Ensure that reserved/trampoline memory is disjoint

GJDuck · GJDuck · commit 2a2a872e2558 · 2021-09-15T08:03:13.000+08:00
(at the page level).

Previously, trampolines might sometimes be
allocated on writable pages, i.e., when the page
also hosted a writable reservation.
diff --git a/doc/e9patch-programming-guide.md b/doc/e9patch-programming-guide.md
@@ -340,7 +340,12 @@ of the frontend, and E9Patch will simply execute the template "as-is".
 The `"reserve"` message is useful for reserving sections of the
 patched program's virtual address space and (optionally) initializing
 it with data.
-Reserved addresses will not be used to host trampolines.
+The reserved address range will not be used to host trampolines.
+
+Note that the reserved address range will be implicitly rounded to the
+nearest page boundary.
+This means that trampoline and reserved memory will be disjoint at the
+page level.
 
 #### Parameters:
 
diff --git a/src/e9patch/e9api.cpp b/src/e9patch/e9api.cpp
@@ -145,10 +145,7 @@ static void queueFlush(Binary *B, intptr_t cursor)
         {
             // Options entry
             char * const *argv = entry.argv;
-            int argc;
-            for (argc = 0; argv[argc] != nullptr; argc++)
-                ;
-            parseOptions(argc, argv, /*api=*/true);
+            parseOptions(argv, /*api=*/true);
             delete[] argv;
             switch (B->mode)
             {
@@ -619,17 +616,33 @@ static void parseReserve(Binary *B, const Message &msg)
     if (bytes != nullptr)
     {
         bytes->preload = true;
-        const Alloc *A = allocate(B, address, address, bytes, nullptr);
-        if (A == nullptr)
-            error("failed to reserve address space at address "
-                ADDRESS_FORMAT, ADDRESS(address));
         length = getTrampolineSize(B, bytes, nullptr);
-        debug("reserved address space [prot=%c%c%c, size=%zu, bytes="
-            ADDRESS_FORMAT ".." ADDRESS_FORMAT "]",
-            (protection & PROT_READ? 'r': '-'),
-            (protection & PROT_WRITE? 'w': '-'),
-            (protection & PROT_EXEC? 'x': '-'), length, ADDRESS(address),
-            ADDRESS(address + (intptr_t)length));
+        size_t length_lo = address % PAGE_SIZE;
+        size_t length_hi = PAGE_SIZE - (length_lo + length) % PAGE_SIZE;
+        intptr_t address_lo = address - length_lo;
+        intptr_t address_hi = address + length;
+        const unsigned num_trampolines = 3;
+        Trampoline *trampolines[num_trampolines] =
+            {makePadding(length_lo), bytes, makePadding(length_hi)};
+        intptr_t addrs[num_trampolines] =
+            {address_lo, address, address_hi};
+        size_t lens[num_trampolines] = {length_lo, length, length_hi};
+        for (unsigned i = 0; i < num_trampolines; i++)
+        {
+            if (trampolines[i] == nullptr)
+                continue;
+            const Alloc *A = allocate(B, addrs[i], addrs[i], trampolines[i],
+                nullptr);
+            if (A == nullptr)
+                error("failed to reserve address space at address "
+                    ADDRESS_FORMAT, ADDRESS(addrs[i]));
+            debug("reserved address space [prot=%c%c%c, size=%zu, bytes="
+                ADDRESS_FORMAT ".." ADDRESS_FORMAT "]",
+                (protection & PROT_READ? 'r': '-'),
+                (protection & PROT_WRITE? 'w': '-'),
+                (protection & PROT_EXEC? 'x': '-'), lens[i], ADDRESS(addrs[i]),
+                ADDRESS(addrs[i] + (intptr_t)lens[i]));
+        }
     }
     if (have_length)
     {
@@ -713,8 +726,16 @@ static void parseOptions(Binary *B, const Message &msg)
     if (dup)
         error("failed to parse \"options\" message (id=%u); duplicate "
             "parameters detected", msg.id);
-    PatchEntry entry(argv);
-    B->Q.push_front(entry);
+    if (B->cursor == INTPTR_MAX)
+    {
+        parseOptions(argv, /*api=*/true);
+        delete[] argv;
+    }
+    else
+    {
+        PatchEntry entry(argv);
+        B->Q.push_front(entry);
+    }
 }
 
 /*
diff --git a/src/e9patch/e9elf.cpp b/src/e9patch/e9elf.cpp
@@ -337,10 +337,13 @@ size_t emitElf(Binary *B, const MappingSet &mappings, size_t mapping_size)
     }
     std::vector<Bounds> bounds;
     intptr_t ub = INTPTR_MIN;
+    // level 0 == non-trampoline mappings (reserves, refactors), default mmap()
+    // level 1 == trampoline mappings, user mmap() can be used.
     for (unsigned i = 0; i < 2; i++)
     {
-        config->maps[i] = (uint32_t)(size - config_offset);
-        bool preload = (i == 0);
+        unsigned level = i;
+        config->maps[level] = (uint32_t)(size - config_offset);
+        bool preload = (level == 0);
         for (auto *mapping: mappings)
         {
             if (preload)
@@ -361,18 +364,34 @@ size_t emitElf(Binary *B, const MappingSet &mappings, size_t mapping_size)
                     size_t len    = b.ub - b.lb;
                     off_t offset  = offset_0 + b.lb;
 
-                    debug("load trampoline: mmap(addr=" ADDRESS_FORMAT
+                    const char *name = (level == 0? "reserve": "trampoline");
+                    debug("load %s: mmap(addr=" ADDRESS_FORMAT
                         ",size=%zu,offset=+%zu,prot=%c%c%c)",
-                        ADDRESS(base), len, offset_0, (r? 'r': '-'),
+                        name, ADDRESS(base), len, offset_0, (r? 'r': '-'),
                         (w? 'w': '-'), (x? 'x': '-'));
                     stat_num_virtual_bytes += len;
 
                     size += emitLoaderMap(data + size, base, len, offset,
                         r, w, x, &ub);
-                    config->num_maps[i]++;
+                    config->num_maps[level]++;
                 }
             }
         }
+        if (level == 0)
+        {
+            // Emit refactorings at level 0.
+            for (const auto &refactor: refactors)
+            {
+                debug("load refactor: mmap(addr=" ADDRESS_FORMAT
+                    ",size=%zu,offset=+%zd,prot=r-x)",
+                    ADDRESS(refactor.addr), refactor.size,
+                    refactor.patched.offset);
+                size += emitLoaderMap(data + size, refactor.addr,
+                    refactor.size, refactor.patched.offset, /*r=*/true,
+                    /*w=*/false, /*x=*/true, nullptr);
+                config->num_maps[level]++;
+            }
+        }
     }
     if (ub > option_loader_base)
     {
@@ -383,16 +402,6 @@ size_t emitElf(Binary *B, const MappingSet &mappings, size_t mapping_size)
             "exceed maximum mapping address (0x%lx) (see `--mem-ub')",
             option_loader_base, ub);
     }
-    for (const auto &refactor: refactors)
-    {
-        debug("load refactoring: mmap(" ADDRESS_FORMAT ", %zu, "
-            "PROT_READ | PROT_WRITE | 0, MAP_FIXED | MAP_PRIVATE, fd, +%zd)",
-            ADDRESS(refactor.addr), refactor.size, refactor.patched.offset);
-        size += emitLoaderMap(data + size, refactor.addr, refactor.size,
-            refactor.patched.offset, /*r=*/true, /*w=*/false, /*x=*/true,
-            nullptr);
-        config->num_maps[1]++;
-    }
     intptr_t entry = (option_loader_base + (size - config_offset));
     if (option_trap_entry)
         data[size++] = /*int3=*/0xCC;
diff --git a/src/e9patch/e9json.cpp b/src/e9patch/e9json.cpp
@@ -651,6 +651,36 @@ static Entry makeDebugEntry(void)
     return entry;
 }
 
+/*
+ * Create a ZEROES template entry.
+ */
+static Entry makeZeroesEntry(size_t len)
+{
+    Entry entry;
+    entry.kind   = ENTRY_ZEROES;
+    entry.length = (unsigned)len;
+    return entry;
+}
+
+/*
+ * Make padding.
+ */
+Trampoline *makePadding(size_t len)
+{
+    if (len == 0)
+        return nullptr;
+    size_t num_entries = 1;
+    uint8_t *ptr =
+        new uint8_t[sizeof(Trampoline) + num_entries * sizeof(Entry)];
+    Trampoline *T  = (Trampoline *)ptr;
+    T->prot        = PROT_READ | PROT_EXEC;
+    T->num_entries = num_entries;
+    T->preload     = false;
+    T->entries[0]  = makeZeroesEntry(len);
+
+    return T;
+}
+
 /*
  * Convert an integer.
  */
diff --git a/src/e9patch/e9json.h b/src/e9patch/e9json.h
@@ -112,5 +112,6 @@ struct Message
 
 bool getMessage(FILE *stream, size_t lineno, Message &msg);
 const char *getMethodString(Method method);
+Trampoline *makePadding(size_t size);
 
 #endif
diff --git a/src/e9patch/e9mapping.cpp b/src/e9patch/e9mapping.cpp
@@ -157,15 +157,15 @@ static Key calculateKey(const Allocator &allocator, const size_t MAPPING_SIZE,
         if (a->T == nullptr)
             continue;
 
-        size_t preamble   = a->lb - BASE;
+        size_t prologue   = a->lb - BASE;
         size_t postscript = (a->ub >= END? 0: END - a->ub);
 
-        preamble   = preamble / UNIT_SIZE;
+        prologue   = prologue / UNIT_SIZE;
         postscript = postscript / UNIT_SIZE;
-        assert(preamble < KEY_BITS);
+        assert(prologue < KEY_BITS);
         assert(postscript < KEY_BITS);
 
-        Key tmp = (KEY_ONES << preamble);
+        Key tmp = (KEY_ONES << prologue);
         tmp    &= (KEY_ONES >> postscript);
         key    |= tmp;
     }
diff --git a/src/e9patch/e9patch.cpp b/src/e9patch/e9patch.cpp
@@ -371,8 +371,11 @@ enum Option
 /*
  * Parse options.
  */
-void parseOptions(int argc, char * const argv[], bool api)
+void parseOptions(char * const argv[], bool api)
 {
+    int argc;
+    for (argc = 0; argv[argc] != nullptr; argc++)
+        ;
     const int req_arg = required_argument, opt_arg = optional_argument,
               no_arg  = no_argument;
     static const struct option long_options[] =
@@ -619,7 +622,7 @@ int realMain(int argc, char **argv)
     if (getenv("E9PATCH_DEBUG") != nullptr)
         option_debug = true;
 
-    parseOptions(argc, argv);
+    parseOptions(argv);
 
     if (option_input != "-")
     {
diff --git a/src/e9patch/e9patch.h b/src/e9patch/e9patch.h
@@ -542,7 +542,7 @@ extern size_t stat_num_physical_bytes;
 extern size_t stat_input_file_size;
 extern size_t stat_output_file_size;
 
-extern void parseOptions(int argc, char * const argv[], bool api = false);
+extern void parseOptions(char * const argv[], bool api = false);
 extern void NO_RETURN error(const char *msg, ...);
 extern void warning(const char *msg, ...);
 extern void debugImpl(const char *msg, ...);
diff --git a/test/regtest/init_exe.exp b/test/regtest/init_exe.exp
@@ -1,3 +1,2 @@
-mmap() intercepted
 init argv = "./init_exe.exe" 
 PASSED
diff --git a/test/regtest/init_pie.exp b/test/regtest/init_pie.exp
@@ -1,3 +1,2 @@
-mmap() intercepted
 init argv = "./init_pie.exe" 
 PASSED

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,2 @@`
`1`		`-mmap() intercepted`
`2`	`1`	`init argv = "./init_exe.exe"`
`3`	`2`	`PASSED`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,2 @@`
`1`		`-mmap() intercepted`
`2`	`1`	`init argv = "./init_pie.exe"`
`3`	`2`	`PASSED`