vbatts/grub
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Verify modules on build-time rather than failing in runtime.

Browse source
This commit is contained in:
Vladimir Serbinenko 2015-12-31 13:09:15 +01:00
parent 5919626c90
commit a7cf8b1e23
7 changed files with 468 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
grub-core/Makefile.am
View file

@ -39,6 +39,10 @@ gentrigtables$(BUILD_EXEEXT): gentrigtables.c
$(BUILD_CC) -o $@ -I$(top_srcdir)/include $(BUILD_CFLAGS) $(BUILD_CPPFLAGS) $(BUILD_LDFLAGS) $< $(BUILD_LIBM) $(BUILD_CC) -o $@ -I$(top_srcdir)/include $(BUILD_CFLAGS) $(BUILD_CPPFLAGS) $(BUILD_LDFLAGS) $< $(BUILD_LIBM)
CLEANFILES += gentrigtables$(BUILD_EXEEXT) CLEANFILES += gentrigtables$(BUILD_EXEEXT)
build-grub-module-verifier$(BUILD_EXEEXT): $(top_srcdir)/util/grub-module-verifier.c $(top_srcdir)/util/grub-module-verifier32.c $(top_srcdir)/util/grub-module-verifier64.c $(top_srcdir)/grub-core/kern/emu/misc.c $(top_srcdir)/util/misc.c
$(BUILD_CC) -o $@ -I$(top_srcdir)/include $(BUILD_CFLAGS) $(BUILD_CPPFLAGS) $(BUILD_LDFLAGS) -DGRUB_BUILD=1 -DGRUB_UTIL=1 -DGRUB_BUILD_PROGRAM_NAME=\"build-grub-module-verifier\" $^
CLEANFILES += build-grub-module-verifier$(BUILD_EXEEXT)
# trigtables.c # trigtables.c
trigtables.c: gentrigtables$(BUILD_EXEEXT) gentrigtables.c $(top_srcdir)/configure.ac trigtables.c: gentrigtables$(BUILD_EXEEXT) gentrigtables.c $(top_srcdir)/configure.ac
./gentrigtables$(BUILD_EXEEXT) > $@ ./gentrigtables$(BUILD_EXEEXT) > $@
@ -390,7 +394,7 @@ moddep.lst: syminfo.lst genmoddep.awk video.lst
platform_DATA += moddep.lst platform_DATA += moddep.lst
CLEANFILES += config.log syminfo.lst moddep.lst CLEANFILES += config.log syminfo.lst moddep.lst
$(MOD_FILES): %.mod : genmod.sh moddep.lst %.module$(EXEEXT) $(MOD_FILES): %.mod : genmod.sh moddep.lst %.module$(EXEEXT) build-grub-module-verifier
TARGET_OBJ2ELF=@TARGET_OBJ2ELF@ sh $^ $@ TARGET_OBJ2ELF=@TARGET_OBJ2ELF@ sh $^ $@
platform_DATA += $(MOD_FILES) platform_DATA += $(MOD_FILES)
platform_DATA += modinfo.sh platform_DATA += modinfo.sh

5
grub-core/genmod.sh.in
View file

@ -15,12 +15,12 @@ set -e
# #
# Example: # Example:
# #
# genmod.sh moddep.lst normal.module normal.mod # genmod.sh moddep.lst normal.module build-grub-module-verifier normal.mod
# #
moddep=$1 moddep=$1
infile=$2 infile=$2
outfile=$3 outfile=$4
tmpfile=${outfile}.tmp tmpfile=${outfile}.tmp
modname=`echo $infile | sed -e 's@\.module.*$@@'` modname=`echo $infile | sed -e 's@\.module.*$@@'`
@ -93,4 +93,5 @@ else
-wd1106 -nu -nd $tmpfile.bin $tmpfile || exit 1 -wd1106 -nu -nd $tmpfile.bin $tmpfile || exit 1
rm -f $name.bin rm -f $name.bin
fi fi
./build-grub-module-verifier $tmpfile @target_cpu@
mv $tmpfile $outfile mv $tmpfile $outfile

19
include/grub/module_verifier.h Normal file
View file

@ -0,0 +1,19 @@
#include <stdint.h>
#include <stdlib.h>
#include <grub/types.h>
#define GRUB_MODULE_VERIFY_SUPPORTS_REL 1
#define GRUB_MODULE_VERIFY_SUPPORTS_RELA 2
struct grub_module_verifier_arch {
const char *name;
int voidp_sizeof;
int bigendian;
int machine;
int flags;
const int *supported_relocations;
};
void grub_module_verify64(void *module_img, size_t module_size, const struct grub_module_verifier_arch *arch);
void grub_module_verify32(void *module_img, size_t module_size, const struct grub_module_verifier_arch *arch);

122
util/grub-module-verifier.c Normal file
View file

@ -0,0 +1,122 @@
#include <stdio.h>
#include <string.h>
#include <grub/elf.h>
#include <grub/module_verifier.h>
#include <grub/misc.h>
#include <grub/util/misc.h>
struct grub_module_verifier_arch archs[] = {
{ "i386", 4, 0, EM_386, GRUB_MODULE_VERIFY_SUPPORTS_REL, (int[]){
R_386_32,
R_386_PC32,
-1
} },
{ "x86_64", 8, 0, EM_X86_64, GRUB_MODULE_VERIFY_SUPPORTS_RELA, (int[]){
R_X86_64_64,
R_X86_64_PC64,
/* R_X86_64_32, R_X86_64_32S, R_X86_64_PC32 are supported but shouldn't be used because of their limited range. */
-1
} },
{ "powerpc", 4, 1, EM_PPC, GRUB_MODULE_VERIFY_SUPPORTS_RELA, (int[]){
GRUB_ELF_R_PPC_ADDR16_LO,
GRUB_ELF_R_PPC_REL24, /* It has limited range but GRUB adds trampolines when necessarry. */
GRUB_ELF_R_PPC_ADDR16_HA,
GRUB_ELF_R_PPC_ADDR32,
GRUB_ELF_R_PPC_REL32,
-1
} },
{ "sparc64", 8, 1, EM_SPARCV9, GRUB_MODULE_VERIFY_SUPPORTS_RELA, (int[]){
R_SPARC_WDISP30, /* It has limited range but GRUB adds trampolines when necessarry. */
R_SPARC_HH22,
R_SPARC_HM10,
R_SPARC_LM22,
R_SPARC_LO10,
R_SPARC_64,
R_SPARC_OLO10,
/* R_SPARC_32, R_SPARC_HI22 are supported but shouldn't be used because of their limited range. */
-1
} },
{ "ia64", 8, 0, EM_IA_64, GRUB_MODULE_VERIFY_SUPPORTS_RELA, (int[]){
R_IA64_PCREL21B, /* We should verify that it's pointing either
to a function or to a section in the same module. */
R_IA64_SEGREL64LSB,
R_IA64_FPTR64LSB,
R_IA64_DIR64LSB,
R_IA64_PCREL64LSB,
R_IA64_GPREL22, /* We should verify that it's pointing to a section in the same module. */
R_IA64_LTOFF22X,
R_IA64_LTOFF22,
R_IA64_LTOFF_FPTR22,
R_IA64_LDXMOV,
-1
} },
{ "mipsel", 4, 0, EM_MIPS, GRUB_MODULE_VERIFY_SUPPORTS_REL | GRUB_MODULE_VERIFY_SUPPORTS_RELA, (int[]){
R_MIPS_HI16,
R_MIPS_LO16,
R_MIPS_32,
R_MIPS_GPREL32,
R_MIPS_26,
R_MIPS_GOT16,
R_MIPS_CALL16,
R_MIPS_JALR,
-1
} },
{ "mips", 4, 1, EM_MIPS, GRUB_MODULE_VERIFY_SUPPORTS_REL | GRUB_MODULE_VERIFY_SUPPORTS_RELA, (int[]){
R_MIPS_HI16,
R_MIPS_LO16,
R_MIPS_32,
R_MIPS_GPREL32,
R_MIPS_26,
R_MIPS_GOT16,
R_MIPS_CALL16,
R_MIPS_JALR,
-1
} },
{ "arm", 4, 0, EM_ARM, GRUB_MODULE_VERIFY_SUPPORTS_REL, (int[]){
/* Some relocations are range-limited but trampolines are added when necessarry. */
R_ARM_ABS32,
R_ARM_CALL,
R_ARM_JUMP24,
R_ARM_THM_CALL,
R_ARM_THM_JUMP24,
R_ARM_V4BX,
R_ARM_THM_MOVW_ABS_NC,
R_ARM_THM_MOVT_ABS,
R_ARM_THM_JUMP19,
-1
} },
{ "arm64", 8, 0, EM_AARCH64, GRUB_MODULE_VERIFY_SUPPORTS_REL | GRUB_MODULE_VERIFY_SUPPORTS_RELA, (int[]){
R_AARCH64_ABS64,
R_AARCH64_CALL26,
R_AARCH64_JUMP26,
-1
} },
};
int
main (int argc, char **argv)
{
size_t module_size;
unsigned arch;
char *module_img;
if (argc != 3) {
fprintf (stderr, "usage: %s FILE ARCH\n", argv[0]);
return 1;
}
for (arch = 0; arch < ARRAY_SIZE(archs); arch++)
if (strcmp(archs[arch].name, argv[2]) == 0)
break;
if (arch == ARRAY_SIZE(archs))
grub_util_error("unknown arch: %s", argv[2]);
module_size = grub_util_get_image_size (argv[1]);
module_img = grub_util_read_image (argv[1]);
if (archs[arch].voidp_sizeof == 8)
grub_module_verify64(module_img, module_size, &archs[arch]);
else
grub_module_verify32(module_img, module_size, &archs[arch]);
return 0;
}

2
util/grub-module-verifier32.c Normal file
View file

@ -0,0 +1,2 @@
#define MODULEVERIFIER_ELF32 1
#include "grub-module-verifierXX.c"

2
util/grub-module-verifier64.c Normal file
View file

@ -0,0 +1,2 @@
#define MODULEVERIFIER_ELF64 1
#include "grub-module-verifierXX.c"

315
util/grub-module-verifierXX.c Normal file
View file

@ -0,0 +1,315 @@
#include <string.h>
#include <grub/elf.h>
#include <grub/module_verifier.h>
#include <grub/util/misc.h>
#if defined(MODULEVERIFIER_ELF32)
# define SUFFIX(x) x ## 32
# define ELFCLASSXX ELFCLASS32
# define Elf_Ehdr Elf32_Ehdr
# define Elf_Phdr Elf32_Phdr
# define Elf_Nhdr Elf32_Nhdr
# define Elf_Addr Elf32_Addr
# define Elf_Sym Elf32_Sym
# define Elf_Off Elf32_Off
# define Elf_Shdr Elf32_Shdr
# define Elf_Rela Elf32_Rela
# define Elf_Rel Elf32_Rel
# define Elf_Word Elf32_Word
# define Elf_Half Elf32_Half
# define Elf_Section Elf32_Section
# define ELF_R_SYM(val) ELF32_R_SYM(val)
# define ELF_R_TYPE(val) ELF32_R_TYPE(val)
# define ELF_ST_TYPE(val) ELF32_ST_TYPE(val)
#elif defined(MODULEVERIFIER_ELF64)
# define SUFFIX(x) x ## 64
# define ELFCLASSXX ELFCLASS64
# define Elf_Ehdr Elf64_Ehdr
# define Elf_Phdr Elf64_Phdr
# define Elf_Nhdr Elf64_Nhdr
# define Elf_Addr Elf64_Addr
# define Elf_Sym Elf64_Sym
# define Elf_Off Elf64_Off
# define Elf_Shdr Elf64_Shdr
# define Elf_Rela Elf64_Rela
# define Elf_Rel Elf64_Rel
# define Elf_Word Elf64_Word
# define Elf_Half Elf64_Half
# define Elf_Section Elf64_Section
# define ELF_R_SYM(val) ELF64_R_SYM(val)
# define ELF_R_TYPE(val) ELF64_R_TYPE(val)
# define ELF_ST_TYPE(val) ELF64_ST_TYPE(val)
#else
#error "I'm confused"
#endif
#define grub_target_to_host32(x) (grub_target_to_host32_real (arch, (x)))
#define grub_host_to_target32(x) (grub_host_to_target32_real (arch, (x)))
#define grub_target_to_host64(x) (grub_target_to_host64_real (arch, (x)))
#define grub_host_to_target64(x) (grub_host_to_target64_real (arch, (x)))
#define grub_host_to_target_addr(x) (grub_host_to_target_addr_real (arch, (x)))
#define grub_target_to_host16(x) (grub_target_to_host16_real (arch, (x)))
#define grub_host_to_target16(x) (grub_host_to_target16_real (arch, (x)))
#define grub_target_to_host(val) grub_target_to_host_real(arch, (val))
static inline grub_uint32_t
grub_target_to_host32_real (const struct grub_module_verifier_arch *arch,
grub_uint32_t in)
{
if (arch->bigendian)
return grub_be_to_cpu32 (in);
else
return grub_le_to_cpu32 (in);
}
static inline grub_uint64_t
grub_target_to_host64_real (const struct grub_module_verifier_arch *arch,
grub_uint64_t in)
{
if (arch->bigendian)
return grub_be_to_cpu64 (in);
else
return grub_le_to_cpu64 (in);
}
static inline grub_uint64_t
grub_host_to_target64_real (const struct grub_module_verifier_arch *arch,
grub_uint64_t in)
{
if (arch->bigendian)
return grub_cpu_to_be64 (in);
else
return grub_cpu_to_le64 (in);
}
static inline grub_uint32_t
grub_host_to_target32_real (const struct grub_module_verifier_arch *arch,
grub_uint32_t in)
{
if (arch->bigendian)
return grub_cpu_to_be32 (in);
else
return grub_cpu_to_le32 (in);
}
static inline grub_uint16_t
grub_target_to_host16_real (const struct grub_module_verifier_arch *arch,
grub_uint16_t in)
{
if (arch->bigendian)
return grub_be_to_cpu16 (in);
else
return grub_le_to_cpu16 (in);
}
static inline grub_uint16_t
grub_host_to_target16_real (const struct grub_module_verifier_arch *arch,
grub_uint16_t in)
{
if (arch->bigendian)
return grub_cpu_to_be16 (in);
else
return grub_cpu_to_le16 (in);
}
static inline grub_uint64_t
grub_host_to_target_addr_real (const struct grub_module_verifier_arch *arch, grub_uint64_t in)
{
if (arch->voidp_sizeof == 8)
return grub_host_to_target64_real (arch, in);
else
return grub_host_to_target32_real (arch, in);
}
static inline grub_uint64_t
grub_target_to_host_real (const struct grub_module_verifier_arch *arch, grub_uint64_t in)
{
if (arch->voidp_sizeof == 8)
return grub_target_to_host64_real (arch, in);
else
return grub_target_to_host32_real (arch, in);
}
static Elf_Shdr *
find_section (const struct grub_module_verifier_arch *arch, Elf_Ehdr *e, const char *name)
{
Elf_Shdr *s;
const char *str;
unsigned i;
s = (Elf_Shdr *) ((char *) e + grub_target_to_host (e->e_shoff) + grub_target_to_host16 (e->e_shstrndx) * grub_target_to_host16 (e->e_shentsize));
str = (char *) e + grub_target_to_host (s->sh_offset);
for (i = 0, s = (Elf_Shdr *) ((char *) e + grub_target_to_host (e->e_shoff));
i < grub_target_to_host16 (e->e_shnum);
i++, s = (Elf_Shdr *) ((char *) s + grub_target_to_host16 (e->e_shentsize)))
if (strcmp (str + grub_target_to_host32 (s->sh_name), name) == 0)
return s;
return NULL;
}
static void
check_license (const struct grub_module_verifier_arch *arch, Elf_Ehdr *e)
{
Elf_Shdr *s = find_section (arch, e, ".module_license");
if (s && (strcmp ((char *) e + grub_target_to_host(s->sh_offset), "LICENSE=GPLv3") == 0
|| strcmp ((char *) e + grub_target_to_host(s->sh_offset), "LICENSE=GPLv3+") == 0
|| strcmp ((char *) e + grub_target_to_host(s->sh_offset), "LICENSE=GPLv2+") == 0))
return;
grub_util_error ("incompatible license");
}
static void
check_symbols (const struct grub_module_verifier_arch *arch, Elf_Ehdr *e)
{
unsigned i;
Elf_Shdr *s, *sections;
Elf_Sym *sym;
const char *str;
Elf_Word size, entsize;
sections = (Elf_Shdr *) ((char *) e + grub_target_to_host (e->e_shoff));
for (i = 0, s = sections;
i < grub_target_to_host16 (e->e_shnum);
i++, s = (Elf_Shdr *) ((char *) s + grub_target_to_host16 (e->e_shentsize)))
if (grub_target_to_host32 (s->sh_type) == SHT_SYMTAB)
break;
if (i == grub_target_to_host16 (e->e_shnum))
grub_util_error ("no symbol table");
sym = (Elf_Sym *) ((char *) e + grub_target_to_host (s->sh_offset));
size = grub_target_to_host (s->sh_size);
entsize = grub_target_to_host (s->sh_entsize);
s = (Elf_Shdr *) ((char *) sections + grub_target_to_host16 (e->e_shentsize) * grub_target_to_host32 (s->sh_link));
str = (char *) e + grub_target_to_host (s->sh_offset);
for (i = 0;
i < size / entsize;
i++, sym = (Elf_Sym *) ((char *) sym + entsize))
{
unsigned char type = ELF_ST_TYPE (sym->st_info);
switch (type)
{
case STT_NOTYPE:
case STT_OBJECT:
case STT_FUNC:
case STT_SECTION:
case STT_FILE:
break;
default:
return grub_util_error ("unknown symbol type `%d'", (int) type);
}
}
}
/* Relocate symbols. */
static void
section_check_relocations (const struct grub_module_verifier_arch *arch, void *ehdr,
Elf_Shdr *s, size_t target_seg_size)
{
Elf_Rel *rel, *max;
for (rel = (Elf_Rel *) ((char *) ehdr + grub_target_to_host (s->sh_offset)),
max = (Elf_Rel *) ((char *) rel + grub_target_to_host (s->sh_size));
rel < max;
rel = (Elf_Rel *) ((char *) rel + grub_target_to_host (s->sh_entsize)))
{
Elf_Word *addr;
Elf_Sym *sym;
unsigned i;
if (target_seg_size < grub_target_to_host (rel->r_offset))
grub_util_error ("reloc offset is out of the segment");
grub_uint32_t type = ELF_R_TYPE (grub_target_to_host (rel->r_info));
if (arch->machine == EM_SPARCV9)
type &= 0xff;
for (i = 0; arch->supported_relocations[i] != -1; i++)
if (type == arch->supported_relocations[i])
break;
if (arch->supported_relocations[i] == -1)
grub_util_error ("unsupported relocation 0x%x", type);
}
}
static void
check_relocations (const struct grub_module_verifier_arch *arch, Elf_Ehdr *e)
{
Elf_Shdr *s;
unsigned i;
for (i = 0, s = (Elf_Shdr *) ((char *) e + grub_target_to_host (e->e_shoff));
i < grub_target_to_host16 (e->e_shnum);
i++, s = (Elf_Shdr *) ((char *) s + grub_target_to_host16 (e->e_shentsize)))
if (grub_target_to_host32 (s->sh_type) == SHT_REL || grub_target_to_host32 (s->sh_type) == SHT_RELA)
{
Elf_Shdr *ts;
if (grub_target_to_host32 (s->sh_type) == SHT_REL && !(arch->flags & GRUB_MODULE_VERIFY_SUPPORTS_REL))
grub_util_error ("unsupported SHT_REL");
if (grub_target_to_host32 (s->sh_type) == SHT_RELA && !(arch->flags & GRUB_MODULE_VERIFY_SUPPORTS_RELA))
grub_util_error ("unsupported SHT_RELA");
/* Find the target segment. */
if (grub_target_to_host32 (s->sh_info) >= grub_target_to_host16 (e->e_shnum))
grub_util_error ("orphaned reloc section");
ts = (Elf_Shdr *) ((char *) e + grub_target_to_host (e->e_shoff) + grub_target_to_host32 (s->sh_info) * grub_target_to_host16 (e->e_shentsize));
section_check_relocations (arch, e, s, grub_target_to_host (ts->sh_size));
}
}
void
SUFFIX(grub_module_verify) (void *module_img, size_t size, const struct grub_module_verifier_arch *arch)
{
Elf_Ehdr *e = module_img;
/* Check the header size. */
if (size < sizeof (Elf_Ehdr))
grub_util_error ("ELF header smaller than expected");
/* Check the magic numbers. */
if (e->e_ident[EI_MAG0] != ELFMAG0
|| e->e_ident[EI_MAG1] != ELFMAG1
|| e->e_ident[EI_MAG2] != ELFMAG2
|| e->e_ident[EI_MAG3] != ELFMAG3
|| e->e_ident[EI_VERSION] != EV_CURRENT
|| grub_target_to_host32 (e->e_version) != EV_CURRENT)
grub_util_error ("invalid arch-independent ELF magic");
if (e->e_ident[EI_CLASS] != ELFCLASSXX
|| e->e_ident[EI_DATA] != (arch->bigendian ? ELFDATA2MSB : ELFDATA2LSB)
|| grub_target_to_host16 (e->e_machine) != arch->machine)
grub_util_error ("invalid arch-dependent ELF magic");
if (grub_target_to_host16 (e->e_type) != ET_REL)
{
grub_util_error ("this ELF file is not of the right type");
}
/* Make sure that every section is within the core. */
if (size < grub_target_to_host (e->e_shoff)
+ grub_target_to_host16 (e->e_shentsize) * grub_target_to_host16(e->e_shnum))
{
grub_util_error ("ELF sections outside core");
}
check_license (arch, e);
Elf_Shdr *s;
s = find_section (arch, e, ".modname");
if (!s)
grub_util_error ("no module name found");
check_symbols(arch, e);
check_relocations(arch, e);
}