Xen devel - Mar 2009 - [PATCH][RFC] _chk_fail and _chk canaries for minios and newlib

Samuel,

I''ve made a small patch (attached) to minios and newlib that addresses
long
standing linking issues for ocaml stubdomains on non-debian distros.  While
minios and associated libraries are compiled with fno-stack-protector and no
fortify buffer overflow protections, this doesn''t produce a stubdom
free of
these dependencies when linking against third party libraries, e.g.
Libasmrun for ocaml.  It seems impractical to keep building minios specific
libraries given that these options are common on all distros (now) and a
potential impediment to creating stubdomains out of existing system
libraries.

This patch implements a minios version of the stack_chk_fail from glibc.
fprintf_chk and sprintf_chk functions have been added to newlib.  This split
was made to ensure that minios would dump the stack and exit on a
stack_chk_fail but avoid a cross-dependency between minios and newlib.  If
anyone has other suggestions, let me know.

The _chk functions are just pass through stubs because the actual fortify
implementation is not trivial for newlib.  It''s also not clear that
minios
domains benefit much from the fortify protections.  This patch supports the
needs of the ocaml stubdomain, other stubdomains using existing system
libraries may need additional _chk stubs.

George

-- 
George S. Coker, II <gscoker@alpha.ncsc.mil>



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Hello,

George S. Coker, II, le Mon 09 Mar 2009 13:08:04 -0500, a écrit
:
> This patch implements a minios version of the stack_chk_fail from glibc.
> fprintf_chk and sprintf_chk functions have been added to newlib.
Cool!  That''d be useful indeed.  I''m however wondering whether
your patch is enough for the stack protection: in my memory, gcc
assumes that the glibc is used, and on e.g. i386, it uses gs:(0x14)
for the stack canary (see a disassembly of a program compiled with
-fstack-protector-all, there''s a mov %gs:0x14,%eax lying in functions),
and as a result we need to define a proper gs in MiniOS that follows
glibc''s tcbhead_t.

The fortified printfs should be fine.

Samuel

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Hi,
I am facing some problem in booting PV-Guest OS, can someone please help
me out?

I am creating a disk image for PV-Guest as in below link

http://www.virtuatopia.com/index.php/Building_a_Xen_Virtual_Guest_Filesy
stem_on_a_Disk_Image_%28Cloning_Host_System%29

PV-guest configuration files is like below

# Kernel image file.
kernel = "/boot/vmlinuz-2.6.18.8-xen"

# Optional ramdisk.
#ramdisk = "/boot/initrd.gz"
ramdisk = "/boot/initrd-2.6.18.8-xen"
memory = 512
disk = [''tap:aio:/home/xen/PV/XenGuest1.img,xvda1,w'',
''tap:aio:/home/xen/PV/XenGuest1.swap,xvda2,w'']

extra = "3 xencons=tty"
# Set root device.
root = "/dev/xvda1"


Error messages while booting guest
-----------------------------
xm create -c xmexample_ext3
.
.
.
Waiting for device /dev/xvda1 to appear:  ok
rootfs: major=202 minor=1 devn=51713
Mounting root /dev/xvda1
EXT3-fs: INFO: recovery required on readonly filesystem.
EXT3-fs: write access will be enabled during recovery.
kjournald starting.  Commit interval 5 seconds
EXT3-fs: recovery complete.
EXT3-fs: mounted filesystem with ordered data mode.
EXT3 FS on xvda1, internal journal
INIT: version 2.86 booting
INIT: cannot execute "/etc/init.d/boot"
INIT: Entering runlevel: 3
INIT: cannot execute "/etc/init.d/rc"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: Id "4" respawning too fast: disabled for 5 minutes
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: no more processes left in this runlevel


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

George S. Coker, II, le Mon 09 Mar 2009 14:28:22 -0500, a écrit
:
> It probably isn''t enough.  It''s more of a stub to make
the linker and
> libraries happy.
Right, in this particular case it''s read-only code so it
shouldn''t
harm so much and the code could be checked-in as is.  I''m however
wondering how these reads do not trigger traps, as we unmap page 0 in
clear_bootstrap(), and thus e.g. on i386 gs:0x14 should trap.
> I was a little uncertain about the split between minios and newlib.
The way you did it seems right to me: checking printf size is more a
matter of newlib, while reacting to stack smashing is a kernel matter.

Samuel

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

On 3/9/09 1:13 PM, "Samuel Thibault"
<samuel.thibault@ens-lyon.org> wrote:
> Hello,
> 
> George S. Coker, II, le Mon 09 Mar 2009 13:08:04 -0500, a écrit :
>> This patch implements a minios version of the stack_chk_fail from
glibc.
>> fprintf_chk and sprintf_chk functions have been added to newlib.
> 
> Cool!  That''d be useful indeed.  I''m however wondering
whether
> your patch is enough for the stack protection: in my memory, gcc
> assumes that the glibc is used, and on e.g. i386, it uses gs:(0x14)
> for the stack canary (see a disassembly of a program compiled with
> -fstack-protector-all, there''s a mov %gs:0x14,%eax lying in
functions),
> and as a result we need to define a proper gs in MiniOS that follows
> glibc''s tcbhead_t.
> 
It probably isn''t enough.  It''s more of a stub to make the
linker and
libraries happy.  I can work on a more proper patch, but I was a little
uncertain about the split between minios and newlib.  It''s just not
clear
where to add new funcs because of the out-of-tree dependency on newlib.
> The fortified printfs should be fine.
> 
> Samuel
-- 
George S. Coker, II <gscoker@alpha.ncsc.mil>



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Hello,

Just resending George''s patch for inclusion.

Samuel



minios: _chk_fail and _chk canaries for minios and newlib

Add __stack_chk_fail to mini-os and __sprintf_chk __fprintf_chk to
newlib, to cope with ocaml runtimes compiled with -fstack-protector.

From: "George S. Coker, II" <gscoker@alpha.ncsc.mil>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

diff -r f8187a343ad2 extras/mini-os/lib/stack_chk_fail.c
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/extras/mini-os/lib/stack_chk_fail.c	Sat Feb 28 04:56:36 2009 -0500
@@ -0,0 +1,8 @@
+#include <kernel.h>
+#include <console.h>
+
+void __stack_chk_fail(void)
+{
+    printk("stack smashing detected\n");
+    do_exit();
+}
diff -r f8187a343ad2 stubdom/Makefile
--- a/stubdom/Makefile	Fri Feb 20 17:02:36 2009 +0000
+++ b/stubdom/Makefile	Sat Feb 28 04:56:36 2009 -0500
@@ -93,6 +93,7 @@
 newlib-$(NEWLIB_VERSION): newlib-$(NEWLIB_VERSION).tar.gz
 	tar xzf $<
 	patch -d $@ -p0 < newlib.patch
+	patch -d $@ -p0 < newlib-chk.patch
 	touch $@
 
 NEWLIB_STAMPFILE=$(CROSS_ROOT)/$(GNU_TARGET_ARCH)-xen-elf/lib/libc.a
diff -r f8187a343ad2 stubdom/newlib-chk.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/stubdom/newlib-chk.patch	Sat Feb 28 04:56:36 2009 -0500
@@ -0,0 +1,159 @@
+diff -Naur newlib-1.16.0/newlib/libc/stdio/fprintf_chk.c
newlib-1.16.0/newlib/libc/stdio/fprintf_chk.c
+--- newlib-1.16.0/newlib/libc/stdio/fprintf_chk.c	1969-12-31 19:00:00.000000000
-0500
++++ newlib-1.16.0/newlib/libc/stdio/fprintf_chk.c	2009-02-26 19:02:53.000000000
-0500
+@@ -0,0 +1,21 @@
++#include <stdarg.h>
++#include <stdio.h>
++
++/*
++ * Stub implementation of __fprintf_chk adapted from glibc 2.7.  This 
++ * doesn''t actually implement any buffer overflow protection.  It
just makes
++ * the linker happy :)
++*/
++int
++__fprintf_chk (FILE *fp, int flag, const char *format, ...)
++{
++  va_list ap;
++  int done;
++
++  va_start (ap, format);
++  done = vfprintf (fp, format, ap);
++  va_end (ap);
++
++  return done;
++}
++
+diff -Naur newlib-1.16.0/newlib/libc/stdio/Makefile.am
newlib-1.16.0/newlib/libc/stdio/Makefile.am
+--- ./newlib-1.16.0/newlib/libc/stdio/Makefile.am	2007-08-02 16:23:06.000000000
-0400
++++ ./newlib-1.16.0/newlib/libc/stdio/Makefile.am	2009-02-26 18:14:53.000000000
-0500
+@@ -20,6 +20,7 @@
+ 	flags.c			\
+ 	fopen.c			\
+ 	fprintf.c			\
++	fprintf_chk.c		\
+ 	fputc.c			\
+ 	fputs.c			\
+ 	fread.c			\
+@@ -65,6 +66,7 @@
+ 	sniprintf.c			\
+ 	snprintf.c			\
+ 	sprintf.c			\
++	sprintf_chk.c			\
+ 	sscanf.c			\
+ 	stdio.c			\
+ 	tmpfile.c			\
+diff -Naur newlib-1.16.0/newlib/libc/stdio/Makefile.in
newlib-1.16.0/newlib/libc/stdio/Makefile.in
+--- newlib-1.16.0/newlib/libc/stdio/Makefile.in	2007-12-19 17:36:38.000000000
-0500
++++ newlib-1.16.0/newlib/libc/stdio/Makefile.in	2009-02-26 18:43:52.000000000
-0500
+@@ -63,7 +63,8 @@
+ 	lib_a-fgets.$(OBJEXT) lib_a-fileno.$(OBJEXT) \
+ 	lib_a-findfp.$(OBJEXT) lib_a-fiprintf.$(OBJEXT) \
+ 	lib_a-flags.$(OBJEXT) lib_a-fopen.$(OBJEXT) \
+-	lib_a-fprintf.$(OBJEXT) lib_a-fputc.$(OBJEXT) \
++	lib_a-fprintf.$(OBJEXT) lib_a-fprintf_chk.$(OBJEXT) \
++	lib_a-fputc.$(OBJEXT) \
+ 	lib_a-fputs.$(OBJEXT) lib_a-fread.$(OBJEXT) \
+ 	lib_a-freopen.$(OBJEXT) lib_a-fscanf.$(OBJEXT) \
+ 	lib_a-fiscanf.$(OBJEXT) lib_a-fseek.$(OBJEXT) \
+@@ -86,6 +87,7 @@
+ 	lib_a-setvbuf.$(OBJEXT) lib_a-siprintf.$(OBJEXT) \
+ 	lib_a-siscanf.$(OBJEXT) lib_a-sniprintf.$(OBJEXT) \
+ 	lib_a-snprintf.$(OBJEXT) lib_a-sprintf.$(OBJEXT) \
++	lib_a-sprintf_chk.$(OBJEXT) \
+ 	lib_a-sscanf.$(OBJEXT) lib_a-stdio.$(OBJEXT) \
+ 	lib_a-tmpfile.$(OBJEXT) lib_a-tmpnam.$(OBJEXT) \
+ 	lib_a-ungetc.$(OBJEXT) lib_a-vdiprintf.$(OBJEXT) \
+@@ -122,15 +124,15 @@
+ LTLIBRARIES = $(noinst_LTLIBRARIES)
+ am__objects_4 = clearerr.lo fclose.lo fdopen.lo feof.lo ferror.lo \
+ 	fflush.lo fgetc.lo fgetpos.lo fgets.lo fileno.lo findfp.lo \
+-	fiprintf.lo flags.lo fopen.lo fprintf.lo fputc.lo fputs.lo \
+-	fread.lo freopen.lo fscanf.lo fiscanf.lo fseek.lo fsetpos.lo \
++	fiprintf.lo flags.lo fopen.lo fprintf.lo fprintf_chk.lo fputc.lo \
++	fputs.lo fread.lo freopen.lo fscanf.lo fiscanf.lo fseek.lo fsetpos.lo \
+ 	ftell.lo fvwrite.lo fwalk.lo fwrite.lo getc.lo getchar.lo \
+ 	getc_u.lo getchar_u.lo getdelim.lo getline.lo gets.lo \
+ 	iprintf.lo iscanf.lo makebuf.lo perror.lo printf.lo putc.lo \
+ 	putchar.lo putc_u.lo putchar_u.lo puts.lo refill.lo remove.lo \
+ 	rename.lo rewind.lo rget.lo scanf.lo sccl.lo setbuf.lo \
+ 	setbuffer.lo setlinebuf.lo setvbuf.lo siprintf.lo siscanf.lo \
+-	sniprintf.lo snprintf.lo sprintf.lo sscanf.lo stdio.lo \
++	sniprintf.lo snprintf.lo sprintf.lo sprintf_chk.lo sscanf.lo stdio.lo \
+ 	tmpfile.lo tmpnam.lo ungetc.lo vdiprintf.lo vdprintf.lo \
+ 	viprintf.lo viscanf.lo vprintf.lo vscanf.lo vsiprintf.lo \
+ 	vsiscanf.lo vsnprintf.lo vsniprintf.lo vsprintf.lo vsscanf.lo \
+@@ -344,6 +346,7 @@
+ 	flags.c			\
+ 	fopen.c			\
+ 	fprintf.c			\
++	fprintf_chk.c			\
+ 	fputc.c			\
+ 	fputs.c			\
+ 	fread.c			\
+@@ -389,6 +392,7 @@
+ 	sniprintf.c			\
+ 	snprintf.c			\
+ 	sprintf.c			\
++	sprintf_chk.c			\
+ 	sscanf.c			\
+ 	stdio.c			\
+ 	tmpfile.c			\
+@@ -508,6 +512,7 @@
+ 	siprintf.def		\
+ 	siscanf.def		\
+ 	sprintf.def		\
++	sprintf_chk.def		\
+ 	sscanf.def		\
+ 	tmpfile.def		\
+ 	tmpnam.def		\
+@@ -678,6 +683,12 @@
+ lib_a-fprintf.obj: fprintf.c
+ 	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS)
$(lib_a_CFLAGS) $(CFLAGS) -c -o lib_a-fprintf.obj `if test -f
''fprintf.c''; then $(CYGPATH_W) ''fprintf.c'';
else $(CYGPATH_W) ''$(srcdir)/fprintf.c''; fi`
+ 
++lib_a-fprintf_chk.o: fprintf_chk.c
++	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS)
$(lib_a_CFLAGS) $(CFLAGS) -c -o lib_a-fprintf_chk.o `test -f
''fprintf_chk.c'' || echo
''$(srcdir)/''`fprintf_chk.c
++
++lib_a-fprintf_chk.obj: fprintf_chk.c
++	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS)
$(lib_a_CFLAGS) $(CFLAGS) -c -o lib_a-fprintf_chk.obj `if test -f
''fprintf_chk.c''; then $(CYGPATH_W)
''fprintf_chk.c''; else $(CYGPATH_W)
''$(srcdir)/fprintf_chk.c''; fi`
++
+ lib_a-fputc.o: fputc.c
+ 	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS)
$(lib_a_CFLAGS) $(CFLAGS) -c -o lib_a-fputc.o `test -f
''fputc.c'' || echo ''$(srcdir)/''`fputc.c
+ 
+@@ -948,6 +959,12 @@
+ lib_a-sprintf.obj: sprintf.c
+ 	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS)
$(lib_a_CFLAGS) $(CFLAGS) -c -o lib_a-sprintf.obj `if test -f
''sprintf.c''; then $(CYGPATH_W) ''sprintf.c'';
else $(CYGPATH_W) ''$(srcdir)/sprintf.c''; fi`
+ 
++lib_a-sprintf_chk.o: sprintf_chk.c
++	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS)
$(lib_a_CFLAGS) $(CFLAGS) -c -o lib_a-sprintf_chk.o `test -f
''sprintf_chk.c'' || echo
''$(srcdir)/''`sprintf_chk.c
++
++lib_a-sprintf_chk.obj: sprintf_chk.c
++	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS)
$(lib_a_CFLAGS) $(CFLAGS) -c -o lib_a-sprintf_chk.obj `if test -f
''sprintf_chk.c''; then $(CYGPATH_W)
''sprintf_chk.c''; else $(CYGPATH_W)
''$(srcdir)/sprintf_chk.c''; fi`
++
+ lib_a-sscanf.o: sscanf.c
+ 	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS)
$(lib_a_CFLAGS) $(CFLAGS) -c -o lib_a-sscanf.o `test -f
''sscanf.c'' || echo ''$(srcdir)/''`sscanf.c
+ 
+diff -Naur ./newlib-1.16.0/newlib/libc/stdio/sprintf_chk.c
../newlib-1.16.0/newlib/libc/stdio/sprintf_chk.c
+--- newlib-1.16.0/newlib/libc/stdio/sprintf_chk.c	1969-12-31 19:00:00.000000000
-0500
++++ newlib-1.16.0/newlib/libc/stdio/sprintf_chk.c	2009-02-26 19:02:26.000000000
-0500
+@@ -0,0 +1,21 @@
++#include <stdarg.h>
++#include <stdio.h>
++
++/*
++ * Stub implementation of __sprintf_chk adapted from glibc 2.7.  This 
++ * doesn''t actually implement any buffer overflow protection.  It
just makes
++ * the linker happy :)
++*/
++int
++__sprintf_chk (char *s, int flags, size_t slen, const char *format, ...)
++{
++  va_list arg;
++  int done;
++
++  va_start (arg, format);
++  done = vsprintf (s, format, arg);
++  va_end (arg);
++
++  return done;
++}
++

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel