3party/crashpad
0
0
Fork 0
mirror of https://github.com/chromium/crashpad.git synced 2025-03-20 18:53:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
crashpad/snapshot/elf/elf_image_reader_fuzzer.cc
Joshua Peraza 95e97a32eb Use a relative address in .note.crashpad.info 
The desc value in the note is now the offset of CRASHPAD_INFO_SYMBOL
from desc.

Making this note writable can trigger a linker error resulting in
the binary embedding .note.crashpad.info to be rejected by the
kernel during program loading.

The error was observed with:
GNU ld (GNU Binutils for Debian) 2.30
clang version 4.0.1-10 (tags/RELEASE_401/final)
Debian 4.17.17-1rodete2

When the note is made writable, crashpad_snapshot_test contains two
PT_LOAD segments which map to the same page.

LOAD         0x0000000000000000 0x0000000000000000 0x0000000000000000
             0x0000000000000258 0x0000000000000258  R      0x200000
LOAD         0x0000000000000258 0x0000000000000258 0x0000000000000258
             0x00000000002b84d8 0x00000000002b8950  RWE    0x200000

Executing this binary with the execv system call triggers a segfault
during program loading (an error can't be returned because the original
process vm has already been discarded).

I suspect (I haven't set up a debuggable kernel) the failure occurs
while attempting to map the second load segment because its virtual
address, 0x258, is in the same page as the first load segment.
https://elixir.bootlin.com/linux/v4.17.17/source/fs/binfmt_elf.c#L380

The linker normally produces consecutive load segments where the second
segment is loaded 0x200000 bytes after the first, which I think is the
maximum expected page size. Modifying the test executable to load the
second segment at 0x1258 (4096 byte page size) allows program loading
to succeed (but of course crashes after control is given to it).

Bug: crashpad:260
Change-Id: I2b9f1e66e98919138baef3da991a9710bd970dc4
Reviewed-on: https://chromium-review.googlesource.com/c/1292232
Reviewed-by: Scott Graham <scottmg@chromium.org>
Reviewed-by: Mark Mentovai <mark@chromium.org>
Commit-Queue: Joshua Peraza <jperaza@chromium.org>
2018-10-31 23:35:50 +00:00

78 lines
2.4 KiB
C++
Raw Blame History

// Copyright 2018 The Crashpad Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include <inttypes.h>
#include "base/logging.h"
#include "snapshot/elf/elf_image_reader.h"
#include "util/process/process_memory.h"
using namespace crashpad;
class FakeProcessMemory : public ProcessMemory {
public:
FakeProcessMemory(const uint8_t* data, size_t size, VMAddress fake_base)
: data_(data), size_(size), fake_base_(fake_base) {}
ssize_t ReadUpTo(VMAddress address,
size_t size,
void* buffer) const override {
VMAddress offset_in_data = address - fake_base_;
if (offset_in_data > size_)
return -1;
ssize_t read_size = std::min(size_ - offset_in_data, size);
memcpy(buffer, &data_[offset_in_data], read_size);
return read_size;
}
private:
const uint8_t* data_;
size_t size_;
VMAddress fake_base_;
};
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
// Swallow all logs to avoid spam.
logging::SetLogMessageHandler(
[](logging::LogSeverity, const char*, int, size_t, const std::string&) {
return true;
});
return 0;
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
constexpr size_t kBase = 0x10000;
FakeProcessMemory process_memory(data, size, kBase);
ProcessMemoryRange process_memory_range;
process_memory_range.Initialize(&process_memory, true, kBase, size);
ElfImageReader reader;
if (!reader.Initialize(process_memory_range, kBase))
return 0;
ElfImageReader::NoteReader::Result result;
std::string note_name;
std::string note_desc;
ElfImageReader::NoteReader::NoteType note_type;
VMAddress desc_addr;
auto notes = reader.Notes(-1);
while ((result = notes->NextNote(
&note_name, &note_type, &note_desc, &desc_addr)) ==
ElfImageReader::NoteReader::Result::kSuccess) {
LOG(ERROR) << note_name << note_type << note_desc;
}
return 0;
}
Reference in New Issue View Git Blame Copy Permalink