elf: align_up usage susceptible to data loss
#70
Conversation
iulianbarbu
force-pushed
the
fix_truncate_address
branch
2 times, most recently
from
18760a4 to
f5fe183
Compare
src/loader/x86_64/elf/mod.rs
Outdated
| let descsz_aligned = align_up(u64::from(nhdr.n_descsz), n_align)?; | ||
| // How to compute next notes fields can be found in this man page: | ||
| // https://man7.org/linux/man-pages/man5/elf.5.html. | ||
| let namesz_aligned = align_up(u64::from(nhdr.n_namesz), 4)?; |
There was a problem hiding this comment.
I'm not sure we should discard n_align here. The man page linked doesn't specifically call out the alignment being 4 (it's 4 in the example snippet but not in the definition) -
Note sections contain a series of notes (see the struct
definitions below). Each note is followed by the name field
(whose length is defined in n_namesz) and then by the descriptor
field (whose length is defined in n_descsz) and whose starting
address has a 4 byte alignment.
However, the alignment used throughout the file (and which should be consistent with the one in memory) is in this case n_align, read from the program header -
p_align
This member holds the value to which the segments are
aligned in memory and in the file.
There was a problem hiding this comment.
I've done some research and my understanding is that p_align refers to segments alignment rather than name or desc notes fields alignment. There are also other resources that point to 4-byte alignment [1], [2], [3], [4]. [1] mentions about an alignment dependent on the arch reg size (4 bytes vs 8 bytes), so I think we lack this sort of logic as well. [3] is an old mail thread regarding how should notes be aligned on 64bit systems and the overall idea was that most applications (gdb, gcc and other binutils tools) and the linux kernel expect 4 bytes alignment even on 64bit systems.
I suggest having only the alignment adjustment in this PR, letting arch dependent implementation arise as a requirement, if needed (it is unlikely, low priority at the moment and it is also dependent on the gABI implementation of the build toolchain used).
[1] https://refspecs.linuxbase.org/elf/gabi4+/ch5.pheader.html#note_section - LSB details on ELF notes
[2] http://www.sco.com/developers/devspecs/gabi41.pdf - Generic ABI, page 81
[3] http://lkml.iu.edu/hypermail/linux/kernel/0611.1/0538.html - discussion around modifying note alignment on 64 bit platforms.
[4] linux kernel elf core dumper notesize - https://elixir.bootlin.com/linux/latest/source/fs/binfmt_elf.c#L1429
src/loader/x86_64/elf/mod.rs
Outdated
| let descsz_aligned = align_up(u64::from(nhdr.n_descsz), 4)?; | ||
|
|
||
| // `namesz` and `descsz` are both `u32`s. They refer also to 4 byte sized and aligned memory | ||
| // area. We need to also verify for overflow, to be sure we do not loose information. |
There was a problem hiding this comment.
nit:typo: s/loose/lose. Similar typos in the commit title (s/loos/loss) and in a few comments below
iulianbarbu
changed the title
align_up usage susceptible to data loosalign_up usage susceptible to data loss
iulianbarbu
force-pushed
the
fix_truncate_address
branch
3 times, most recently
from
bae4fb3 to
43d873e
Compare
src/loader/x86_64/elf/mod.rs
Outdated
| let namesz_aligned = align_up(u64::from(nhdr.n_namesz), phdr.p_align)?; | ||
| let descsz_aligned = align_up(u64::from(nhdr.n_descsz), phdr.p_align)?; | ||
|
|
||
| // `namesz` and `descsz` are both `u32`s. They refer also to 4 byte sized and aligned memory |
There was a problem hiding this comment.
The commnet also needs to be updated as it is not 4-bytes.
iulianbarbu
force-pushed
the
fix_truncate_address
branch
from
43d873e to
00530e7
Compare
* While using `aling_up` we're converting the function result to other data types. The conversions were double checked and comments were added to clarify why they are safe. Signed-off-by: Iulian Barbu <iul@amazon.com>
iulianbarbu
force-pushed
the
fix_truncate_address
branch
from
00530e7 to
91ea159
Compare
3 participants
In response to #66.
aling_upwe're converting the function resultto other data types. The conversions were double checked and
comments were added to clarify why they are safe.