Attachment 472320 Details for Bug 616238 – diff_5.1.22_dlopen_fix

[patch] diff_5.1.22_dlopen_fix

diff_5.1.22_dlopen_fix.patch (text/plain), 7.01 KB, created by Mike Greene on 2017-05-11 11:02:03 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Mike Greene

Created: 2017-05-11 11:02:03 UTC

Size: 7.01 KB

patch

obsolete

>Index: VirtualBox-5.1.22/src/VBox/HostDrivers/Support/posix/SUPR3HardenedMain-posix.cpp
>===================================================================
>--- VirtualBox-5.1.22/src/VBox/HostDrivers/Support/posix/SUPR3HardenedMain-posix.cpp	(revision 115126)
>+++ VirtualBox-5.1.22/src/VBox/HostDrivers/Support/posix/SUPR3HardenedMain-posix.cpp	(revision 115307)
>@@ -341,6 +341,7 @@
>      * Patch 64-bit hosts.
>      */
>     uint32_t cRipRelMovs = 0;
>+    uint32_t cRelCalls = 0;
> 
>     /* Just use the disassembler to skip 12 bytes or more, we might need to
>        rewrite mov instructions using RIP relative addressing. */
>@@ -349,7 +350,8 @@
>         cbInstr = 1;
>         int rc = DISInstr(pbTarget + offJmpBack, DISCPUMODE_64BIT, &Dis, &cbInstr);
>         if (   RT_FAILURE(rc)
>-            || (Dis.pCurInstr->fOpType & DISOPTYPE_CONTROLFLOW)
>+            || (   Dis.pCurInstr->fOpType & DISOPTYPE_CONTROLFLOW
>+                && Dis.pCurInstr->uOpcode != OP_CALL)
>             || (   Dis.ModRM.Bits.Mod == 0
>                 && Dis.ModRM.Bits.Rm  == 5 /* wrt RIP */
>                 && Dis.pCurInstr->uOpcode != OP_MOV))
>@@ -357,15 +359,23 @@
> 
>         if (Dis.ModRM.Bits.Mod == 0 && Dis.ModRM.Bits.Rm == 5 /* wrt RIP */)
>             cRipRelMovs++;
>+        if (   Dis.pCurInstr->uOpcode == OP_CALL
>+            && (Dis.pCurInstr->fOpType & DISOPTYPE_RELATIVE_CONTROLFLOW))
>+            cRelCalls++;
> 
>         offJmpBack += cbInstr;
>         cbPatchMem += cbInstr;
>     }
> 
>+    /*
>+     * Each relative call requires extra bytes as it is converted to a pushq imm32
>+     * + mov [RSP+4], imm32 + a jmp qword [$+8 wrt RIP] to avoid clobbering registers.
>+     */
>+    cbPatchMem += cRelCalls * RT_ALIGN_32(13 + 6 + 8, 8);
>     cbPatchMem += 14; /* jmp qword [$+8 wrt RIP] + 8 byte address to jump to. */
>     cbPatchMem = RT_ALIGN_32(cbPatchMem, 8);
> 
>-    /* Allocate suitable exectuable memory available. */
>+    /* Allocate suitable executable memory available. */
>     bool fConvRipRelMovs = false;
>     uint8_t *pbPatchMem = supR3HardenedMainPosixExecMemAlloc(cbPatchMem, pbTarget, cRipRelMovs > 0);
>     if (!pbPatchMem)
>@@ -396,7 +406,8 @@
>         cbInstr = 1;
>         int rc = DISInstr(pbTarget + offInsn, DISCPUMODE_64BIT, &Dis, &cbInstr);
>         if (   RT_FAILURE(rc)
>-            || (Dis.pCurInstr->fOpType & DISOPTYPE_CONTROLFLOW))
>+            || (   Dis.pCurInstr->fOpType & DISOPTYPE_CONTROLFLOW
>+                && Dis.pCurInstr->uOpcode != OP_CALL))
>             return VERR_SUPLIB_UNEXPECTED_INSTRUCTION;
> 
>         if (   Dis.ModRM.Bits.Mod == 0
>@@ -439,6 +450,34 @@
>                 pbPatchMem   += sizeof(int32_t);
>             }
>         }
>+        else if (   Dis.pCurInstr->uOpcode == OP_CALL
>+                 && (Dis.pCurInstr->fOpType & DISOPTYPE_RELATIVE_CONTROLFLOW))
>+        {
>+            /* Convert to absolute jump. */
>+            uintptr_t uAddr = (uintptr_t)&pbTarget[offInsn + cbInstr] + (intptr_t)Dis.Param1.uValue;
>+
>+            /* Skip the push instructions till the return address is known. */
>+            uint8_t *pbPatchMemPush = pbPatchMem;
>+            pbPatchMem += 13;
>+
>+            *pbPatchMem++ = 0xff; /* jmp qword [$+8 wrt RIP] */
>+            *pbPatchMem++ = 0x25;
>+            *(uint32_t *)pbPatchMem = (uint32_t)(RT_ALIGN_PT(pbPatchMem + 4, 8, uint8_t *) - (pbPatchMem + 4));
>+            pbPatchMem = RT_ALIGN_PT(pbPatchMem + 4, 8, uint8_t *);
>+            *(uint64_t *)pbPatchMem = uAddr;
>+            pbPatchMem += sizeof(uint64_t);
>+
>+            /* Push the return address onto stack. Difficult on amd64 without clobbering registers... */
>+            uintptr_t uAddrReturn = (uintptr_t)pbPatchMem;
>+            *pbPatchMemPush++ = 0x68; /* push imm32 sign-extended as 64-bit*/
>+            *(uint32_t *)pbPatchMemPush = RT_LO_U32(uAddrReturn);
>+            pbPatchMemPush += sizeof(uint32_t);
>+            *pbPatchMemPush++ = 0xc7;
>+            *pbPatchMemPush++ = 0x44;
>+            *pbPatchMemPush++ = 0x24;
>+            *pbPatchMemPush++ = 0x04; /* movl [RSP+4], imm32 */
>+            *(uint32_t *)pbPatchMemPush = RT_HI_U32(uAddrReturn);
>+        }
>         else
>         {
>             memcpy(pbPatchMem, pbTarget + offInsn, cbInstr);
>Index: VirtualBox-5.1.22/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
>===================================================================
>--- VirtualBox-5.1.22/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp	(revision 115126)
>+++ VirtualBox-5.1.22/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp	(revision 115307)
>@@ -86,6 +86,9 @@
> /** The max path length acceptable for a trusted path. */
> #define SUPR3HARDENED_MAX_PATH      260U
> 
>+/** Enable to resolve symlinks using realpath() instead of cooking our own stuff. */
>+#define SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH 1
>+
> #ifdef RT_OS_SOLARIS
> # define dirfd(d) ((d)->d_fd)
> #endif
>@@ -1091,7 +1094,8 @@
> #endif
> 
> 
>-#if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX)
>+#ifndef SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH
>+# if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX)
> /**
>  * Copies the error message to the error buffer and returns @a rc.
>  *
>@@ -1104,6 +1108,7 @@
> {
>     return supR3HardenedSetErrorN(rc, pErrInfo, 1, pszMsg);
> }
>+# endif
> #endif
> 
> 
>@@ -1893,7 +1898,9 @@
>     /*
>      * Verify each component from the root up.
>      */
>+#ifndef SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH
>     uint32_t                iLoops = 0;
>+#endif
>     SUPR3HARDENEDFSOBJSTATE FsObjState;
>     uint32_t                iComponent = 0;
>     while (iComponent < Info.cComponents)
>@@ -1915,6 +1922,24 @@
>             if (   RT_SUCCESS(rc)
>                 && S_ISLNK(FsObjState.Stat.st_mode))
>             {
>+#if SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH /* Another approach using realpath() and verifying the result when encountering a symlink. */
>+                char *pszFilenameResolved = realpath(pszFilename, NULL);
>+                if (pszFilenameResolved)
>+                {
>+                    rc = supR3HardenedVerifyFile(pszFilenameResolved, hNativeFile, fMaybe3rdParty, pErrInfo);
>+                    free(pszFilenameResolved);
>+                    return rc;
>+                }
>+                else
>+                {
>+                    int iErr = errno;
>+                    supR3HardenedError(VERR_ACCESS_DENIED, false /*fFatal*/,
>+                                       "supR3HardenedVerifyFileFollowSymlinks: Failed to resolve the real path '%s': %s (%d)\n",
>+                                       pszFilename, strerror(iErr), iErr);
>+                    return supR3HardenedSetError4(VERR_ACCESS_DENIED, pErrInfo,
>+                                                  "realpath failed for '", pszFilename, "': ", strerror(iErr));
>+                }
>+#else
>                 /* Don't loop forever. */
>                 iLoops++;
>                 if (iLoops < 8)
>@@ -1989,6 +2014,7 @@
>                 else
>                     return supR3HardenedSetError3(VERR_TOO_MANY_SYMLINKS, pErrInfo,
>                                                   "Too many symbolic links: '", pszFilename, "'");
>+#endif
>             }
>         }
>         if (RT_FAILURE(rc))

Actions: View | Diff

Attachments on bug 616238: 472320