date:20231011

Re: debugging "invalid argument" errors when loading elf files

2023-10-11 Thread Philip Guenther

On Tue, Oct 10, 2023 at 11:44 PM Lorenz (xha)  wrote:

> On Mon, Oct 09, 2023 at 01:29:52PM -0700, Philip Guenther wrote:
> > On Mon, Oct 9, 2023 at 11:21 AM Lorenz (xha)  wrote:
> >
> > > hi misc@,
> > >
> > > i'm currently porting the hare programming language to openbsd and i am
> > > having quite a few problems trying to use a linker script. i am always
> > > getting a "/bin/ksh: .bin/hare: Invalid argument" error.
> > >
> > > so far i tried a lot of stuff like comparing a working version without
> a
> > > linker script, looking if any of the programm headers are missing, etc.
> ...
> > Read /usr/src/sys/kern/*exec* and review the logic around the 10
> > occurrences of EINVAL in that code.  Presumably the differences you
> > identified will point to one or more of them
>
> found it: PT_PHDRS is missing. i didn't identify that difference at
> first tho. it's needeed for PIE if i understand correctly.
>

Yeah.

> why is ld not adding a PT_PHDR programm header? as far as i undestand,
> PT_PHDR are the programm headers themselfs?

PT_PHDR is the tag for an entry in the program headers that points to the
program headers themselves.  Some ELF files (for example, core files) have
a program header but don't include a PT_PHDR entry in it.  It's presumably
not added by ld because you supplied a linker script and ld is trying to
give you as much control as possible.  Some of the other arguments you
supplied may have required it to fill in other details, but including a
DT_PHDR entry in the program header is apparently not one of them.

As Theo says, this sort of thing makes linker scripts very subtle, with
arch dependencies**, interactions with RELRO and W^X processing, and plain
ABI weirdness.  Even those of us who have written several of them often
have to start from what 'readelf -lS' shows the default is to put together
a starting point and massage it from there to achieve whatever our goal for
going through this effort is.

** e.g., permissions on and immutability of .plt, .got, etc sections vary.
Some archs have
required some sections to be before or after others due to the CPU treating
a limited range
offset in some instructions as unsigned, so 'before' cannot be reached

this is my linker script

...

> i am moving the init functions in a
> different section so that the hare runtime can execute them and not
> libc.

Well, the first issue with this is that libc doesn't invoke init functions,
so there's some sort of misunderstanding going on.

The .init section of the executable itself is invoked by the entry point
code in crt0 before main is called, not libc.  At a low level, that's done
not via DT_INIT's value or the section name but via a symbol placed in the
section which would presumably be carried along if you renamed the section,
so you can't affect that.

The .init_array section is handled by ld.so in dynamic programs where it's
located via DT_INIT_ARRAY, and by crt0 in static programs where it's
located via *_start and *_end symbols which I _guess_ would be from
whatever ended up with the .init_array section name, so maybe renaming the
section would prevent them from being invoked in that case, but I'm not
sure and that an implementation detail that might change.

(Moving a chunk of the crt0 code into libc would be possible (glibc did it,
for example) and might make some evolution easier, but it hasn't happened.)

...but, backing up...what problem exists with the ordering that currently
happens that makes you believe you need to interpose and have the "hare
runtime" (sorry, I'm not familiar with that) execute them?  How will you
measure success of the change?

Philip Guenther

Re: debugging "invalid argument" errors when loading elf files

2023-10-11 Thread Theo de Raadt

I think the problem here is you are using a linker script.

You are creating a new class of binary, with different layouts and issues,
and since you are doing it on your own, you'll never know what you are
missing until later.

The linker script stuff is fragile, poorly undocumented stuff which changes
constantly between releases, has big variance between clang and gnu toolchains,
and if you don't have to do it you shouldn't.

We only use it for kernels, bootblocks, and ld.so.  And in all those cases,
we need a linker script *PER ARCHITECTURE*.

I think you'll never get it perfect for 1 architecture, and certainly not
for 4 architectures.


Lorenz (xha)  wrote:

> On Mon, Oct 09, 2023 at 01:29:52PM -0700, Philip Guenther wrote:
> > On Mon, Oct 9, 2023 at 11:21 AM Lorenz (xha)  wrote:
> > 
> > > hi misc@,
> > >
> > > i'm currently porting the hare programming language to openbsd and i am
> > > having quite a few problems trying to use a linker script. i am always
> > > getting a "/bin/ksh: .bin/hare: Invalid argument" error.
> > >
> > > so far i tried a lot of stuff like comparing a working version without a
> > > linker script, looking if any of the programm headers are missing, etc.
> > >
> > 
> > So you have a working binary (w/o linker script) and a not-working binary
> > (w/linker script) and you've even done the comparison of the program
> > headers of the two...and you're not going to show those but rather ask
> > what, in general, could be wrong?  Okay.
> 
> i am pretty sure that it woudln't have been helpful since i don't know
> what i am doing (yet). nothing's working
> 
> > Read /usr/src/sys/kern/*exec* and review the logic around the 10
> > occurrences of EINVAL in that code.  Presumably the differences you
> > identified will point to one or more of them
> 
> found it: PT_PHDRS is missing. i didn't identify that difference at
> first tho. it's needeed for PIE if i understand correctly.
> 
> why is ld not adding a PT_PHDR programm header? as far as i undestand,
> PT_PHDR are the programm headers themselfs?
> 
> this is my linker script (kind of mess right now because of debugging).
> it is supposed to link with libc. i am moving the init functions in a
> different section so that the hare runtime can execute them and not
> libc. that should have nothing to do with the problems i am having,
> however. am i missing something?
> 
> ```
> ENTRY(__start)
> SECTIONS {
>   .text : {
>   KEEP (*(.text))
>   *(.text.*)
>   }
> 
>   .data : {
>   KEEP (*(.data))
>   *(.data.*)
>   }
> 
>   .init_array : {
>   PROVIDE_HIDDEN (__init_array_start = .);
>   KEEP (*(.init_array))
>   PROVIDE_HIDDEN (__init_array_end = .);
>   }
> 
>   .fini_array : {
>   PROVIDE_HIDDEN (__fini_array_start = .);
>   KEEP (*(.fini_array))
>   PROVIDE_HIDDEN (__fini_array_end = .);
>   } :data
> 
>   .test_array : {
>   PROVIDE_HIDDEN (__test_array_start = .);
>   KEEP (*(.test_array))
>   PROVIDE_HIDDEN (__test_array_end = .);
>   } :data
> 
>   .note.openbsd.ident : {
>   KEEP (*(.note.openbsd.ident))
>   *(.note.openbsd.*)
>   }
> 
>   .bss : {
>   KEEP (*(.bss))
>   *(.bss.*)
>   }
> }
> ```
> 
> this is the readelf --headers of the programm produced with the linker
> script:
> 
> ```
> Program Headers:
>   Type   Offset VirtAddr   PhysAddr
>  FileSizMemSiz  Flags  Align
>   INTERP 0x1000 0x 0x
>  0x0013 0x0013  R  1
>   [Requesting program interpreter: /usr/libexec/ld.so]
>   LOAD   0x1000 0x 0x
>  0xb47c 0xb47c  R  1000
>   LOAD   0xc480 0xb480 0xb480
>  0x001356d0 0x001356d0E1000
>   LOAD   0x00141b50 0x00140b50 0x00140b50
>  0x000211e8 0x000211e8  RW 1000
>   LOAD   0x00162d38 0x00161d38 0x00161d38
>  0x0018 0x0018  R  1000
>   LOAD   0x00162d50 0x00161d50 0x00161d50
>  0x 0x09b0  RW 1000
>   DYNAMIC0x00162ab0 0x00161ab0 0x00161ab0
>  0x0160 0x0160  RW 8
>   GNU_RELRO  0x00162a40 0x00161a40 0x00161a40
>  0x02f8 0x05c0  R  1
>   GNU_EH_FRAME   0xc390 0xb390 0xb390
>  0x002c 0x002c

Re: ROP Exploitation in openbsd-64 Programs After Removing ROP Gadgets

2023-10-11 Thread Theo de Raadt

Nan ZoE  wrote:

> In *OpenBSD 7.3,* out of 264 programs, we only
> managed to generate ROP for 134 programs, with a success rate of *50.75%*.

Please provide a list of all programs where you *ESCALATED PRIVILEGE*
via ROP methods.  I ask, because:

1. If you are playing with a setuid static program, you cannot see where
   in memory the binary is mapped, so you do not know the precise
   syscall stub that is permitted for execve(2).

2. If you are playing with a setuid dynamic program, you cannot see
   where in memory libc.so is mapped, so you do not know the precise
   syscall stub that is permitted for execve(2).

3. If you are attacking a daemon, you cannot see where in memory it's
   execve stub (dynamic or static) is mapped, so you do not know the
   precise syscall stub to address which will perform execve(2).

Please explain how you perform the step of determining the execve system
call entrypoint for a memory image which is not readable.

>From innovations.html:

ld.so and crt0 register the location of the execve(2) stub with the
kernel using pinsyscall(2), after which the kernel only accepts an
execve call from that specific location. Theo de Raadt, Feb 2023.

What info leak are you exercising to extract libc.so's location, and
per-boot layout, and then precisely target the specific "syscall"
instruction?

My theory is that you are performing tests which are highly synthetic
(like -- reading a binary, checking it's in-memory layout once it starts
executing), and then you conclude that all the steps to your ROP methodology
are sufficient to plausibly gain *ESCALATED PRIVILEGE*.

So either you have new methodology that allows you to bypass these other
mitigations, or you have jumped to conclusion that the existance of polymorphic
ROP learned from (impossible) runtime inspection gaurantees exploit.

Re: Compulab's Fitlet3: Intel's Elkhart Atom X6425E with MARVELL PHY 88E1512 Ethernet

2023-10-11 Thread Stefan Sperling

On Mon, Sep 18, 2023 at 09:15:48AM +0200, Wolfgang Oelerich wrote:
> ok; thank you for the quick reply. 

The next amd64 -current snapshot should have dwqe(4) attach to at
least one of the Elkhart Lake interfaces of your system, provided
it has PCI product Id 4ba0 in pcidump -vv output.

> > Am 15.09.2023 um 21:54 schrieb Stefan Sperling :
> > On Fri, Sep 15, 2023 at 04:55:42PM +0200, Wolfgang Oelerich wrote:
> >> Hello,
> >> 
> >> recently, I „inherited“ one of Compulab‘s Fitlet3. I received it with 
> >> Linux Mint installed and found all 4 available Ethernet ports working: 
> >> 2 of its extensional FACET card and 2 of Intel‘s Elkhart Lake Atom X6425E 
> >> with MARVELL-type PHY „88E1512" at Atom's PCIe bus (see link below). 
> >> 
> >> Now, I tried a clean install of OpenBSD 7.3/AMD64 which smoothly worked 
> >> out but only the FACET card Ethernet ports have been recognized properly. 
> >> While assuming BIOS is ok since Linux Mint worked I am wondering how far 
> >> the hardware combination of X6425E/MARVELL PHY 88E1512 is already set to 
> >> be working or if there is some driver or other Kernel level code not 
> >> available yet.
> > 
> > Elkhart Lake Ethernet will require PCI attachment code to be written
> > for dwqe(4). There is interest in getting this working but it will take
> > time. Definitely won't be ready for OpenBSD 7.4. Maybe 7.5.
> 
>

Re: openFPGAloader successfully built, but can't flash with ftdi error

2023-10-11 Thread Theo de Raadt

Gregory Edigarov  wrote:

> On Fri, 6 Oct 2023 10:06:15 - (UTC)
> Stuart Henderson  wrote:
> 
> > On 2023-10-06, S V  wrote:
> > >> The software that you're using may need the USB device to be
> > >> attached to ugen rather than uftdi. The simplest way to do this is
> > >> probably to type "boot -c" at the boot loader, "disable uftdi",
> > >> "quit".  
> > >
> > >
> > > Thanks!!! It works!!!  
> > 
> > good, thanks for confirming.
> > 
> > > Last "barrier" in front of openhardware
> > >
> > > more or less falls! :D :D :D  
> > 
> > btw, see bsd.re-config(5) if you want this regularly (but then, you
> > won't be able to connect to a uftdi device as a normal serial port
> > with cu).
> > 
> 
> Just a small bit of side note, perhaps somebody with knowledge of usb
> stack will find it interesting enough to implement.
> I think we need a way to detach a specific usb driver from device on the
> fly, leaving it attached as ugen.
> That "disable [whatever]" way is a problem itself because it is
> possible that there also is a real device that needs to be attached. 

That seems like what you want, but please consider.

Now that you've done that, who is opening that 'raw usb device'?

Or is the regular user?

Who fully audited the USB stack for this use case, to make sure there
are no bugs which can result in escalation or misbehaviour?  What happens
if a usb device is played with directly, while there is a kernel driver
which assumes it has control over it?  What kinds of racy bugs lurk in that
area? We really have no interlock design allowing such sharing.

I can give you the anwers to these questions.  Noone did that audit.
That is why we have been avoiding going down your chosen roadmanp.

When you say "I think we need", you can easily read it as "I think I want"
and it means someone must do the not-small job.

Re: openFPGAloader successfully built, but can't flash with ftdi error

2023-10-11 Thread Gregory Edigarov

On Fri, 6 Oct 2023 10:06:15 - (UTC)
Stuart Henderson  wrote:

> On 2023-10-06, S V  wrote:
> >> The software that you're using may need the USB device to be
> >> attached to ugen rather than uftdi. The simplest way to do this is
> >> probably to type "boot -c" at the boot loader, "disable uftdi",
> >> "quit".  
> >
> >
> > Thanks!!! It works!!!  
> 
> good, thanks for confirming.
> 
> > Last "barrier" in front of openhardware
> >
> > more or less falls! :D :D :D  
> 
> btw, see bsd.re-config(5) if you want this regularly (but then, you
> won't be able to connect to a uftdi device as a normal serial port
> with cu).
> 

Just a small bit of side note, perhaps somebody with knowledge of usb
stack will find it interesting enough to implement.
I think we need a way to detach a specific usb driver from device on the
fly, leaving it attached as ugen.
That "disable [whatever]" way is a problem itself because it is
possible that there also is a real device that needs to be attached. 
--
With best regards,
 Gregory Edigarov

Re: debugging "invalid argument" errors when loading elf files

2023-10-11 Thread Lorenz (xha)

On Mon, Oct 09, 2023 at 01:29:52PM -0700, Philip Guenther wrote:
> On Mon, Oct 9, 2023 at 11:21 AM Lorenz (xha)  wrote:
> 
> > hi misc@,
> >
> > i'm currently porting the hare programming language to openbsd and i am
> > having quite a few problems trying to use a linker script. i am always
> > getting a "/bin/ksh: .bin/hare: Invalid argument" error.
> >
> > so far i tried a lot of stuff like comparing a working version without a
> > linker script, looking if any of the programm headers are missing, etc.
> >
> 
> So you have a working binary (w/o linker script) and a not-working binary
> (w/linker script) and you've even done the comparison of the program
> headers of the two...and you're not going to show those but rather ask
> what, in general, could be wrong?  Okay.

i am pretty sure that it woudln't have been helpful since i don't know
what i am doing (yet). nothing's working

> Read /usr/src/sys/kern/*exec* and review the logic around the 10
> occurrences of EINVAL in that code.  Presumably the differences you
> identified will point to one or more of them

found it: PT_PHDRS is missing. i didn't identify that difference at
first tho. it's needeed for PIE if i understand correctly.

why is ld not adding a PT_PHDR programm header? as far as i undestand,
PT_PHDR are the programm headers themselfs?

this is my linker script (kind of mess right now because of debugging).
it is supposed to link with libc. i am moving the init functions in a
different section so that the hare runtime can execute them and not
libc. that should have nothing to do with the problems i am having,
however. am i missing something?

```
ENTRY(__start)
SECTIONS {
.text : {
KEEP (*(.text))
*(.text.*)
}

.data : {
KEEP (*(.data))
*(.data.*)
}

.init_array : {
PROVIDE_HIDDEN (__init_array_start = .);
KEEP (*(.init_array))
PROVIDE_HIDDEN (__init_array_end = .);
}

.fini_array : {
PROVIDE_HIDDEN (__fini_array_start = .);
KEEP (*(.fini_array))
PROVIDE_HIDDEN (__fini_array_end = .);
} :data

.test_array : {
PROVIDE_HIDDEN (__test_array_start = .);
KEEP (*(.test_array))
PROVIDE_HIDDEN (__test_array_end = .);
} :data

.note.openbsd.ident : {
KEEP (*(.note.openbsd.ident))
*(.note.openbsd.*)
}

.bss : {
KEEP (*(.bss))
*(.bss.*)
}
}
```

this is the readelf --headers of the programm produced with the linker
script:

```
Program Headers:
  Type   Offset VirtAddr   PhysAddr
 FileSizMemSiz  Flags  Align
  INTERP 0x1000 0x 0x
 0x0013 0x0013  R  1
  [Requesting program interpreter: /usr/libexec/ld.so]
  LOAD   0x1000 0x 0x
 0xb47c 0xb47c  R  1000
  LOAD   0xc480 0xb480 0xb480
 0x001356d0 0x001356d0E1000
  LOAD   0x00141b50 0x00140b50 0x00140b50
 0x000211e8 0x000211e8  RW 1000
  LOAD   0x00162d38 0x00161d38 0x00161d38
 0x0018 0x0018  R  1000
  LOAD   0x00162d50 0x00161d50 0x00161d50
 0x 0x09b0  RW 1000
  DYNAMIC0x00162ab0 0x00161ab0 0x00161ab0
 0x0160 0x0160  RW 8
  GNU_RELRO  0x00162a40 0x00161a40 0x00161a40
 0x02f8 0x05c0  R  1
  GNU_EH_FRAME   0xc390 0xb390 0xb390
 0x002c 0x002c  R  4
  OPENBSD_RANDOM 0x00162aa8 0x00161aa8 0x00161aa8
 0x0008 0x0008  RW 8
  GNU_STACK  0x 0x 0x
 0x 0x  RW 0
  OPENBSD_NOBTCF 0x 0x 0x
 0x 0xE0
  NOTE   0x00162d38 0x00161d38 0x00161d38
 0x0018 0x0018  R  4

 Section to Segment mapping:
  Segment Sections...
   00 .interp
   01 .interp .dynsym .gnu.hash .hash .dynstr .rela.dyn .rela.plt .rodata 
.eh_frame_hdr .eh_frame
   02 .text .init .fini .plt
   03 .data .openbsd.randomdata.retguard.1205

Re: debugging "invalid argument" errors when loading elf files

Re: debugging "invalid argument" errors when loading elf files

Re: ROP Exploitation in openbsd-64 Programs After Removing ROP Gadgets

Re: Compulab's Fitlet3: Intel's Elkhart Atom X6425E with MARVELL PHY 88E1512 Ethernet

Re: openFPGAloader successfully built, but can't flash with ftdi error

Re: openFPGAloader successfully built, but can't flash with ftdi error

Re: debugging "invalid argument" errors when loading elf files

7 matches

Site Navigation

Mail list logo

Footer information