cachepc-qemu

Fork of AMDESE/qemu with changes for cachepc side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-qemu

aout_kludge.S (3258B)


      1/*
      2 * Copyright (c) 2018 Kevin Wolf <kwolf@redhat.com>
      3 *
      4 * Permission is hereby granted, free of charge, to any person obtaining a copy
      5 * of this software and associated documentation files (the "Software"), to deal
      6 * in the Software without restriction, including without limitation the rights
      7 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
      8 * copies of the Software, and to permit persons to whom the Software is
      9 * furnished to do so, subject to the following conditions:
     10 *
     11 * The above copyright notice and this permission notice shall be included in
     12 * all copies or substantial portions of the Software.
     13 *
     14 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
     15 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
     16 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
     17 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
     18 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
     19 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
     20 * THE SOFTWARE.
     21 */
     22
     23.section multiboot
     24
     25#define MB_MAGIC 0x1badb002
     26#define MB_FLAGS 0x10000
     27#define MB_CHECKSUM -(MB_MAGIC + MB_FLAGS)
     28
     29.align  4
     30.int    MB_MAGIC
     31.int    MB_FLAGS
     32.int    MB_CHECKSUM
     33
     34#define LAST_BYTE_VALUE 0xa5
     35
     36/*
     37 * Order of fields in the a.out kludge header fields:
     38 *
     39 * header_addr
     40 * load_addr
     41 * load_end_addr
     42 * bss_end_addr
     43 * entry_addr
     44 */
     45#if SCENARIO == 1
     46/* Well-behaved kernel file with explicit bss_end */
     47.int    0x100000
     48.int    0x100000
     49.int    data_end
     50.int    data_end
     51.int    _start
     52#elif SCENARIO == 2
     53/* Well-behaved kernel file with default bss_end */
     54.int    0x100000
     55.int    0x100000
     56.int    data_end
     57.int    0
     58.int    _start
     59#elif SCENARIO == 3
     60/* Well-behaved kernel file with default load_end */
     61.int    0x100000
     62.int    0x100000
     63.int    0
     64.int    0
     65.int    _start
     66#elif SCENARIO == 4
     67/* Well-behaved kernel file with load_end < data_end and bss > data_end */
     68#undef LAST_BYTE_VALUE
     69#define LAST_BYTE_VALUE 0
     70.int    0x100000
     71.int    0x100000
     72.int    code_end
     73.int    0x140000
     74.int    _start
     75#elif SCENARIO == 5
     76/* header < load */
     77.int    0x10000
     78.int    0x100000
     79.int    data_end
     80.int    data_end
     81.int    _start
     82#elif SCENARIO == 6
     83/* load_end < load */
     84.int    0x100000
     85.int    0x100000
     86.int    0x10000
     87.int    data_end
     88.int    _start
     89#elif SCENARIO == 7
     90/* header much larger than in reality with default load_end */
     91.int    0x80000000
     92.int    0x100000
     93.int    0
     94.int    data_end
     95.int    _start
     96#elif SCENARIO == 8
     97/* bss_end < load_end - load (regression test for CVE-2018-7550) */
     98.int    0x100000
     99.int    0x100000
    100.int    data_end
    101.int    code_end
    102.int    _start
    103#elif SCENARIO == 9
    104/* Default load_end_addr, load_addr + kernel_file_size > UINT32_MAX */
    105.int    0xfffff000
    106.int    0xfffff000
    107.int    0
    108.int    0xfffff001
    109.int    _start
    110#else
    111#error Invalid SCENARIO
    112#endif
    113
    114.section .text
    115.global _start
    116_start:
    117    xor     %eax, %eax
    118
    119    cmpb    $LAST_BYTE_VALUE, last_byte
    120    je      passed
    121    or      $0x1, %eax
    122passed:
    123
    124    /* Test device exit */
    125    outl    %eax, $0xf4
    126
    127    cli
    128    hlt
    129    jmp .
    130code_end:
    131
    132#if SCENARIO != 8
    133.space 8192
    134#endif
    135
    136last_byte:
    137.byte 0xa5
    138data_end: