From 2d3bd0809a433edcc687949c42ecdc509f8a4498 Mon Sep 17 00:00:00 2001
From: John Reiser
Date: Fri, 9 Jun 2017 14:38:08 -0700
Subject: [PATCH] i386-linux.elf-fold.S avoids mmap() into stack

modified: stub/src/i386-linux.elf-fold.S
modified: ../.github/travis_testsuite_1.sh
modified: stub/i386-linux.elf-fold.h
modified: stub/tmp/i386-linux.elf-fold.map
---
 .github/travis_testsuite_1.sh | 14 ++---
 src/stub/i386-linux.elf-fold.h | 56 +++++++++---------
 src/stub/src/i386-linux.elf-fold.S | 87 +++++++++++++++-------------
 src/stub/tmp/i386-linux.elf-fold.map | 2 +-
 4 files changed, 83 insertions(+), 76 deletions(-)

diff --git a/.github/travis_testsuite_1.sh b/.github/travis_testsuite_1.sh
index ea107c86..2e032469 100644
--- a/.github/travis_testsuite_1.sh
+++ b/.github/travis_testsuite_1.sh
@@ -153,7 +153,7 @@ expected_sha256sums__t110_compress_ucl_nrv2b_3_no_filter="\
 c1a6ef9d0b8a26f1d6e3307af6f119bc95411a54421c7da3bd6ade9c4eead187 *arm-wince.pe/upx-3.91.exe
 819eb6b8847f3760edadb8b196b50f2558c2f9f842bc4ef4bb8114aed853a4d6 *armeb-linux.elf/upx-3.91
 7d5f0fd6f18e4cd16655ef58805f228bcaddd5b035ce998faed446e290aea3d9 *i386-dos32.djgpp2.coff/upx-3.91.exe
-bdf8e1c94cb8e4736ab7ff840dff93569e6a1cac28d0675f69d9ecbdd427df02 *i386-linux.elf/upx-3.91
+1675d73911682fcc20a92c4cc6bf80c967d97c3a57c854f74d376ef8d1450f15 *i386-linux.elf/upx-3.91
 d3cfb5347758ee54e54cfc92ae502a3e19702cd4fec115d74f84f8a5ab7a9bc2 *i386-win32.pe/upx-3.91.exe
 c4c8b912a48bcaaef72fd94cd0c307659a03be2ec359bf01a42a2a39307dd964 *m68k-atari.tos/upx-3.91.ttp
 889e9e9e3b904e3115a7723e5a8e46504cbcbaf1dcadec58877a27c62963033e *mipsel-linux.elf/upx-3.91
@@ -164,7 +164,7 @@ expected_sha256sums__t120_compress_ucl_nrv2d_3_no_filter="\
 2bb2477bdf4643954b4bb707b1017459238b03f66883303cd20e9e8740764dd7 *arm-wince.pe/upx-3.91.exe
 c1e4edce4786a94aa12b1ee26aeccba477b5b3b5c7fe82466b1321e93690eb11 *armeb-linux.elf/upx-3.91
 c52473f5dbdac560c05d5d173e5342b5e696e604517359baef581672eb25a9e6 *i386-dos32.djgpp2.coff/upx-3.91.exe
-fa4bebfad4a95e8ab9ad61190c3309e96063ddd352742e5713508b23a1531847 *i386-linux.elf/upx-3.91
+ca41fe0a1f32b42fdc8264cb5cbaf57dc2d9d6b9343265f6f8210573243c2303 *i386-linux.elf/upx-3.91
 5bebadb8455b052580b1f22a949c3eb5a441c8b6ba9c6b50506cb703fc3f65ce *i386-win32.pe/upx-3.91.exe
 ef94d8b0e02a650c302bec9f2d50462f2accc2fbb8003cc4977bc550d2e5b9f2 *m68k-atari.tos/upx-3.91.ttp
 31c028003f28bfe664b9ac31d74327b9f10e69a52f225fe80ed62bb3c1056993 *mipsel-linux.elf/upx-3.91
@@ -175,7 +175,7 @@ expected_sha256sums__t130_compress_ucl_nrv2e_3_no_filter="\
 0915344e0ee8e7c006e6cce71c024f518e097a88820c7ab3ca183ab1c614ce82 *arm-wince.pe/upx-3.91.exe
 673d386ad4f284035e9c575e7d5e1dc92d77761f3741c0df3d361e23ca1fd357 *armeb-linux.elf/upx-3.91
 5c5ff78652e76834f3f9ab110c42e3a34ef54c748bce212b0e942049f43f5d4d *i386-dos32.djgpp2.coff/upx-3.91.exe
-8286e353ab2e8f8c8afbb318932d3df2ea525749caec9cddff96c604e84ce537 *i386-linux.elf/upx-3.91
+6deaa3f0a2a613030cc4185da140becdd4b71f3aabfff3fa6854b971af6cb92f *i386-linux.elf/upx-3.91
 ef5e25c79d356e9ed0736f34dc5ee7a8f4c66d0c330b8d16672fac7d829b5a7c *i386-win32.pe/upx-3.91.exe
 dfc6abff2d3417b9708b1232d5791a9232c6623dcedb9dcb59428b67bbf864e9 *m68k-atari.tos/upx-3.91.ttp
 68768e06b4261d749b1e697d1a75e0871e66b21f59d4235e4998d88f98b540ad *mipsel-linux.elf/upx-3.91
@@ -186,7 +186,7 @@ expected_sha256sums__t140_compress_lzma_2_no_filter="\
 3af2a2346a252dfacefb6209725907b2947dc1ccf5e99af139608354f852507c *arm-wince.pe/upx-3.91.exe
 11045dca0976b131ec5bfd58160627c72462e8b9d35fdfc64f3f0c6eb9d497ca *armeb-linux.elf/upx-3.91
 964fb400b0b4a2b1926ce7076610db8c3a8e41807fe030209af1615d43b6a020 *i386-dos32.djgpp2.coff/upx-3.91.exe
-cf4dfd2a9eaf557f1a2d5d9a4aeb2b5ec27d0a8e84ebc8146551c5286386d595 *i386-linux.elf/upx-3.91
+d7a31bf4bc27dae47707731dbf59d7f9bf61038f21c81d6c7ce081285a9bb79d *i386-linux.elf/upx-3.91
 171bde9f27a5571b524e9d7cdba6cefa142bb8a0b114c4d5294944ee5781e0bb *i386-win32.pe/upx-3.91.exe
 8826c1f910007360ba6cec02c91bd7cdc87bce1ce27804ca728846b92d9086c9 *m68k-atari.tos/upx-3.91.ttp
 bd9b3d1d7f66bf3b2394d3c96b61613323df15ab48d877621576637feecb445f *mipsel-linux.elf/upx-3.91
@@ -197,7 +197,7 @@ b7ae93def74c119d62ef1a92eb06074b8ce3a4429512ac64de6120097fb48692 *amd64-linux.el
 dc7323e753ce62e6a1c22112f139953dbaa1e5268530479f8ad48e0c54062295 *arm-wince.pe/upx-3.91.exe
 25f2d135e042e417f66e193b801a654990027b2fd584f0ff976fe3e888f639df *armeb-linux.elf/upx-3.91
 8614d93ba30def6866b3be92ae5bdd5f294266e0fc4a26c078682917f127656d *i386-dos32.djgpp2.coff/upx-3.91.exe
-eee63c54f29698bef0824028002e7a4d7876a54d0a32de7a3c27a84b153d19b2 *i386-linux.elf/upx-3.91
+53797fc3ebaf0a805e2f1db8a39cb90feaa96ecb50255c333eca9aa159645534 *i386-linux.elf/upx-3.91
 7c3d7398f63eb9e235992d2d8fd6de9e355f6f21621c45032a6ae6c9009067e6 *i386-win32.pe/upx-3.91.exe
 25e9e84bf4e01350b362d088f8107d8228b4576bc47b6b718e9e742f7e4a5205 *m68k-atari.tos/upx-3.91.ttp
 3a347f56fff4538bdfd30dab402c7656c4a15d42c390e828b106679f35589b4d *mipsel-linux.elf/upx-3.91
@@ -208,7 +208,7 @@ e091849d471a5eb866a34ebe09ca4ccae014dae5b592b59b013a4a689bd67385 *amd64-linux.el
 1c9c618741739404f40d198d2fc77010539589379bf260502af9f10f1ec0d05b *arm-wince.pe/upx-3.91.exe
 001e2bd3c30ea0f21ec800c48be8877aa1d1cd97819353bd9713ef15baed7783 *armeb-linux.elf/upx-3.91
 863bbf7f3cf41296987b085a4db8acba372e3d65d8d9c656f9a7276f2e7aa4d3 *i386-dos32.djgpp2.coff/upx-3.91.exe
-5698900c141c4db6517ae2b1b1679a528234a40510bd8e81fb5d8f76adbc43ae *i386-linux.elf/upx-3.91
+ad88a49ff5251397f20858c3b60aee23e1ad3bca440ff187608781164b263b9a *i386-linux.elf/upx-3.91
 4c73a38e81fe12f36dc37e514f8580c12bdf5d8cb92e9a07b7070db291a2f7eb *i386-win32.pe/upx-3.91.exe
 0f902defbce3c9a8ea08910ff2ac62b9f06e7ceed0570501cb3b6287bfd6d797 *m68k-atari.tos/upx-3.91.ttp
 cf18d628feb7720b962a64b5b240dc86268257973cce46e2d98c67de4e4cdf50 *mipsel-linux.elf/upx-3.91
@@ -219,7 +219,7 @@ expected_sha256sums__t170_compress_all_methods_no_lzma_5_no_filter="\
 66653a91c355a1ad1ab7b07c6c20b2d2899d0f42078683d0f4d540df476b1afb *arm-wince.pe/upx-3.91.exe
 9563feafae70b78f8bcdb7b831adea7eeb87dba232e660a307e83ceafd5dcfad *armeb-linux.elf/upx-3.91
 490a196fbba4a8f21bfb9ac2a3b92a6dc7e287f255a3ab987f7d29d5a75d8db4 *i386-dos32.djgpp2.coff/upx-3.91.exe
-81470e7ad913617238e59118c8aac0bbc6be44460c9516733cc598818983d4fc *i386-linux.elf/upx-3.91
+d30326c5acb6d5fd15d69a5d08d7b2eaee05dacfb999581dbc0312cded9a9d26 *i386-linux.elf/upx-3.91
 14b192b5419ca0ec2b3f238dc6ed9c17596e82ff2674a299d4b0a76d118a73de *i386-win32.pe/upx-3.91.exe
 2eb756cf3c7e4f80fea379a267071c981f3ab1fbb3eaab7057ca18a2b400fb8f *m68k-atari.tos/upx-3.91.ttp
 80fa1894a5f3406c1d8e238623cfbaf1fc736e28fb822554d5a2d274ff31d8fd *mipsel-linux.elf/upx-3.91
diff --git a/src/stub/i386-linux.elf-fold.h b/src/stub/i386-linux.elf-fold.h
index 822b5dae..a4a48872 100644
--- a/src/stub/i386-linux.elf-fold.h
+++ b/src/stub/i386-linux.elf-fold.h
@@ -32,8 +32,8 @@ #define STUB_I386_LINUX_ELF_FOLD_SIZE 1834 -#define STUB_I386_LINUX_ELF_FOLD_ADLER32 0x91a11027 -#define STUB_I386_LINUX_ELF_FOLD_CRC32 0x567b6966 +#define STUB_I386_LINUX_ELF_FOLD_ADLER32 0x16aa0b35 +#define STUB_I386_LINUX_ELF_FOLD_CRC32 0xbcea1e58 unsigned char stub_i386_linux_elf_fold[1834] = { /* 0x0000 */ 127, 69, 76, 70, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
@@ -44,28 +44,28 @@ unsigned char stub_i386_linux_elf_fold[1834] = { /* 0x0050 */ 0, 16, 0, 0, 1, 0, 0, 0, 42, 7, 0, 0, 0, 0, 0, 0, /* 0x0060 */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 0x0070 */ 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, -/* 0x0080 */ 88, 90,137,249,137,230,129,236, 0, 48, 0, 0,137,231, 82, 80, -/* 0x0090 */ 81, 83, 85,137,229,173,133,192,171,117,250, 87,171,173,133,192, -/* 0x00a0 */ 171,117,250, 87,173,133,192,171,165,117,249, 64,131,239, 8,185, -/* 0x00b0 */ 10, 0, 0, 0,243,171, 72,171,171, 41,125,248, 87, 86,186,255, -/* 0x00c0 */ 15, 0, 0,137,249,232, 15, 0, 0, 0, 47,112,114,111, 99, 47, -/* 0x00d0 */ 115,101,108,102, 47,101,120,101, 0, 91,184, 85, 0, 0, 0,205, -/* 0x00e0 */ 128,133,192,121, 7,137,217,184, 14, 0, 0, 0,141,116, 1,255, -/* 0x00f0 */ 145,253, 95, 79,176, 0,170,243,164,184, 32, 32, 32, 61,131,239, -/* 0x0100 */ 3,137, 7,139, 69,252,137, 56,193,239, 12, 79,193,231, 12, 87, -/* 0x0110 */ 41,201,184, 5, 0, 0, 0,205,128, 91,185, 0, 16, 0, 0,186, -/* 0x0120 */ 1, 0, 0, 0,190, 18, 0, 0, 0,151, 41,237,184,192, 0, 0, -/* 0x0130 */ 0,205,128,135,223,184, 6, 0, 0, 0,205,128, 94, 90, 1,250, -/* 0x0140 */ 131,239, 4,137,241,131,238, 4, 41,225,193,233, 2,243,165,141, -/* 0x0150 */ 103, 4,137,215,252, 89, 93, 91, 94, 89,129,236, 0, 10, 0, 0, -/* 0x0160 */ 83,139, 83, 72,141,148, 26,255, 31, 0, 0,129,226, 0,240,255, -/* 0x0170 */ 255, 82, 41,192,102,131,123, 16, 3,117, 1,146, 80,141, 4, 25, -/* 0x0180 */ 139, 24,139, 72, 4,131,193, 12,141, 84, 36, 12, 96, 71,232, 79, -/* 0x0190 */ 4, 0, 0,131,196, 36, 89, 91,129,196, 0, 10, 0, 0, 80, 79, -/* 0x01a0 */ 41,192, 60,175,175,117,252, 80, 80, 80, 80, 80, 80, 80, 80, 41, -/* 0x01b0 */ 217,176, 91,255, 39, 85, 83, 86, 87,139, 92, 36, 20,139, 76, 36, -/* 0x01c0 */ 24,139, 84, 36, 28,139,116, 36, 32,139,124, 36, 36,139,108, 36, -/* 0x01d0 */ 40,193,237, 12,184,192, 0, 0, 0,205,128, 95, 94, 91, 93,195, +/* 0x0080 */ 88, 90,137,249,137,230,129,236, 0, 16, 0, 0,137,231, 82, 80, +/* 0x0090 */ 
81,106, 0, 83, 85,137,229,173,133,192,171,117,250, 87,171,173, +/* 0x00a0 */ 133,192,171,117,250, 87,173,133,192,171,165,117,249, 64,131,239, +/* 0x00b0 */ 8,185, 10, 0, 0, 0,243,171, 72,171,171, 41,125,248, 87, 86, +/* 0x00c0 */ 186,255, 15, 0, 0,137,249,232, 15, 0, 0, 0, 47,112,114,111, +/* 0x00d0 */ 99, 47,115,101,108,102, 47,101,120,101, 0, 91,184, 85, 0, 0, +/* 0x00e0 */ 0,205,128,133,192,121, 7,137,217,184, 14, 0, 0, 0,141,116, +/* 0x00f0 */ 1,255,145,253, 95, 79,176, 0,170,243,164,184, 32, 32, 32, 61, +/* 0x0100 */ 131,239, 3,137, 7,139, 69,252,137, 56,131,231,252, 41,201,184, +/* 0x0110 */ 5, 0, 0, 0,205,128,137, 69, 8, 94, 90, 1,250,175,137,241, +/* 0x0120 */ 173, 41,225,193,233, 2,243,165,141,103, 4,137,215,252, 89, 93, +/* 0x0130 */ 91, 88, 94, 89,139, 83, 72,141,148, 26, 0, 16, 0, 0, 41,218, +/* 0x0140 */ 82, 83, 80,129,236, 0, 10, 0, 0, 41,192,102,131,123, 16, 3, +/* 0x0150 */ 117, 1,146, 80,141, 4, 25,139, 24,139, 72, 4,131,193, 12,141, +/* 0x0160 */ 84, 36, 12, 96, 71,232,120, 4, 0, 0, 79,129,196, 36, 10, 0, +/* 0x0170 */ 0, 89, 91, 90, 80, 82, 83, 87, 81, 41,237,137,207,190, 2, 0, +/* 0x0180 */ 0, 0,186, 1, 0, 0, 0,185, 0, 16, 0, 0, 41,219,184,192, +/* 0x0190 */ 0, 0, 0,205,128, 91,184, 6, 0, 0, 0,205,128, 95, 41,192, +/* 0x01a0 */ 60,175,175,117,252, 91, 89, 80, 80, 80, 80, 80, 80, 80, 80,176, +/* 0x01b0 */ 91,255, 39, 85, 83, 86, 87,139, 92, 36, 20,139, 76, 36, 24,139, +/* 0x01c0 */ 84, 36, 28,139,116, 36, 32,139,124, 36, 36,139,108, 36, 40,193, +/* 0x01d0 */ 237, 12,184,192, 0, 0, 0,205,128, 95, 94, 91, 93,195, 0, 0, /* 0x01e0 */ 87, 86,137,206, 83,137,195, 57, 8,139,120, 4,115, 10,106,127, /* 0x01f0 */ 91,106, 1, 88,205,128,235,254,133,201,116, 8,138, 7, 71,136, /* 0x0200 */ 2, 66,226,248, 1,115, 4, 41, 51, 91, 94, 95,195, 85,137,229, 
@@ -94,7 +94,7 @@ unsigned char stub_i386_linux_elf_fold[1834] = { /* 0x0370 */ 215,115, 2,137,215,131,193, 32, 75,117,227,129,230, 0,240,255, /* 0x0380 */ 255, 41,247,137,242,141,159,255, 15, 0, 0,129,227, 0,240,255, /* 0x0390 */ 255,133,192,117, 22,106, 0,131,200, 34,106,255, 80,106, 0, 83, -/* 0x03a0 */ 86,232, 15,254,255,255,131,196, 24,137,194,141, 4, 26, 41,242, +/* 0x03a0 */ 86,232, 13,254,255,255,131,196, 24,137,194,141, 4, 26, 41,242, /* 0x03b0 */ 139,117,224,137, 85,200,137, 69,240,102,131,126, 44, 0,199, 69, /* 0x03c0 */ 196, 0, 0, 0, 0, 15,132,221, 1, 0, 0,131,125,220, 0,116, /* 0x03d0 */ 32,139, 69,204,131, 56, 6,117, 24,139, 77,200,186, 3, 0, 0, @@ -105,11 +105,11 @@ unsigned char stub_i386_linux_elf_fold[1834] = { /* 0x0420 */ 137, 69,236,137, 77,192,139, 78, 20,137,198, 1,193,137, 77,188, /* 0x0430 */ 137,193,129,225,255, 15, 0, 0, 41,206,131,125,220, 0,141, 60, /* 0x0440 */ 10,116, 63,106, 0,139, 69,192,106,255,106, 50,131,200, 2, 80, -/* 0x0450 */ 141, 71, 3, 80, 86,232, 91,253,255,255,131,196, 24, 57,198, 15, +/* 0x0450 */ 141, 71, 3, 80, 86,232, 89,253,255,255,131,196, 24, 57,198, 15, /* 0x0460 */ 133,221, 0, 0, 0,128,227, 4,139, 69,208,117, 2, 49,192, 80, /* 0x0470 */ 139, 69,220,255,117,228,141, 85,232,232,143,253,255,255, 88, 90, /* 0x0480 */ 235, 35,139, 93,204,139, 67, 4, 41,200, 80,255,117,228,106, 18, -/* 0x0490 */ 255,117,192, 87, 86,232, 27,253,255,255,131,196, 24, 57,198, 15, +/* 0x0490 */ 255,117,192, 87, 86,232, 25,253,255,255,131,196, 24, 57,198, 15, /* 0x04a0 */ 133,157, 0, 0, 0,137,248,247,216, 37,255, 15, 0, 0,246, 69, /* 0x04b0 */ 192, 2,137, 69,184,116, 18,131,125,184, 0,141, 4, 62,116, 9, /* 0x04c0 */ 139, 77,184,198, 0, 0, 64,226,250,131,125,220, 0,116,125,139, 
@@ -122,7 +122,7 @@ unsigned char stub_i386_linux_elf_fold[1834] = {
 /* 0x0530 */ 255,255,137,243,137,249,139, 85,192,106,125, 88,205,128,133,192,
 /* 0x0540 */ 116, 10,106,127, 91,106, 1, 88,205,128,235,254,139, 85,184,141,
 /* 0x0550 */ 4, 23,141, 28, 6, 59, 93,188,115, 30,106, 0,106,255,106, 50,
-/* 0x0560 */ 255,117,192, 41, 93,188,255,117,188, 83,232, 70,252,255,255,131,
+/* 0x0560 */ 255,117,192, 41, 93,188,255,117,188, 83,232, 68,252,255,255,131,
 /* 0x0570 */ 196, 24, 57,195,116, 27,235,202,131,125,220, 0,116, 19,141, 79,
 /* 0x0580 */ 3,129,225,255, 15, 0, 0,131,249, 3,119, 5,106, 91, 88,205,
 /* 0x0590 */ 128,139, 77,224,255, 69,196, 15,183, 65, 44,131, 69,204, 32, 57,
diff --git a/src/stub/src/i386-linux.elf-fold.S b/src/stub/src/i386-linux.elf-fold.S
index dd019547..06284aa5 100644
--- a/src/stub/src/i386-linux.elf-fold.S
+++ b/src/stub/src/i386-linux.elf-fold.S
@@ -76,21 +76,22 @@ fold_begin:
         mov ecx,edi // total length of compressed data
         mov esi,esp // argv
-        sub esp,2*PAGE_SIZE + PATH_MAX
+        sub esp,PATH_MAX
         mov edi,esp
         push edx // argc
         push eax // O_BINFO
         push ecx // total length of compressed data
+        push 0 // space for fd
         push ebx // &Elf32_Ehdr
         push ebp // f_exp
-        mov ebp,esp // frame: f_exp,&Elf32_Ehdr,tot_len,O_BINFO,argc
+        mov ebp,esp // frame: f_exp,&Elf32_Ehd,0,tot_len,O_BINFO,argc
 0: lodsd; test %eax,%eax; stosd; jne 0b // argv
-        push edi // &new_env[0]; f_exp,&Elf32_Ehdr,tot_len,O_BINFO,argc
+        push edi // &new_env[0]; f_exp,&Elf32_Ehdr,0,tot_len,O_BINFO,argc
         stosd // space for new_env[0]
 0: lodsd; test %eax,%eax; stosd; jne 0b // env
-        push edi // &old_auxv,&new_env[0]; f_exp,&Elf32_Ehdr,tot_len,O_BINFO,argc
+        push edi // &old_auxv,&new_env[0]; f_exp,&Elf32_Ehdr,0,tot_len,O_BINFO,argc
 0: lodsd; test %eax,%eax; stosd; movsd; jne 0b // auxv
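Review bot: The slot opened by `push 0 // space for fd` is written as `0` in every frame comment of this hunk and of the next hunk at -99, but the hunk at -117 calls the same slot `fd` once `mov [2*4 + ebp],eax` has filled it; one name throughout would make the frame easier to follow, e.g. `push 0 // fd slot, filled after open()` and `// frame: f_exp,&Elf32_Ehdr,fd,tot_len,O_BINFO,argc`. fold_begin starts before this hunk and continues after it.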
@@ -99,8 +100,8 @@ fold_begin:
         mov ecx,5*2; rep stosd // 5 extra slots
         dec eax; stosd; stosd // {AT_IGNORE}
         sub [-2*4 + ebp],edi // -len_aux
-        push edi // &new_aux[N],-len_aux,&new_env[0]; f_exp,&Elf32_Ehdr,tot_len,O_BINFO,argc
-        push esi // &strings,&new_aux[N],-len_aux,&new_env[0]; f_exp,&Elf32_Ehdr,tot_len,O_BINFO,argc
+        push edi // &new_aux[N],-len_aux,&new_env[0]; f_exp,&Elf32_Ehdr,0,tot_len,O_BINFO,argc
+        push esi // &strings,&new_aux[N],-len_aux,&new_env[0]; f_exp,&Elf32_Ehdr,0,tot_len,O_BINFO,argc
         mov edx,-1+ PATH_MAX // buflen
         mov ecx,edi // buffer
@@ -117,37 +118,26 @@ fold_begin:
         xchg ecx,eax // ecx= byte count
         std
-        pop edi; dec edi // abuts old strings; &new_aux[N],-len_aux,&new_env[0]; f_exp,&Elf32_Ehdr,tot_len,O_BINFO,argc
+        pop edi; dec edi // abuts old strings; &new_aux[N],-len_aux,&new_env[0]; f_exp,&Elf32_Ehdr,0,tot_len,O_BINFO,argc
         mov al,0; stosb // terminate
         rep movsb // slide up
         mov eax, 0+ ('='<<24)|(' '<<16)|(' '<<8)|(' '<<0) # env var name
         sub edi,3; mov [edi],eax
         mov eax,[-1*4 + ebp]; mov [eax],edi // new_env[0]
-        shr edi,12; dec edi; shl edi,12
-        push edi // &page,&new_aux[N],-len_aux,&new_env[0]; f_exp,&Elf32_Ehdr,tot_len,O_BINFO,argc
+        and edi,~3 // word align
         sub ecx,ecx // O_RDONLY
 // mov ebx,ebx // name
         mov eax,__NR_open; int 0x80
+        mov [2*4 + ebp],eax // fd for later mmap
 
-        pop ebx // &page; &new_aux[N],-len_aux,&new_env[0]; f_exp,&Elf32_Ehdr,tot_len,O_BINFO,argc
-        mov ecx,PAGE_SIZE
-        mov edx,PROT_READ
-        mov esi,MAP_PRIVATE|MAP_FIXED
-        xchg eax,edi // fd
-        sub ebp,ebp // 0 block in file
-        mov eax,__NR_mmap; int 0x80
-
-        xchg edi,ebx // ebx= fd; edi= &page
-        mov eax,__NR_close; int 0x80
-
-        pop esi // &new_aux[N]; -len_aux,&new_env[0]; f_exp,&Elf32_Ehdr,tot_len,O_BINFO,argc
-        pop edx // -len_aux; &new_env[0]; f_exp,&Elf32_Ehdr,tot_len,O_BINFO,argc
+        pop esi // &new_aux[N]; -len_aux,&new_env[0]; f_exp,&Elf32_Ehdr,fd,tot_len,O_BINFO,argc
+        pop edx // -len_aux; &new_env[0]; f_exp,&Elf32_Ehdr,fd,tot_len,O_BINFO,argc
         add edx,edi // edx= &final_aux[0]
-        sub edi,4
+        scasd // edi -= 4
         mov ecx,esi
-        sub esi,4
+        lodsd // esi -= 4
         sub ecx,esp
         shr ecx,2
         rep movsd
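Review bot: `mov [2*4 + ebp],eax // fd for later mmap` saves the open() result without testing it, so on failure the -errno value is what the hunk at -191 later hands to mmap() and close(), whose results are also discarded; the old code did not check either, so this reads as deliberate best effort, but the comment should say so, e.g. `mov [2*4 + ebp],eax // fd, or -errno: later mmap/close then fail harmlessly`. The replacements `scasd // edi -= 4` and `lodsd // esi -= 4` only decrement because DF is still set by the `std` near the top of this hunk, and `lodsd` also overwrites eax, which is harmless only because the fd was stored a few lines earlier; both facts belong in those comments. fold_begin starts before this hunk and continues after it.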
@@ -158,23 +148,21 @@ fold_begin:
         pop ecx // toss &new_env[0]
         pop ebp // f_exp
         pop ebx // &Elf32_Ehdr
+        pop eax // fd
         pop esi // tot_len
         pop ecx // O_BINFO
 // stack is back to original state: argc,argv,0,env,0,aux,0,strings,0
+        mov edx, [p_memsz + szElf32_Ehdr + ebx] // phdr[0].p_memsz
+        lea edx, [ PAGE_SIZE + edx + ebx] // 1 page for unfold
+        sub edx,ebx; push edx // length
+        push ebx // start of unmap region (&Elf32_Ehdr of this stub)
+        push eax // fd
+
 #define OVERHEAD 2048
 #define MAX_ELF_HDR 512
-
         sub esp, MAX_ELF_HDR + OVERHEAD // alloca
-        push ebx // start of unmap region (&Elf32_Ehdr of this stub)
-// Cannot pre-round .p_memsz because kernel requires PF_W to setup .bss,
-// but strict SELinux (or PaX, grsecurity) prohibits PF_W with PF_X.
-        mov edx, [p_memsz + szElf32_Ehdr + ebx] // phdr[0].p_memsz
-        lea edx, [-1 + 2*PAGE_SIZE + edx + ebx] // 1 page for round, 1 for unfold
-        and edx, 0-PAGE_SIZE
-
-        push edx // end of unmap region
         sub eax, eax // 0
         cmp word ptr [e_type + ebx], ET_DYN
         jne L53
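Review bot: `lea edx, [ PAGE_SIZE + edx + ebx]` followed by `sub edx,ebx` adds ebx only to take it away again, so the pair is just `add edx, PAGE_SIZE // length = p_memsz + 1 page for unfold`, which is shorter in a size-sensitive stub and reads as what it computes. The removed lines also rounded this length up to a page multiple and explained why the packer could not pre-round .p_memsz; the new length is unrounded, which works only because the kernel rounds a munmap length up to a page boundary itself (with ebx page-aligned the unmapped extent is still ceil(p_memsz/PAGE_SIZE) + 1 pages), so I would keep a one-line note to that effect next to `sub edx,ebx; push edx // length`. fold_begin starts before this hunk and continues after it.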
@@ -191,13 +179,30 @@ L53:
         inc edi // swap with above 'pusha' to inhibit auxv_up for PT_INTERP
         .extern upx_main
         call upx_main // returns entry address
-        add esp, (8 +1)*4 // remove 8 params from pusha, also dynbase
-        pop ecx // end of unmap region
-        pop ebx // start of unmap region (&Elf32_Ehdr of this stub)
-        add esp, MAX_ELF_HDR + OVERHEAD // un-alloca
-        push eax // save entry address
+        dec edi
+        add esp, (8 +1)*4 + MAX_ELF_HDR + OVERHEAD // 8 params, dynbase, un-alloca
+        pop ecx // fd
+        pop ebx // base to unmap
+        pop edx // length
 
-        dec edi // auxv table
+        push eax // entry address
+        push edx // length
+        push ebx // base to unmap
+        push edi // auxv
+        push ecx // fd, auxv, unmap, length, entry
+
+        sub ebp,ebp // 0 block in file
+        mov edi,ecx // fd
+        mov esi,MAP_PRIVATE
+        mov edx,PROT_READ
+        mov ecx,PAGE_SIZE
+        sub ebx,ebx // 0 ==> Linux chooses page frame
+        mov eax,__NR_mmap; int 0x80
+
+        pop ebx // fd; auxv, base, length, entry
+        mov eax,__NR_close; int 0x80
+
+        pop edi // auxv table
         sub eax,eax // 0, also AT_NULL
         .byte 0x3c // "cmpb al, byte ..." like "jmp 1+L60" but 1 byte shorter
 L60:
@@ -205,6 +210,8 @@ L60:
         scasd // a_type
         jne L60 // not AT_NULL
 // edi now points at [AT_NULL]a_un.a_ptr which contains result of make_hatch()
+        pop ebx // base to unmap (&Elf32_Ehdr of this stub)
+        pop ecx // length
         push eax
         push eax
@@ -215,7 +222,6 @@ L60:
         push eax
         push eax
 // 32 bytes of zeroes now on stack, ready for 'popa'
-        sub ecx, ebx // length to unmap
         mov al, __NR_munmap // eax was 0 from L60
         jmp [edi] // unmap ourselves via escape hatch, then goto entry
@@ -233,6 +239,7 @@ mmap: .globl mmap // what happened to the ebx->args_on_stack method?
         shr ebp,12
         mov eax,__NR_mmap
         int 0x80
+
         pop edi
         pop esi
         pop ebx
diff --git a/src/stub/tmp/i386-linux.elf-fold.map b/src/stub/tmp/i386-linux.elf-fold.map
index d52641a8..c716ce00 100644
--- a/src/stub/tmp/i386-linux.elf-fold.map
+++ b/src/stub/tmp/i386-linux.elf-fold.map
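Review bot: The address returned by `mov eax,__NR_mmap; int 0x80` is overwritten two instructions later by `mov eax,__NR_close`, so the one-page PROT_READ, MAP_PRIVATE mapping of the file is neither checked nor used, and nothing in the hunk says why it has to exist; a comment above `sub ebp,ebp // 0 block in file` stating what this mapping is for and that its failure is tolerated would spare the next reader the guess. The stack comment on `push ecx // fd, auxv, unmap, length, entry` calls the slot `unmap` that every other comment calls `base to unmap` (including `pop ebx // base to unmap` in the hunk at -205); using one word keeps the five slots traceable. The `pusha` that the combined `add esp, (8 +1)*4 + MAX_ELF_HDR + OVERHEAD` unwinds, and the `sub esp, MAX_ELF_HDR + OVERHEAD` it pairs with, are outside this hunk.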
@@ -12,7 +12,7 @@ TARGET(elf32-i386) .text 0x0000000000c01080 0x6ac *(.text) .text 0x0000000000c01080 0x160 tmp/i386-linux.elf-fold.o - 0x0000000000c011b5 mmap + 0x0000000000c011b3 mmap .text 0x0000000000c011e0 0x54a tmp/i386-linux.elf-main.o 0x0000000000c015e2 upx_main *(.data)