Conversation

@RoundofThree
Member

load_elf_sections() mmaps at a fixed address indicated by et_dyn_addr. When emulating big executables, this becomes an issue because it tries to mmap memory regions that overlap with adjacent valid memory mappings due to the size. For example, qemu-morello is mapped at 0x200000, and then the emulated V8 mksnapshot is mapped from 0x0000000000100000 to 0x0000000001848000, overwriting the qemu-morello mapping.

Before load_elf_sections():

gef>  vm
[ Legend:  Code | Heap | Stack ]
Start              End                Offset             Perm Path
0x0000000000200000 0x0000000000513000 0x0000000000000000 r-- /home/zyj20/cheri/output/bsd-user-sdk/bin/qemu-morello
0x0000000000513000 0x00000000009e9000 0x0000000000312000 r-x /home/zyj20/cheri/output/bsd-user-sdk/bin/qemu-morello
[...]

After:

gef>  vm
[ Legend:  Code | Heap | Stack ]
Start              End                Offset             Perm Path
0x0000000000100000 0x0000000001848000 0x0000000000000000 r-- /home/zyj20/v8-work/v8/out/cheri-uncompressed-cross/mksnapshot
0x0000000001848000 0x0000000001849000 0x0000000000000000 r--
[...]

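To make the failure mode above concrete, here is an added example (not code from qemu-bsd-user or this PR) that reproduces the conflict with the addresses from the `vm` listings and shows, on a scratch page, the difference between `MAP_FIXED` (silently replaces whatever is already mapped there) and `MAP_FIXED_NOREPLACE` (Linux refuses with EEXIST). The `host_maps` table and the guest range are constructed from the listings; `guest_collides()` also takes a base offset to illustrate what shifting the guest address space (qemu's `-B`/guest_base) changes. The `MAP_FIXED_NOREPLACE` fallback value is an assumption for headers that predate the flag; on kernels that ignore it the address is treated as a hint and the mapping is placed elsewhere, which the check also treats as "not replaced".

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_FIXED_NOREPLACE
/* Linux value; assumption for headers that predate the flag. */
#define MAP_FIXED_NOREPLACE 0x100000
#endif

/* One existing mapping, in the form gef's `vm` output lists them. */
struct mapping { uintptr_t start, end; };

/* Host (qemu-morello) mappings, constructed from the "Before" listing. */
static const struct mapping host_maps[] = {
    { 0x200000, 0x513000 },   /* qemu-morello r-- */
    { 0x513000, 0x9e9000 },   /* qemu-morello r-x */
};
#define HOST_MAPS_N (sizeof host_maps / sizeof host_maps[0])

/* Guest ELF image from the "After" listing: 0x100000-0x1848000. */
#define GUEST_LO 0x100000UL
#define GUEST_HI 0x1848000UL

/* Return 1 if [addr, addr+len) intersects any listed mapping, else 0.
   This is the check a loader needs before it may use MAP_FIXED safely. */
int range_overlaps(uintptr_t addr, size_t len,
                   const struct mapping *maps, size_t n)
{
    uintptr_t end = addr + len;
    for (size_t i = 0; i < n; i++)
        if (addr < maps[i].end && maps[i].start < end)
            return 1;
    return 0;
}

/* Does the guest image, shifted by `base` (what -B does), collide with the
   host mappings?  base == 0 reproduces the failure described in the PR. */
int guest_collides(uintptr_t base)
{
    return range_overlaps(GUEST_LO + base, GUEST_HI - GUEST_LO,
                          host_maps, HOST_MAPS_N);
}

/* Map a scratch page, write a marker, then map over it with MAP_FIXED.
   Returns 1 if the marker is gone, i.e. the live mapping was replaced. */
int fixed_clobbers(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    p[0] = 0x5a;
    void *q = mmap(p, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    int clobbered = (q == (void *)p && p[0] == 0);  /* fresh zero page */
    munmap(p, len);
    return clobbered;
}

/* Same scenario with MAP_FIXED_NOREPLACE.  Returns 1 if the kernel refused
   (EEXIST on Linux >= 4.17) or, where the flag is unknown and the address
   is only a hint, placed the new mapping somewhere else. */
int noreplace_refuses(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    void *q = mmap(p, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
    int refused;
    if (q == MAP_FAILED) {
        refused = 1;
    } else {
        refused = (q != (void *)p);
        munmap(q, len);
    }
    munmap(p, len);
    return refused;
}

int main(void)
{
    printf("guest at base 0 collides with host:   %d\n", guest_collides(0));
    printf("guest at base 0x1000000 collides:     %d\n", guest_collides(0x1000000));
    printf("MAP_FIXED replaced a live page:       %d\n", fixed_clobbers());
    printf("MAP_FIXED_NOREPLACE refused/relocated: %d\n", noreplace_refuses());
    return 0;
}
```

The `range_overlaps()` test is the cheap part; the expensive part in a real loader is obtaining an accurate list of the host's own mappings at load time, which is exactly what the second comment below points out is not solved by fixing only the ELF section placement.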
@RoundofThree RoundofThree force-pushed the fix-qemu-cheri-bsd-user-overwrite branch from 73c449b to e0c2d28 Compare August 5, 2025 18:31
@kwitaszczyk
Member

Thanks for working on this!

Whilst this resolves the issue of overlaps between ELF sections of the emulated binary and mappings of the user mode binary, it does not resolve the issue of potential conflicts between mmap() calls of an emulated process and mappings of the user mode binary.

I remember that @jrtc27 worked on a change qemu-bsd-user/qemu-bsd-user#51 in upstream (we consider the blitz branch of qemu-bsd-user as upstream for the BSD user mode) to automatically compute guest_base (the -B flag), which shifts the address space of an emulated process, based on the mappings of the user mode. I guess in the long term we would anticipate that change to land in our user mode.

I talked with @RoundofThree that using -B resolves the issue with mksnapshot short term. I think we should discuss with @jrtc27 if Jessica's change is ready to be tested with an experimental run of package building for CheriBSD. If it works without issues, we could land qemu-bsd-user/qemu-bsd-user#51 in our branch even if it is not accepted in upstream.

@kwitaszczyk
Member

As a temporary workaround, I committed 1cebec9.
