FreeBSD Mail Archives

Date:      Thu, 24 Oct 2013 01:37:51 -0500
From:      Kevin Day <toasty@dragondata.com>
To:        d@delphij.net, Xin Li <delphij@delphij.net>
Cc:        Puppet Master <pmaster@mindslayer.net>, "freebsd-hackers@freebsd.org Hackers" <freebsd-hackers@freebsd.org>
Subject:   Re: FoxPro on FreeBSD
Message-ID:  <8A799DDB-3D5C-4418-B064-A2B7821EE0F2@dragondata.com>
In-Reply-To: <5268B62B.3000104@delphij.net>
References:  <52687ED8.6080309@mindslayer.net> <9B89077C-6BE7-49F1-9F22-19FAD9F6C3ED@dragondata.com> <5268B62B.3000104@delphij.net>


[-- Attachment #1 --]

On Oct 24, 2013, at 12:54 AM, Xin Li <delphij@delphij.net> wrote:

> Signed PGP part
> On 10/23/13, 8:32 PM, Kevin Day wrote:
> > I did some debugging, and watched how the process was getting
> > launched, and I've managed to get it to load!
> > 
> > The problem was that COFF files expect to be mapped into memory at
> > address 0, something that processes are no longer allowed to do.
> > 
> > Run "sysctl security.bsd.map_at_zero=1�  or add
> > �security.bsd.map_at_zero=1� to /etc/sysctl.conf and you should
> > have it working. We probably should either make an exception for
> > COFF files to bypass this the sysctl restriction, or at least print
> > a more helpful error than just letting the process segfault because
> > it didn�t get mapped where it was supposed to go.
> 
> Wow, this is impressive find, indeed!  Do they need to do the map at
> startup only, or do they want to explicitly map something at address 0
> during runtime?

It�s the COFF loader in sys/i386/ibcs2 that�s attempting to do this, with some debug printing enabled on the ibcs2 module, you can see the layout of the binary:

i = 0, s_name = .text, s_vaddr = 000000d0, s_scnptr = 208 s_size = 1f9260
i = 1, s_name = .data, s_vaddr = 00400330, s_scnptr = 2069296 s_size = 10598
i = 2, s_name = .bss, s_vaddr = 004108c8, s_scnptr = 0 s_size = 1ebb0
i = 3, s_name = .comment, s_vaddr = 00000000, s_scnptr = 2136264 s_size = feb4

which maps to these calls:

vm_mmap(&vmspace->vm_map, &0x00000000, 0x1fa000, 0x5, VM_PROT_ALL, MAP_PRIVATE | MAP_FIXED, OBJT_VNODE, vp, 0x0)
vm_mmap(&vmspace->vm_map, &0x00400000, 0x10000, 0x7, VM_PROT_ALL, MAP_PRIVATE | MAP_FIXED, OBJT_VNODE, vp, 0x1f9000)
vm_map_find(&vmspace->vm_map, NULL, 0, &0x00410000,0x20000, VMFS_NO_SPACE, VM_PROT_ALL, VM_PROT_ALL, 0)
vm_map_find(&vmspace->vm_map, NULL, 0, &0x430000, PAGE_SIZE, FALSE, VM_PROT_ALL, VM_PROT_ALL, 0)

Nothing is returning any errors, but the .text session isn�t getting mapped to the desired location (0x0). If map_at_zero is set to 0, the process�s vm_map has min_offset set to PAGE_SIZE instead of 0. 

What�s actually happening is pretty subtle. if MAP_FIXED is set, vm_mmap() uses vm_map_fixed() to create the mapping. Inside vm_map_fixed(), it uses vm_map_insert() which would properly error out that this mapping is impossible (we want 0x0, but the process�s vm_map.min_offset is 0x1000), but vm_map_fixed() calls VM_MAP_RANGE_CHECK first:

        VM_MAP_RANGE_CHECK(map, start, end);
        (void) vm_map_delete(map, start, end);
        result = vm_map_insert(map, object, offset, start, end, prot,

VM_MAP_RANGE_CHECK does:

                if (start < vm_map_min(map))            \
                        start = vm_map_min(map);        \

which looks like the wrong thing to do here. vm_mmap() thinks it�s requesting 0x0 through 0x1fa000, but now the request just silently got changed to 0x1000 through 0x1fa000.

So what the ibcs2 module thinks .text is being loaded at 0, ends up being loaded at 0x1000, and is 0x1000 bytes too small.  It then jumps to the wrong starting address, and the process crashes. 

Also to clarify my original posting, COFF itself isn�t the issue here, just that this specific binary wants its .text section to begin at a virtual address below 0x1000. 

� Kevin



[-- Attachment #2 --]
0�	*�H��
��0�10	+0�	*�H��
��/0��0�Šq���_�M�tq4��0
	*�H��
0{10	UGB10UGreater Manchester10USalford10U
Comodo CA Limited1!0UAAA Certificate Services0
040101000000Z
281231235959Z0��10	UUS10	UUT10USalt Lake City10U
The USERTRUST Network1!0Uhttp://www.usertrust.com1604U-UTN-USERFirst-Client Authentication and Email0�"0
	*�H��
�0�
��9���}�A;bF7���`u�9e�JG���H�j��M5��B��I�/|�1�N��d�.)բdą��Q5y�Nh�{z������ɤ2��O0�����n�F�x��o�Y^�/���m�/묡�j��.g5�y�i���F͠���v:z����'[=s"�Ha�L�i��.��1 ,������׉C�Z�q�Yں�
�������g���T:�
��w�e���tb��h���~�Ge��MW(t�4�0���b0�,���'0�#0U#0��
#>����)�0��0U��g}ĝ&pK�PH|�=�n}0U�0U�0�0U%0++0U 
00U 0{Ut0r08�6�4�2http://crl.comodoca.com/AAACertificateServices.crl06�4�2�0http://crl.comodo.net/AAACertificateServices.crl0	`�H��B0
	*�H��
����<�~�	����v�9<���O�ૄ]�T�e;�m|7,%T_�!�7����O��TklE`�-��QL�f�<���������J��?V��v�ÂOl�atG��@W��e"�'gOW�dZٍ��/���i����)��J� /�LQ�FĊ7N �	1hǞċ��~�2h��D�*Q`M��t:�C2�9V�:R�A�C���3'�9�N&���9≸�]�)&A곛���wu��ʵ��eJc>D���^�s���0�0��m�Oj3"�"2z�q�0
	*�H��
0��10	UUS10	UUT10USalt Lake City10U
The USERTRUST Network1!0Uhttp://www.usertrust.com1604U-UTN-USERFirst-Client Authentication and Email0
110428000000Z
200530104838Z0��10	UGB10UGreater Manchester10USalford10U
COMODO CA Limited1907U0COMODO Client Authentication and Secure Email CA0�"0
	*�H��
�0�
����[KW��^/���@ȣSX_fe�2N��2}U�xLU�B���'q��i��2��@��'Vb�qi�� ��c^`ʢA�j����HmeC�*.+c8w߱��ڂ��2j�go �\5��T���q
7
PSl�����Y1�	��L�R���@[Hh��J���$:�q_㬿;�%qh=��XF�<h���mz!W�4��2~�J�Rrd&�N����`�ohQ�c����B��}"cө��Ξ��D�\[5������K0�G0U#0���g}ĝ&pK�PH|�=�n}0UzNt[�xcd'�/�[�y�{0U�0U�0�0U 
00U 0XUQ0O0M�K�I�Ghttp://crl.usertrust.com/UTN-USERFirst-ClientAuthenticationandEmail.crl0t+h0f0=+0�1http://crt.usertrust.com/UTNAddTrustClient_CA.crt0%+0�http://ocsp.usertrust.com0
	*�H��
��־xWUm3DR�B�����
��J���AI�Z�ҭsn>�&|�L��0(���B<�%>
u��=9�fѡ��M�o�(l���tZ�ڱ��uz/���y���Vt�����Cr��`9 G���:eH<�=�%���`�I���?C����
���3_�н`j�;����:<���I3�B)9��3i.��EM�iڀ=�]|G���m���]W�0�KID��~��y8�3��:]&X�aU�!ՙ��C@B0���Ұ��u�n�0�,0���7Ca��`���)��̀0
	*�H��
0��10	UGB10UGreater Manchester10USalford10U
COMODO CA Limited1907U0COMODO Client Authentication and Secure Email CA0
130616000000Z
140616235959Z0&1$0"	*�H��
	toasty@dragondata.com0�"0
	*�H��
�0�
������-��`��ghX/9+ˈ��e`�?l/�����E^~�T׀��/��q+��5Sz��Sr��Iu��e�r�������t�`:�������"k_s{�&������
0T����
k�ˢb���Wie��K;2��LX�8��w.��Y�pI�!3|�M1�9�Y2�v�G�����r�A������ҽ5y��X^��0
����@J�b�f����B���ќ��`
T�ZO$�mx1}�LN0��R��w����0��0U#0�zNt[�xcd'�/�[�y�{0U�p�=#P}�L:�w񹭸qX0U��0U�00 U%0++�10	`�H��B 0FU ?0=0;+�10+0)+https://secure.comodo.net/CPS0WUP0N0L�J�H�Fhttp://crl.comodoca.com/COMODOClientAuthenticationandSecureEmailCA.crl0��+|0z0R+0�Fhttp://crt.comodoca.com/COMODOClientAuthenticationandSecureEmailCA.crt0$+0�http://ocsp.comodoca.com0 U0�toasty@dragondata.com0
	*�H��
��iq�k�4D��lse-8� �u�y:1:ߩ��(�w��}tR���Ƽ�H�y�T΀�	�4Y�=G�e�Kr�:�/ܜ1n*�t�ښ6ڇ��ڿ�3D.~�f��m5��Q���(��Y�œ!���@'=����v�n��5i뷹�����K^�����#MF0��=�~<�h��������GgһKR}��KrB�ai��1�c���v�qm�3�R�N��S����eE��x�\��G4
=���Fw�ɺ���L4rIU1��0��0��0��10	UGB10UGreater Manchester10USalford10U
COMODO CA Limited1907U0COMODO Client Authentication and Secure Email CA�7Ca��`���)��̀0	+���0	*�H��
	1	*�H��
0	*�H��
	1
131024063752Z0#	*�H��
	1J�}��e0��H���HE'Zd�U0��	+�71��0��0��10	UGB10UGreater Manchester10USalford10U
COMODO CA Limited1907U0COMODO Client Authentication and Secure Email CA�7Ca��`���)��̀0��*�H��
	1�����0��10	UGB10UGreater Manchester10USalford10U
COMODO CA Limited1907U0COMODO Client Authentication and Secure Email CA�7Ca��`���)��̀0
	*�H��
�K����>Y��}�G�
[��<�`�tӏ��]�}%O����������l��Lh�,!�P�f_ǖ�cW�ٕh]a��(��ȫ�j������ܮ�X�g���g#>*��+�7�O/�W�u��(�>)�	;W���~!�jq^G�j�6Cmk�]���o�=ۃ��%����d��E��RQ˾��n(Y	 A@�����W�^7���M�̔}���rF�@x6J0�Y��G�֙i%נd�a��(���$-

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8A799DDB-3D5C-4418-B064-A2B7821EE0F2>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation