arm-linux.shlib escape hatch: munmap temporary pages
parent
d8ed259bce
commit
4e1c342e55
@ -1671,6 +1671,9 @@ void PackLinuxElf32::pack1(OutputFile */*fo*/, Filter &/*ft*/)
|
|||||||
while (x>>=1) {
|
while (x>>=1) {
|
||||||
++lg2_page;
|
++lg2_page;
|
||||||
}
|
}
|
||||||
|
if (hatch_off < 16 && Elf32_Ehdr::EM_ARM==e_machine) {
|
||||||
|
hatch_off = get_te32(&phdr->p_offset) + get_te32(&phdr->p_memsz);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
page_size = 1u<<lg2_page;
|
page_size = 1u<<lg2_page;
|
||||||
@ -2269,10 +2272,10 @@ void PackLinuxElf32::pack4(OutputFile *fo, Filter &ft)
|
|||||||
|
|
||||||
fo->seek(0, SEEK_SET);
|
fo->seek(0, SEEK_SET);
|
||||||
if (0!=xct_off) { // shared library
|
if (0!=xct_off) { // shared library
|
||||||
ehdri.e_ident[0+hatch_off] = 0xcd; // INT 0x80 (syscall [munmap])
|
ehdri.e_ident[12] = 0xcd; // INT 0x80 (syscall [munmap])
|
||||||
ehdri.e_ident[1+hatch_off] = 0x80;
|
ehdri.e_ident[13] = 0x80;
|
||||||
ehdri.e_ident[2+hatch_off] = 0x61; // POPA
|
ehdri.e_ident[14] = 0x61; // POPA
|
||||||
ehdri.e_ident[3+hatch_off] = 0xc3; // RET
|
ehdri.e_ident[15] = 0xc3; // RET
|
||||||
fo->rewrite(&ehdri, sizeof(ehdri));
|
fo->rewrite(&ehdri, sizeof(ehdri));
|
||||||
fo->rewrite(phdri, e_phnum * sizeof(*phdri));
|
fo->rewrite(phdri, e_phnum * sizeof(*phdri));
|
||||||
}
|
}
|
||||||
@ -2328,11 +2331,11 @@ void PackLinuxElf64::pack4(OutputFile *fo, Filter &ft)
|
|||||||
|
|
||||||
fo->seek(0, SEEK_SET);
|
fo->seek(0, SEEK_SET);
|
||||||
if (0!=xct_off) { // shared library
|
if (0!=xct_off) { // shared library
|
||||||
ehdri.e_ident[0+hatch_off] = 0x0f; // syscall [munmap]
|
ehdri.e_ident[11] = 0x0f; // syscall [munmap]
|
||||||
ehdri.e_ident[1+hatch_off] = 0x05;
|
ehdri.e_ident[12] = 0x05;
|
||||||
ehdri.e_ident[2+hatch_off] = 0x5f; // pop %rdi (arg1)
|
ehdri.e_ident[13] = 0x5f; // pop %rdi (arg1)
|
||||||
ehdri.e_ident[3+hatch_off] = 0x5e; // pop %rsi (arg2)
|
ehdri.e_ident[14] = 0x5e; // pop %rsi (arg2)
|
||||||
ehdri.e_ident[4+hatch_off] = 0xc3; // RET
|
ehdri.e_ident[15] = 0xc3; // RET
|
||||||
fo->rewrite(&ehdri, sizeof(ehdri));
|
fo->rewrite(&ehdri, sizeof(ehdri));
|
||||||
fo->rewrite(phdri, e_phnum * sizeof(*phdri));
|
fo->rewrite(phdri, e_phnum * sizeof(*phdri));
|
||||||
}
|
}
|
||||||
|
|||||||
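Review bot: The new ARM branch in the first hunk (`if (hatch_off < 16 && Elf32_Ehdr::EM_ARM==e_machine)`) turns `hatch_off` from an e_ident index into a file offset at `p_offset + p_memsz`, but nothing checks that the 3-word hatch the stub later writes there (12 bytes, per `stmia eax,{arg1,arg2,arg3}` in the .S change) still lies inside the segment's last page, nor that `p_memsz` equals `p_filesz` for that phdr; when the segment ends exactly on a page boundary, or memsz exceeds filesz, the computed offset points past the bytes the file actually backs. Once `page_size` is known a few lines below, a guard such as `if (((hatch_off & (page_size-1)) + 3*4) > page_size) throwCantPack("no room for ARM escape hatch");` (message is a constructed placeholder) would make the failure explicit instead of silent. The `< 16` sentinel is also a magic value that now means "unset" only because x86 indices are below 16; a comment on that line — `// ARM: hatch_off becomes a file offset (end of this PT_LOAD), not an e_ident index; x86 keeps fixed e_ident[11..15]` — would tie it to the hard-coded `ehdri.e_ident[12]`/`[11]` indices introduced in the two pack4 hunks. The phdr loop and the PT_LOAD filtering are outside the hunk, so the `filesz == memsz` assumption is inferred rather than confirmed.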
@ -86,12 +86,10 @@ __ARM_NR_cacheflush = 2 + __ARM_NR_BASE
|
|||||||
|
|
||||||
_start: .globl _start
|
_start: .globl _start
|
||||||
|
|
||||||
stmdb sp!,{arg1,arg2,arg3, eax,ecx,r6,r7, fp,ip,lr}
|
stmdb sp!,{arg1,arg2,arg3, eax,ecx,r6,r7, fp,lr,pc}
|
||||||
o_uinit= (3+4+1)*4 // ip
|
|
||||||
|
|
||||||
mov fp,sp
|
mov fp,sp
|
||||||
sub sp,sp,#4
|
o_uinit= (3+4+2)*4 // pc
|
||||||
o_hatch= -1*4
|
|
||||||
bl main // push &f_decompress
|
bl main // push &f_decompress
|
||||||
f_decompress:
|
f_decompress:
|
||||||
#define LINUX_ARM_CACHEFLUSH 1
|
#define LINUX_ARM_CACHEFLUSH 1
|
||||||
@ -177,7 +175,8 @@ main:
|
|||||||
mov ecx,esi
|
mov ecx,esi
|
||||||
lodsl; sub ecx,ecx,eax; //str ecx,[fp,#o_reloc]
|
lodsl; sub ecx,ecx,eax; //str ecx,[fp,#o_reloc]
|
||||||
lodsl; add eax,ecx,eax; str eax,[fp,#o_uinit] // reloc DT_INIT for step 12
|
lodsl; add eax,ecx,eax; str eax,[fp,#o_uinit] // reloc DT_INIT for step 12
|
||||||
lodsl; add eax,ecx,eax; str eax,[fp,#o_hatch] // reloc &hatch for step 10
|
lodsl; add eax,ecx,eax; push eax // reloc &hatch for step 10
|
||||||
|
o_hatch= -1*4
|
||||||
lodsl; add edi,ecx,eax // &p_info; also destination for decompress
|
lodsl; add edi,ecx,eax // &p_info; also destination for decompress
|
||||||
add esi,edi,#sz_p_info // &b_info
|
add esi,edi,#sz_p_info // &b_info
|
||||||
|
|
||||||
@ -289,6 +288,17 @@ supervise:
|
|||||||
ldmia sp!,{arg1,arg2,arg3,arg4, eax}
|
ldmia sp!,{arg1,arg2,arg3,arg4, eax}
|
||||||
blx eax // decompress
|
blx eax // decompress
|
||||||
add sp,sp,#4 // toss arg5
|
add sp,sp,#4 // toss arg5
|
||||||
|
|
||||||
|
bl L620
|
||||||
|
//hatch:
|
||||||
|
do_sys7t __NR_munmap
|
||||||
|
ldmia sp!,{arg1,arg2,arg3, eax,ecx,r6,r7, fp,lr,pc}
|
||||||
|
|
||||||
|
L620: // Implant escape hatch at end of .text
|
||||||
|
ldr eax,[fp,#o_hatch]
|
||||||
|
ldmia lr,{arg1,arg2,arg3}
|
||||||
|
stmia eax,{arg1,arg2,arg3}
|
||||||
|
|
||||||
//p_unflt
|
//p_unflt
|
||||||
ldmia sp!,{arg1,arg2,arg3,arg4, eax}
|
ldmia sp!,{arg1,arg2,arg3,arg4, eax}
|
||||||
tst arg4,arg4; beq 0f // 0==ftid ==> no filter
|
tst arg4,arg4; beq 0f // 0==ftid ==> no filter
|
||||||
@ -300,6 +310,7 @@ supervise:
|
|||||||
ldr arg2,[sp,#1*4] // len
|
ldr arg2,[sp,#1*4] // len
|
||||||
mov arg3,#0
|
mov arg3,#0
|
||||||
add arg2,arg2,arg1 // hi(dst)
|
add arg2,arg2,arg1 // hi(dst)
|
||||||
|
add arg2,arg2,#3*4 // len(hatch)
|
||||||
do_sys7t2 __ARM_NR_cacheflush
|
do_sys7t2 __ARM_NR_cacheflush
|
||||||
|
|
||||||
ldmia sp!,{arg1,arg2}
|
ldmia sp!,{arg1,arg2}
|
||||||
@ -308,12 +319,7 @@ supervise:
|
|||||||
|
|
||||||
//p_unmap
|
//p_unmap
|
||||||
ldmia sp!,{arg1,arg2, r3} // r3= &hatch
|
ldmia sp!,{arg1,arg2, r3} // r3= &hatch
|
||||||
// Eventually:
|
bx r3
|
||||||
// bx r3
|
|
||||||
//hatch:
|
|
||||||
// do_sys7t __NR_munmap
|
|
||||||
ldmia sp!,{arg1,arg2,arg3, eax,ecx,r6,r7, fp,ip,lr}
|
|
||||||
bx ip // allows thumb interworking
|
|
||||||
|
|
||||||
movsl_subr:
|
movsl_subr:
|
||||||
ldr ecx,[esi,#-4] // 'bl <over>' instruction word
|
ldr ecx,[esi,#-4] // 'bl <over>' instruction word
|
||||||
|
|||||||
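Review bot: In the `supervise` hunk the hatch builder `L620` copies exactly three words from `lr` (`ldmia lr,{arg1,arg2,arg3}` / `stmia eax,{arg1,arg2,arg3}`), so the implanted hatch is only correct if `do_sys7t __NR_munmap` expands to exactly two instruction words ahead of the `ldmia sp!,{...,fp,lr,pc}`; the macro body is outside the hunk and nothing asserts its size, and the `add arg2,arg2,#3*4 // len(hatch)` in the cacheflush hunk hard-codes the same assumption a second time. Uncommenting the existing `//hatch:` label and adding an assembly-time check right after the `ldmia`, `.if (L620 - hatch) != 3*4; .error "hatch must be exactly 3 words"; .endif`, would catch a macro change at build time (assuming GAS, which the `.globl`/`0f` syntax suggests). The `// len(hatch)` comment is also misleading since `arg2` holds `hi(dst)` at that point; `// extend flush end past hi(dst) to cover the 3-word hatch` states what it does. Note that the removed `bx ip // allows thumb interworking` is replaced by restoring `pc` via `ldmia sp!`, which interworks only on ARMv5T and later; if ARMv4T targets are still supported the return into a Thumb `DT_INIT` would not switch state. The surrounding `main`/`supervise` bodies start and end outside the hunks, so the `sp == fp` invariant that `push eax` with `o_hatch= -1*4` relies on could not be confirmed here.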
@ -2,18 +2,18 @@ file format elf32-littlearm
|
|||||||
|
|
||||||
Sections:
|
Sections:
|
||||||
Idx Name Size VMA LMA File off Algn Flags
|
Idx Name Size VMA LMA File off Algn Flags
|
||||||
0 ELFMAINX 00000010 00000000 00000000 00000034 2**0 CONTENTS, RELOC, READONLY
|
0 ELFMAINX 0000000c 00000000 00000000 00000034 2**0 CONTENTS, RELOC, READONLY
|
||||||
1 NRV_HEAD 00000000 00000000 00000000 00000044 2**0 CONTENTS, READONLY
|
1 NRV_HEAD 00000000 00000000 00000000 00000040 2**0 CONTENTS, READONLY
|
||||||
2 NRV_TAIL 00000000 00000000 00000000 00000044 2**0 CONTENTS, READONLY
|
2 NRV_TAIL 00000000 00000000 00000000 00000040 2**0 CONTENTS, READONLY
|
||||||
3 NRV2E 0000012c 00000000 00000000 00000044 2**0 CONTENTS, RELOC, READONLY
|
3 NRV2E 0000012c 00000000 00000000 00000040 2**0 CONTENTS, RELOC, READONLY
|
||||||
4 NRV2D 00000118 00000000 00000000 00000170 2**0 CONTENTS, RELOC, READONLY
|
4 NRV2D 00000118 00000000 00000000 0000016c 2**0 CONTENTS, RELOC, READONLY
|
||||||
5 NRV2B 000000dc 00000000 00000000 00000288 2**0 CONTENTS, RELOC, READONLY
|
5 NRV2B 000000dc 00000000 00000000 00000284 2**0 CONTENTS, RELOC, READONLY
|
||||||
6 LZMA_ELF00 000000a8 00000000 00000000 00000364 2**0 CONTENTS, RELOC, READONLY
|
6 LZMA_ELF00 000000a8 00000000 00000000 00000360 2**0 CONTENTS, RELOC, READONLY
|
||||||
7 LZMA_DEC20 00000938 00000000 00000000 0000040c 2**0 CONTENTS, RELOC, READONLY
|
7 LZMA_DEC20 00000938 00000000 00000000 00000408 2**0 CONTENTS, RELOC, READONLY
|
||||||
8 LZMA_DEC10 00000478 00000000 00000000 00000d44 2**0 CONTENTS, RELOC, READONLY
|
8 LZMA_DEC10 00000478 00000000 00000000 00000d40 2**0 CONTENTS, RELOC, READONLY
|
||||||
9 LZMA_DEC30 00000000 00000000 00000000 000011bc 2**0 CONTENTS, READONLY
|
9 LZMA_DEC30 00000000 00000000 00000000 000011b8 2**0 CONTENTS, READONLY
|
||||||
10 ELFMAINY 00000036 00000000 00000000 000011bc 2**0 CONTENTS, READONLY
|
10 ELFMAINY 00000036 00000000 00000000 000011b8 2**0 CONTENTS, READONLY
|
||||||
11 ELFMAINZ 000002a8 00000000 00000000 000011f2 2**0 CONTENTS, RELOC, READONLY
|
11 ELFMAINZ 000002c0 00000000 00000000 000011ee 2**0 CONTENTS, RELOC, READONLY
|
||||||
SYMBOL TABLE:
|
SYMBOL TABLE:
|
||||||
00000000 l d NRV2E 00000000 NRV2E
|
00000000 l d NRV2E 00000000 NRV2E
|
||||||
00000000 l d NRV2D 00000000 NRV2D
|
00000000 l d NRV2D 00000000 NRV2D
|
||||||
@ -36,7 +36,7 @@ SYMBOL TABLE:
|
|||||||
|
|
||||||
RELOCATION RECORDS FOR [ELFMAINX]:
|
RELOCATION RECORDS FOR [ELFMAINX]:
|
||||||
OFFSET TYPE VALUE
|
OFFSET TYPE VALUE
|
||||||
0000000c R_ARM_PC24 ELFMAINZ
|
00000008 R_ARM_PC24 ELFMAINZ
|
||||||
|
|
||||||
RELOCATION RECORDS FOR [NRV2E]:
|
RELOCATION RECORDS FOR [NRV2E]:
|
||||||
OFFSET TYPE VALUE
|
OFFSET TYPE VALUE
|
||||||
@ -256,12 +256,13 @@ OFFSET TYPE VALUE
|
|||||||
00000128 R_ARM_PC24 ELFMAINZ
|
00000128 R_ARM_PC24 ELFMAINZ
|
||||||
0000014c R_ARM_PC24 ELFMAINZ
|
0000014c R_ARM_PC24 ELFMAINZ
|
||||||
0000015c R_ARM_PC24 ELFMAINZ
|
0000015c R_ARM_PC24 ELFMAINZ
|
||||||
00000174 R_ARM_PC24 ELFMAINZ
|
0000016c R_ARM_PC24 ELFMAINZ
|
||||||
000001c4 R_ARM_PC24 ELFMAINZ
|
0000018c R_ARM_PC24 ELFMAINZ
|
||||||
000001d4 R_ARM_PC24 ELFMAINZ
|
000001dc R_ARM_PC24 ELFMAINZ
|
||||||
000001f8 R_ARM_PC24 ELFMAINZ
|
000001ec R_ARM_PC24 ELFMAINZ
|
||||||
0000020c R_ARM_PC24 ELFMAINZ
|
00000210 R_ARM_PC24 ELFMAINZ
|
||||||
00000234 R_ARM_PC24 ELFMAINZ
|
00000224 R_ARM_PC24 ELFMAINZ
|
||||||
00000244 R_ARM_PC24 ELFMAINZ
|
0000024c R_ARM_PC24 ELFMAINZ
|
||||||
00000250 R_ARM_PC24 ELFMAINZ
|
|
||||||
0000025c R_ARM_PC24 ELFMAINZ
|
0000025c R_ARM_PC24 ELFMAINZ
|
||||||
|
00000268 R_ARM_PC24 ELFMAINZ
|
||||||
|
00000274 R_ARM_PC24 ELFMAINZ
|
||||||
|
|||||||
@ -2,18 +2,18 @@ file format elf32-littlearm
|
|||||||
|
|
||||||
Sections:
|
Sections:
|
||||||
Idx Name Size VMA LMA File off Algn Flags
|
Idx Name Size VMA LMA File off Algn Flags
|
||||||
0 ELFMAINX 00000010 00000000 00000000 00000034 2**0 CONTENTS, RELOC, READONLY
|
0 ELFMAINX 0000000c 00000000 00000000 00000034 2**0 CONTENTS, RELOC, READONLY
|
||||||
1 NRV_HEAD 00000000 00000000 00000000 00000044 2**0 CONTENTS, READONLY
|
1 NRV_HEAD 00000000 00000000 00000000 00000040 2**0 CONTENTS, READONLY
|
||||||
2 NRV_TAIL 00000000 00000000 00000000 00000044 2**0 CONTENTS, READONLY
|
2 NRV_TAIL 00000000 00000000 00000000 00000040 2**0 CONTENTS, READONLY
|
||||||
3 NRV2E 0000013c 00000000 00000000 00000044 2**0 CONTENTS, RELOC, READONLY
|
3 NRV2E 0000013c 00000000 00000000 00000040 2**0 CONTENTS, RELOC, READONLY
|
||||||
4 NRV2D 00000128 00000000 00000000 00000180 2**0 CONTENTS, RELOC, READONLY
|
4 NRV2D 00000128 00000000 00000000 0000017c 2**0 CONTENTS, RELOC, READONLY
|
||||||
5 NRV2B 000000ec 00000000 00000000 000002a8 2**0 CONTENTS, RELOC, READONLY
|
5 NRV2B 000000ec 00000000 00000000 000002a4 2**0 CONTENTS, RELOC, READONLY
|
||||||
6 LZMA_ELF00 000000b8 00000000 00000000 00000394 2**0 CONTENTS, RELOC, READONLY
|
6 LZMA_ELF00 000000b8 00000000 00000000 00000390 2**0 CONTENTS, RELOC, READONLY
|
||||||
7 LZMA_DEC20 00000938 00000000 00000000 0000044c 2**0 CONTENTS, RELOC, READONLY
|
7 LZMA_DEC20 00000938 00000000 00000000 00000448 2**0 CONTENTS, RELOC, READONLY
|
||||||
8 LZMA_DEC10 00000478 00000000 00000000 00000d84 2**0 CONTENTS, RELOC, READONLY
|
8 LZMA_DEC10 00000478 00000000 00000000 00000d80 2**0 CONTENTS, RELOC, READONLY
|
||||||
9 LZMA_DEC30 00000000 00000000 00000000 000011fc 2**0 CONTENTS, READONLY
|
9 LZMA_DEC30 00000000 00000000 00000000 000011f8 2**0 CONTENTS, READONLY
|
||||||
10 ELFMAINY 0000003e 00000000 00000000 000011fc 2**0 CONTENTS, READONLY
|
10 ELFMAINY 0000003e 00000000 00000000 000011f8 2**0 CONTENTS, READONLY
|
||||||
11 ELFMAINZ 000002c4 00000000 00000000 0000123a 2**0 CONTENTS, RELOC, READONLY
|
11 ELFMAINZ 000002e0 00000000 00000000 00001236 2**0 CONTENTS, RELOC, READONLY
|
||||||
SYMBOL TABLE:
|
SYMBOL TABLE:
|
||||||
00000000 l d NRV2E 00000000 NRV2E
|
00000000 l d NRV2E 00000000 NRV2E
|
||||||
00000000 l d NRV2D 00000000 NRV2D
|
00000000 l d NRV2D 00000000 NRV2D
|
||||||
@ -36,7 +36,7 @@ SYMBOL TABLE:
|
|||||||
|
|
||||||
RELOCATION RECORDS FOR [ELFMAINX]:
|
RELOCATION RECORDS FOR [ELFMAINX]:
|
||||||
OFFSET TYPE VALUE
|
OFFSET TYPE VALUE
|
||||||
0000000c R_ARM_PC24 ELFMAINZ
|
00000008 R_ARM_PC24 ELFMAINZ
|
||||||
|
|
||||||
RELOCATION RECORDS FOR [NRV2E]:
|
RELOCATION RECORDS FOR [NRV2E]:
|
||||||
OFFSET TYPE VALUE
|
OFFSET TYPE VALUE
|
||||||
@ -256,12 +256,13 @@ OFFSET TYPE VALUE
|
|||||||
00000128 R_ARM_PC24 ELFMAINZ
|
00000128 R_ARM_PC24 ELFMAINZ
|
||||||
00000150 R_ARM_PC24 ELFMAINZ
|
00000150 R_ARM_PC24 ELFMAINZ
|
||||||
00000160 R_ARM_PC24 ELFMAINZ
|
00000160 R_ARM_PC24 ELFMAINZ
|
||||||
00000178 R_ARM_PC24 ELFMAINZ
|
00000170 R_ARM_PC24 ELFMAINZ
|
||||||
000001d4 R_ARM_PC24 ELFMAINZ
|
00000194 R_ARM_PC24 ELFMAINZ
|
||||||
000001e4 R_ARM_PC24 ELFMAINZ
|
000001f0 R_ARM_PC24 ELFMAINZ
|
||||||
0000020c R_ARM_PC24 ELFMAINZ
|
00000200 R_ARM_PC24 ELFMAINZ
|
||||||
00000220 R_ARM_PC24 ELFMAINZ
|
00000228 R_ARM_PC24 ELFMAINZ
|
||||||
00000248 R_ARM_PC24 ELFMAINZ
|
0000023c R_ARM_PC24 ELFMAINZ
|
||||||
00000258 R_ARM_PC24 ELFMAINZ
|
|
||||||
00000264 R_ARM_PC24 ELFMAINZ
|
00000264 R_ARM_PC24 ELFMAINZ
|
||||||
00000270 R_ARM_PC24 ELFMAINZ
|
00000274 R_ARM_PC24 ELFMAINZ
|
||||||
|
00000280 R_ARM_PC24 ELFMAINZ
|
||||||
|
0000028c R_ARM_PC24 ELFMAINZ
|
||||||
|
|||||||