qemu/tests/multiboot/aout_kludge.S
   1/*
   2 * Copyright (c) 2018 Kevin Wolf <kwolf@redhat.com>
   3 *
   4 * Permission is hereby granted, free of charge, to any person obtaining a copy
   5 * of this software and associated documentation files (the "Software"), to deal
   6 * in the Software without restriction, including without limitation the rights
   7 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
   8 * copies of the Software, and to permit persons to whom the Software is
   9 * furnished to do so, subject to the following conditions:
  10 *
  11 * The above copyright notice and this permission notice shall be included in
  12 * all copies or substantial portions of the Software.
  13 *
  14 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  15 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  16 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
  17 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  18 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  19 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  20 * THE SOFTWARE.
  21 */
  22
   23.section multiboot
     /*
      * Multiboot (version 1) header, emitted into its own section. Where that
      * section lands in the image is decided by the linker script, which is
      * not visible in this file.
      */
   24
     /* Magic number a Multiboot 1 boot loader searches for in the image. */
   25#define MB_MAGIC 0x1badb002
     /*
      * Only bit 16 is set: per the Multiboot specification this marks the
      * address fields that follow the checksum (the "a.out kludge") as valid,
      * so the loader takes load addresses from the header.
      */
   26#define MB_FLAGS 0x10000
     /* Chosen so that magic + flags + checksum is 0 modulo 2^32. */
   27#define MB_CHECKSUM -(MB_MAGIC + MB_FLAGS)
   28
     /* The three mandatory header words, 4-byte aligned, in this order. */
   29.align  4
   30.int    MB_MAGIC
   31.int    MB_FLAGS
   32.int    MB_CHECKSUM
  33
   34#define LAST_BYTE_VALUE 0xa5
     /*
      * Value that _start expects to read back from last_byte. The default
      * matches the 0xa5 stored there in the image, so a match shows that the
      * loader copied the file up to its final byte. Scenario 4 overrides it.
      */
   35
   36/*
   37 * Order of the a.out kludge header fields (descriptions follow the
      * Multiboot specification):
   38 *
   39 * header_addr   - address the Multiboot header itself corresponds to
   40 * load_addr     - address where loading of the image starts
   41 * load_end_addr - end of the data copied from the file (0: whole file)
   42 * bss_end_addr  - end of the zero-filled area after it (0: no bss)
   43 * entry_addr    - address the loader jumps to
      *
      * All five values come from the kernel image, so to the boot loader they
      * are untrusted input. Scenarios 1-4 are consistent headers; scenarios
      * 5-9 are deliberately inconsistent ones that exercise the loader
      * validation. The expected result of each scenario is defined by the
      * test harness and its reference output, which are not part of this file.
   44 */
   45#if SCENARIO == 1
   46/* Well-behaved kernel file with explicit bss_end (equal to load_end) */
   47.int    0x100000
   48.int    0x100000
   49.int    data_end
   50.int    data_end
   51.int    _start
   52#elif SCENARIO == 2
   53/* Well-behaved kernel file with default bss_end (0) */
   54.int    0x100000
   55.int    0x100000
   56.int    data_end
   57.int    0
   58.int    _start
   59#elif SCENARIO == 3
   60/* Well-behaved kernel file with default load_end; bss_end is 0 as well */
   61.int    0x100000
   62.int    0x100000
   63.int    0
   64.int    0
   65.int    _start
   66#elif SCENARIO == 4
   67/*
      * Well-behaved kernel file with load_end < data_end and bss > data_end.
      * load_end is code_end, so last_byte is not copied from the file but lies
      * inside the bss range ending at 0x140000. The expected value therefore
      * becomes 0, which checks that the loader zero-fills the bss.
      */
   68#undef LAST_BYTE_VALUE
   69#define LAST_BYTE_VALUE 0
   70.int    0x100000
   71.int    0x100000
   72.int    code_end
   73.int    0x140000
   74.int    _start
   75#elif SCENARIO == 5
   76/* header < load: header_addr - load_addr would be negative */
   77.int    0x10000
   78.int    0x100000
   79.int    data_end
   80.int    data_end
   81.int    _start
   82#elif SCENARIO == 6
   83/* load_end < load: load_end_addr - load_addr would be negative */
   84.int    0x100000
   85.int    0x100000
   86.int    0x10000
   87.int    data_end
   88.int    _start
   89#elif SCENARIO == 7
   90/*
      * header much larger than in reality with default load_end: the header
      * claims to sit 0x7ff00000 bytes after load_addr, far beyond the size of
      * this image.
      */
   91.int    0x80000000
   92.int    0x100000
   93.int    0
   94.int    data_end
   95.int    _start
   96#elif SCENARIO == 8
   97/*
      * bss_end < load_end - load (regression test for CVE-2018-7550).
      * bss_end_addr is code_end while load_end_addr is data_end, so the header
      * declares a memory area that ends before the file data to be loaded
      * does. The 8192-byte padding is left out in this scenario, which puts
      * data_end exactly one byte after code_end.
      * NOTE(review): presumably the loader has to refuse this header instead
      * of copying past the area it sized - confirm against the reference
      * output of the test.
      */
   98.int    0x100000
   99.int    0x100000
  100.int    data_end
  101.int    code_end
  102.int    _start
  103#elif SCENARIO == 9
  104/*
      * Default load_end_addr, load_addr + kernel_file_size > UINT32_MAX.
      * load_addr is 4096 bytes below 2^32 and the image carries at least the
      * 8192 bytes of padding, so the end address does not fit in 32 bits.
      * This covers the wrap-around case in the loader size arithmetic.
      */
  105.int    0xfffff000
  106.int    0xfffff000
  107.int    0
  108.int    0xfffff001
  109.int    _start
  110#else
  111#error Invalid SCENARIO
  112#endif
 113
  114.section .text
  115.global _start
     /*
      * _start: guest entry point, referenced as entry_addr by every scenario.
      *
      * Compares the byte at last_byte with LAST_BYTE_VALUE and reports the
      * outcome in eax: 0 if they match, 1 if they differ. The status is
      * written to I/O port 0xf4 and the CPU is then parked.
      * No stack is used and no other register is touched.
      */
  116_start:
  117    xor     %eax, %eax              /* eax = 0: status "match" */
  118
         /* Did the loader leave the expected value in the last image byte? */
  119    cmpb    $LAST_BYTE_VALUE, last_byte
  120    je      passed
  121    or      $0x1, %eax              /* mismatch: set bit 0 of the status */
  122passed:
  123
  124    /*
          * Test device exit: hand the status to the device at port 0xf4.
          * NOTE(review): presumably the exit device the test harness attaches
          * at this port - confirm in the run script.
          */
  125    outl    %eax, $0xf4
  126
         /*
          * Reached only if the port write did not end the run: disable
          * interrupts, halt, and spin in place should execution resume.
          */
  127    cli
  128    hlt
  129    jmp .
     /* End of the code; used as an address in the headers of scenarios 4 and 8. */
  130code_end:
 131
  132#if SCENARIO != 8
     /*
      * 8192 bytes of padding between the code and the marker byte, so that
      * last_byte sits well past code_end. Scenario 8 omits the padding, which
      * leaves last_byte directly at code_end.
      */
  133.space 8192
  134#endif
  135
     /*
      * Marker byte read by _start. Its stored value 0xa5 equals the default
      * LAST_BYTE_VALUE; it is only seen in memory if the loader copies the
      * file up to this point.
      */
  136last_byte:
  137.byte 0xa5
     /* First address after the marker byte; the headers use it as image end. */
  138data_end:
 139