/*
 * Copyright (c) 2018 Kevin Wolf <kwolf@redhat.com>
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 * THE SOFTWARE.
 */

/*
 * Test kernel for a multiboot loader's handling of the "a.out kludge"
 * address fields.  GNU as, AT&T syntax, run through the C preprocessor.
 *
 * SCENARIO (1..9) must be defined at build time; it selects one set of the
 * five address fields below.  Scenarios 1-4 describe a consistent image,
 * scenarios 5-9 describe inconsistent or overflowing values.  The fields are
 * read by the loader from the kernel file, so they are untrusted input: a
 * loader has to validate them before using them in any size or offset
 * arithmetic.
 *
 * NOTE(review): the outcome expected for each scenario (load succeeds,
 * image rejected, ...) is not visible in this file; confirm against the
 * test's expected-output data.
 */

        .section multiboot

/*
 * Multiboot (version 1) header words.  Flag bit 16 tells the loader that
 * the address fields following the checksum are valid.  The checksum is
 * chosen so that magic + flags + checksum is 0 modulo 2^32.
 */
#define MB_MAGIC 0x1badb002
#define MB_FLAGS 0x10000
#define MB_CHECKSUM -(MB_MAGIC + MB_FLAGS)

        .align 4
        .int MB_MAGIC
        .int MB_FLAGS
        .int MB_CHECKSUM

/*
 * Value _start expects to read back from last_byte.  0xa5 is the
 * initialiser stored in the file, i.e. the byte was loaded from the image.
 * Scenario 4 overrides this with 0.
 */
#define LAST_BYTE_VALUE 0xa5

/*
 * Order of the a.out kludge header fields:
 *
 * header_addr
 * load_addr
 * load_end_addr
 * bss_end_addr
 * entry_addr
 */
#if SCENARIO == 1
        /* Well-behaved kernel file with explicit bss_end */
        .int 0x100000
        .int 0x100000
        .int data_end
        .int data_end
        .int _start
#elif SCENARIO == 2
        /* Well-behaved kernel file with default bss_end (bss_end_addr = 0) */
        .int 0x100000
        .int 0x100000
        .int data_end
        .int 0
        .int _start
#elif SCENARIO == 3
        /* Well-behaved kernel file with default load_end (load_end_addr = 0) */
        .int 0x100000
        .int 0x100000
        .int 0
        .int 0
        .int _start
#elif SCENARIO == 4
        /*
         * Well-behaved kernel file with load_end < data_end and bss > data_end.
         * load_end_addr is code_end, so last_byte is outside the loaded range
         * but inside the declared bss range; the check expects it to read as 0
         * rather than the 0xa5 stored in the file.
         */
#undef LAST_BYTE_VALUE
#define LAST_BYTE_VALUE 0
        .int 0x100000
        .int 0x100000
        .int code_end
        .int 0x140000
        .int _start
#elif SCENARIO == 5
        /*
         * header < load: header_addr (0x10000) is below load_addr (0x100000),
         * so header_addr - load_addr is negative.
         */
        .int 0x10000
        .int 0x100000
        .int data_end
        .int data_end
        .int _start
#elif SCENARIO == 6
        /*
         * load_end < load: load_end_addr (0x10000) is below load_addr
         * (0x100000), so load_end_addr - load_addr is negative.
         */
        .int 0x100000
        .int 0x100000
        .int 0x10000
        .int data_end
        .int _start
#elif SCENARIO == 7
        /*
         * header much larger than in reality with default load_end:
         * header_addr - load_addr is 0x7ff00000, while load_end_addr = 0
         * leaves the load size to the loader's default.
         */
        .int 0x80000000
        .int 0x100000
        .int 0
        .int data_end
        .int _start
#elif SCENARIO == 8
        /*
         * bss_end < load_end - load (regression test for CVE-2018-7550).
         * bss_end_addr is code_end and load_end_addr is data_end; with the
         * 8 KiB pad omitted for this scenario (see below) the two differ by
         * the single byte at last_byte.
         */
        .int 0x100000
        .int 0x100000
        .int data_end
        .int code_end
        .int _start
#elif SCENARIO == 9
        /*
         * Default load_end_addr, load_addr + kernel_file_size > UINT32_MAX.
         * The sum does not fit in 32 bits, so a loader computing the end of
         * the image in 32-bit arithmetic would wrap around.
         */
        .int 0xfffff000
        .int 0xfffff000
        .int 0
        .int 0xfffff001
        .int _start
#else
#error Invalid SCENARIO
#endif

        .section .text
        .global _start
/*
 * _start - entry point named by entry_addr in every scenario.
 *
 * In:    nothing is read from registers; %eax is overwritten immediately.
 * Out:   writes 0 to I/O port 0xf4 if last_byte == LAST_BYTE_VALUE, else 1.
 * Clobb: %eax, flags.  Uses no stack.  Does not return.
 */
_start:
        xor %eax, %eax                  /* status = 0 (pass) */

        cmpb $LAST_BYTE_VALUE, last_byte
        je passed
        or $0x1, %eax                   /* status = 1 (fail) */
passed:

        /*
         * Test device exit.
         * NOTE(review): presumably the harness maps a debug-exit device at
         * port 0xf4 that ends the run with this status - confirm.
         */
        outl %eax, $0xf4

        /* Still running after the port write: park the CPU. */
        cli
        hlt
        jmp .
code_end:

/*
 * Pad so that last_byte sits 8 KiB past code_end.  Omitted for scenario 8,
 * where last_byte immediately follows the code.
 */
#if SCENARIO != 8
        .space 8192
#endif

last_byte:
        .byte 0xa5                      /* marker compared against LAST_BYTE_VALUE */
data_end: