -0,0 +1,8 @@ +#include <kernel.h> +#include <console.h> + +void __stack_chk_fail(void) +{ + printk("stack smashing detected\n"); + do_exit(); +} diff -r f8187a343ad2 stubdom/Makefile --- a/stubdom/Makefile Fri Feb 20 17:02:36 2009 +0000 +++ b/stubdom/Makefile Sat Feb 28 04:56:36 2009 -0500 @@ -93,6 +93,7 @@ newlib-$(NEWLIB_VERSION): newlib-$(NEWLIB_VERSION).tar.gz tar xzf $< patch -d $@ -p0 < newlib.patch + patch -d $@ -p0 < newlib-chk.patch touch $@ NEWLIB_STAMPFILE=$(CROSS_ROOT)/$(GNU_TARGET_ARCH)-xen-elf/lib/libc.a diff -r f8187a343ad2 stubdom/newlib-chk.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/stubdom/newlib-chk.patch Sat Feb 28 04:56:36 2009 -0500 
@@ -0,0 +1,159 @@ +diff -Naur newlib-1.16.0/newlib/libc/stdio/fprintf_chk.c newlib-1.16.0/newlib/libc/stdio/fprintf_chk.c +--- newlib-1.16.0/newlib/libc/stdio/fprintf_chk.c 1969-12-31 19:00:00.000000000 -0500 ++++ newlib-1.16.0/newlib/libc/stdio/fprintf_chk.c 2009-02-26 19:02:53.000000000 -0500 +@@ -0,0 +1,21 @@ ++#include <stdarg.h> ++#include <stdio.h> ++ ++/* ++ * Stub implementation of __fprintf_chk adapted from glibc 2.7. This ++ * doesn''t actually implement any buffer overflow protection. It just makes ++ * the linker happy :) ++*/ ++int ++__fprintf_chk (FILE *fp, int flag, const char *format, ...) ++{ ++ va_list ap; ++ int done; ++ ++ va_start (ap, format); ++ done = vfprintf (fp, format, ap); ++ va_end (ap); ++ ++ return done; ++} ++ +diff -Naur newlib-1.16.0/newlib/libc/stdio/Makefile.am newlib-1.16.0/newlib/libc/stdio/Makefile.am +--- ./newlib-1.16.0/newlib/libc/stdio/Makefile.am 2007-08-02 16:23:06.000000000 -0400 ++++ ./newlib-1.16.0/newlib/libc/stdio/Makefile.am 2009-02-26 18:14:53.000000000 -0500 +@@ -20,6 +20,7 @@ + flags.c \ + fopen.c \ + fprintf.c \ ++ fprintf_chk.c \ + fputc.c \ + fputs.c \ + fread.c \ +@@ -65,6 +66,7 @@ + sniprintf.c \ + snprintf.c \ + sprintf.c \ ++ sprintf_chk.c \ + sscanf.c \ + stdio.c \ + tmpfile.c \ +diff -Naur newlib-1.16.0/newlib/libc/stdio/Makefile.in newlib-1.16.0/newlib/libc/stdio/Makefile.in +--- newlib-1.16.0/newlib/libc/stdio/Makefile.in 2007-12-19 17:36:38.000000000 -0500 ++++ newlib-1.16.0/newlib/libc/stdio/Makefile.in 2009-02-26 18:43:52.000000000 -0500 +@@ -63,7 +63,8 @@ + lib_a-fgets.$(OBJEXT) lib_a-fileno.$(OBJEXT) \ + lib_a-findfp.$(OBJEXT) lib_a-fiprintf.$(OBJEXT) \ + lib_a-flags.$(OBJEXT) lib_a-fopen.$(OBJEXT) \ +- lib_a-fprintf.$(OBJEXT) lib_a-fputc.$(OBJEXT) \ ++ lib_a-fprintf.$(OBJEXT) lib_a-fprintf_chk.$(OBJEXT) \ ++ lib_a-fputc.$(OBJEXT) \ + lib_a-fputs.$(OBJEXT) lib_a-fread.$(OBJEXT) \ + lib_a-freopen.$(OBJEXT) lib_a-fscanf.$(OBJEXT) \ + lib_a-fiscanf.$(OBJEXT) lib_a-fseek.$(OBJEXT) \ +@@ -86,6 +87,7 
@@ + lib_a-setvbuf.$(OBJEXT) lib_a-siprintf.$(OBJEXT) \ + lib_a-siscanf.$(OBJEXT) lib_a-sniprintf.$(OBJEXT) \ + lib_a-snprintf.$(OBJEXT) lib_a-sprintf.$(OBJEXT) \ ++ lib_a-sprintf_chk.$(OBJEXT) \ + lib_a-sscanf.$(OBJEXT) lib_a-stdio.$(OBJEXT) \ + lib_a-tmpfile.$(OBJEXT) lib_a-tmpnam.$(OBJEXT) \ + lib_a-ungetc.$(OBJEXT) lib_a-vdiprintf.$(OBJEXT) \ +@@ -122,15 +124,15 @@ + LTLIBRARIES = $(noinst_LTLIBRARIES) + am__objects_4 = clearerr.lo fclose.lo fdopen.lo feof.lo ferror.lo \ + fflush.lo fgetc.lo fgetpos.lo fgets.lo fileno.lo findfp.lo \ +- fiprintf.lo flags.lo fopen.lo fprintf.lo fputc.lo fputs.lo \ +- fread.lo freopen.lo fscanf.lo fiscanf.lo fseek.lo fsetpos.lo \ ++ fiprintf.lo flags.lo fopen.lo fprintf.lo fprintf_chk.lo fputc.lo \ ++ fputs.lo fread.lo freopen.lo fscanf.lo fiscanf.lo fseek.lo fsetpos.lo \ + ftell.lo fvwrite.lo fwalk.lo fwrite.lo getc.lo getchar.lo \ + getc_u.lo getchar_u.lo getdelim.lo getline.lo gets.lo \ + iprintf.lo iscanf.lo makebuf.lo perror.lo printf.lo putc.lo \ + putchar.lo putc_u.lo putchar_u.lo puts.lo refill.lo remove.lo \ + rename.lo rewind.lo rget.lo scanf.lo sccl.lo setbuf.lo \ + setbuffer.lo setlinebuf.lo setvbuf.lo siprintf.lo siscanf.lo \ +- sniprintf.lo snprintf.lo sprintf.lo sscanf.lo stdio.lo \ ++ sniprintf.lo snprintf.lo sprintf.lo sprintf_chk.lo sscanf.lo stdio.lo \ + tmpfile.lo tmpnam.lo ungetc.lo vdiprintf.lo vdprintf.lo \ + viprintf.lo viscanf.lo vprintf.lo vscanf.lo vsiprintf.lo \ + vsiscanf.lo vsnprintf.lo vsniprintf.lo vsprintf.lo vsscanf.lo \ +@@ -344,6 +346,7 @@ + flags.c \ + fopen.c \ + fprintf.c \ ++ fprintf_chk.c \ + fputc.c \ + fputs.c \ + fread.c \ +@@ -389,6 +392,7 @@ + sniprintf.c \ + snprintf.c \ + sprintf.c \ ++ sprintf_chk.c \ + sscanf.c \ + stdio.c \ + tmpfile.c \ +@@ -508,6 +512,7 @@ + siprintf.def \ + siscanf.def \ + sprintf.def \ ++ sprintf_chk.def \ + sscanf.def \ + tmpfile.def \ + tmpnam.def \ +@@ -678,6 +683,12 @@ + lib_a-fprintf.obj: fprintf.c + $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(lib_a_CFLAGS) $(CFLAGS) -c -o lib_a-fprintf.obj `if test -f ''fprintf.c''; then $(CYGPATH_W) ''fprintf.c''; else $(CYGPATH_W) ''$(srcdir)/fprintf.c''; fi` + ++lib_a-fprintf_chk.o: fprintf_chk.c ++ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(lib_a_CFLAGS) $(CFLAGS) -c -o lib_a-fprintf_chk.o `test -f ''fprintf_chk.c'' || echo ''$(srcdir)/''`fprintf_chk.c ++ ++lib_a-fprintf_chk.obj: fprintf_chk.c ++ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(lib_a_CFLAGS) $(CFLAGS) -c -o lib_a-fprintf_chk.obj `if test -f ''fprintf_chk.c''; then $(CYGPATH_W) ''fprintf_chk.c''; else $(CYGPATH_W) ''$(srcdir)/fprintf_chk.c''; fi` ++ + lib_a-fputc.o: fputc.c + $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(lib_a_CFLAGS) $(CFLAGS) -c -o lib_a-fputc.o `test -f ''fputc.c'' || echo ''$(srcdir)/''`fputc.c + +@@ -948,6 +959,12 @@ + lib_a-sprintf.obj: sprintf.c + $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(lib_a_CFLAGS) $(CFLAGS) -c -o lib_a-sprintf.obj `if test -f ''sprintf.c''; then $(CYGPATH_W) ''sprintf.c''; else $(CYGPATH_W) ''$(srcdir)/sprintf.c''; fi` + ++lib_a-sprintf_chk.o: sprintf_chk.c ++ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(lib_a_CFLAGS) $(CFLAGS) -c -o lib_a-sprintf_chk.o `test -f ''sprintf_chk.c'' || echo ''$(srcdir)/''`sprintf_chk.c ++ ++lib_a-sprintf_chk.obj: sprintf_chk.c ++ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(lib_a_CFLAGS) $(CFLAGS) -c -o lib_a-sprintf_chk.obj `if test -f ''sprintf_chk.c''; then $(CYGPATH_W) ''sprintf_chk.c''; else $(CYGPATH_W) ''$(srcdir)/sprintf_chk.c''; fi` ++ + lib_a-sscanf.o: sscanf.c + $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(lib_a_CFLAGS) $(CFLAGS) -c -o lib_a-sscanf.o `test -f ''sscanf.c'' || echo ''$(srcdir)/''`sscanf.c + +diff -Naur ./newlib-1.16.0/newlib/libc/stdio/sprintf_chk.c 
../newlib-1.16.0/newlib/libc/stdio/sprintf_chk.c +--- newlib-1.16.0/newlib/libc/stdio/sprintf_chk.c 1969-12-31 19:00:00.000000000 -0500 ++++ newlib-1.16.0/newlib/libc/stdio/sprintf_chk.c 2009-02-26 19:02:26.000000000 -0500 +@@ -0,0 +1,21 @@ ++#include <stdarg.h> ++#include <stdio.h> ++ ++/* ++ * Stub implementation of __sprintf_chk adapted from glibc 2.7. This ++ * doesn''t actually implement any buffer overflow protection. It just makes ++ * the linker happy :) ++*/ ++int ++__sprintf_chk (char *s, int flags, size_t slen, const char *format, ...) ++{ ++ va_list arg; ++ int done; ++ ++ va_start (arg, format); ++ done = vsprintf (s, format, arg); ++ va_end (arg); ++ ++ return done; ++} ++
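Review bot: `__stack_chk_fail` in extras/mini-os/lib/stack_chk_fail.c should be declared `__attribute__((noreturn))`, matching the prototype GCC assumes: the compiler places the call on the failure path with nothing after it, so if `do_exit()` ever returned, execution would run off the end of the function. Independently of that, this symbol satisfies the linker but not the protector itself. As raised earlier in the thread, code built with -fstack-protector compares against a canary loaded through the thread segment (`%gs:0x14` on i386, `%fs:0x28` on x86-64, the `stack_guard` slot of glibc's tcbhead_t), which Mini-OS does not set up, so the commit message should say that the canary source is still to be provided rather than imply stack protection now works.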
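Review bot: in the fprintf_chk.c hunk of stubdom/newlib-chk.patch the `flag` argument is ignored, which drops the one check glibc's `__fprintf_chk` performs: with `flag > 0` (the `_FORTIFY_SOURCE=2` level) glibc rejects a `%n` conversion when the format string lives in writable memory. The comment already says no protection is implemented, which is accurate; adding `(void) flag;` and naming the dropped `%n` check in the comment would make the gap explicit to whoever later wires FORTIFY up properly. Also, the file headers in this patch mix `newlib-1.16.0/...`, `./newlib-1.16.0/...` and `../newlib-1.16.0/...` prefixes; `patch -p0` works from the `---`/`+++` lines so it applies, but one consistent prefix would be cleaner.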
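Review bot: in the sprintf_chk.c hunk of stubdom/newlib-chk.patch, `slen` is the destination size the compiler derives from `__builtin_object_size`, and the stub passes it straight past `vsprintf`, so the one piece of FORTIFY that is cheap to keep here is lost. glibc's version uses `slen` as a bound and aborts on overflow; the equivalent is two lines, `done = vsnprintf (s, slen, format, arg);` followed by `if (done >= 0 && (size_t) done >= slen) __chk_fail ();`, where `__chk_fail` would be a Mini-OS-side function like `__stack_chk_fail`. Keep the `vsprintf` path for `slen == (size_t) -1`, the compiler's unknown-size sentinel, since newlib's `vsnprintf` returns EOF with EOVERFLOW for sizes above INT_MAX. The unused `flags` parameter should get `(void) flags;` for the same reason as in fprintf_chk.c.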