Conversation

@xiangzhai
Contributor

Hi,

With KZT enabled, run the fuzz test for find_ld_part:

export LATX_KZT=1

./build64-dbg/latx-x86_64 -L /your/path/target-gcc_10.5.0-glibc_2.41/usr /your/path/box64/tests/test01 2>&1|tee target-gcc_10.5.0-glibc_2.41.log
#FAIL 
=> ./build64-dbg/latx-x86_64 -L /your/path/target-gcc_13.2.0-glibc_2.42/usr /your/path/box64/tests/test01 2>&1|tee target-gcc_13.2.0-glibc_2.42.log
./build64-dbg/latx-x86_64 -L /your/path/target-gcc_15.2.0-glibc_2.36/usr /your/path/box64/tests/test01 2>&1|tee target-gcc_15.2.0-glibc_2.36.log
./build64-dbg/latx-x86_64 -L /your/path/target-gcc_15.2.0-glibc_2.39/usr /your/path/box64/tests/test01 2>&1|tee target-gcc_15.2.0-glibc_2.39.log
./build64-dbg/latx-x86_64 -L /your/path/target-gcc_15.2.0-glibc_2.42/usr /your/path/box64/tests/test01 2>&1|tee target-gcc_15.2.0-glibc_2.42.log
./build64-dbg/latx-x86_64 -L /your/path/target-gcc_11.5.0-glibc_2.41/usr /your/path/box64/tests/test01 2>&1|tee target-gcc_11.5.0-glibc_2.41.log
./build64-dbg/latx-x86_64 -L /your/path/target-gcc_14.2.0-glibc_2.42/usr /your/path/box64/tests/test01 2>&1|tee target-gcc_14.2.0-glibc_2.42.log
./build64-dbg/latx-x86_64 -L /your/path/target-gcc_15.2.0-glibc_2.37/usr /your/path/box64/tests/test01 2>&1|tee target-gcc_15.2.0-glibc_2.37.log
./build64-dbg/latx-x86_64 -L /your/path/target-gcc_15.2.0-glibc_2.40/usr /your/path/box64/tests/test01 2>&1|tee target-gcc_15.2.0-glibc_2.40.log
./build64-dbg/latx-x86_64 -L /your/path/target-gcc_12.2.0-glibc_2.42/usr /your/path/box64/tests/test01 2>&1|tee target-gcc_12.2.0-glibc_2.42.log
./build64-dbg/latx-x86_64 -L /your/path/target-gcc_15.2.0-glibc_2.35/usr /your/path/box64/tests/test01 2>&1|tee target-gcc_15.2.0-glibc_2.35.log
./build64-dbg/latx-x86_64 -L /your/path/target-gcc_15.2.0-glibc_2.38/usr /your/path/box64/tests/test01 2>&1|tee target-gcc_15.2.0-glibc_2.38.log
./build64-dbg/latx-x86_64 -L /your/path/target-gcc_15.2.0-glibc_2.41/usr /your/path/box64/tests/test01 2>&1|tee target-gcc_15.2.0-glibc_2.41.log

Reproduced segfault symptom: base 0x5508048003, offset 0xfff, the LD access fails:

...
Thread 1 "latx-x86_64" received signal SIGSEGV, Segmentation fault.
__GI___memmem (ne_len=11, needle=0xffffff55a8, hs_len=<optimized out>, haystack=<optimized out>) at memmem.c:101
...
(gdb) bt
#0  __GI___memmem (ne_len=11, needle=0xffffff55a8, hs_len=<optimized out>, haystack=<optimized out>) at memmem.c:101
#1  __GI___memmem (haystack=<optimized out>, hs_len=<optimized out>, needle=0xffffff55a8, ne_len=11) at memmem.c:53
#2  0x0000007f807daf28 in find_ld_part (start=0x550802fb15 "A\\A]A^A_]\303\307@\020\001", len=265920) at ../target/i386/latx/context/myalign.c:2560
#3  0x0000007f807db530 in find_ld_bridge (info=0x7f834a7190 <info1>) at ../target/i386/latx/context/myalign.c:2651
#4  0x0000007f807db598 in init_tb_callback_bridge (cpu=0xfff5e08010, info=0x7f834a7190 <info1>) at ../target/i386/latx/context/myalign.c:2661
#5  0x0000007f807db720 in kzt_bridge_init () at ../target/i386/latx/context/myalign.c:2680
#6  0x0000007f80880e24 in main (argc=4, argv=0xffffff6ef8, envp=0xffffff6f20) at ../linux-user/main.c:1527
(gdb) x/22i $pc-44
...
=> 0xfff778e678 <__GI___memmem+296>:    ld.bu    $r13,$r23,-1(0xfff)
...
(gdb) i r $r23
r23            0x5508048003        365206732803
(gdb) info proc
process 21731
cmdline = '/home/zhaixiang/repo/lat/build64-dbg/latx-x86_64 -L /mnt/home/zhaixiang/tmp/target/target-gcc_13.2.0-glibc_2.42/usr /home/zhaixiang/repo/box64/tests/test01'
cwd = '/home/zhaixiang/repo/lat'
exe = '/home/zhaixiang/repo/lat/build64-dbg/latx-x86_64'

Root cause: 0x5508048000 ~ 0x55080ac000 is not readable:

00010000-5500000000 ---p 00000000 00:00 0 
5500000000-5500004000 rwxp 00000000 00:00 0 
5500004000-5500008000 rw-p 00000000 00:00 0 
5500008000-5501008000 ---p 00000000 00:00 0 
5501008000-550780c000 ---p 00000000 00:00 0 
550780c000-550800c000 rw-p 00000000 00:00 0 
550800c000-5508010000 r--p 00000000 00:00 0 
5508010000-5508040000 r--p 00004000 08:03 1574844                        /mnt/home/zhaixiang/tmp/target/target-gcc_13.2.0-glibc_2.42/usr/lib64/ld-linux-x86-64.so.2
5508040000-5508048000 rw-p 00000000 00:00 0 
=> 5508048000-55080ac000 ---p 00000000 00:00 0 
                         ^--- not readable
55080ac000-55080b0000 r--p 00000000 00:00 0 
55080b0000-55080b8000 rw-p 00000000 00:00 0 
55080b8000-7000000000 ---p 00000000 00:00 0 
7f80000000-7f81230000 r-xp 00000000 08:07 3148091                        /home/zhaixiang/repo/lat/build64-dbg/latx-x86_64
7f81234000-7f81290000 r--p 01230000 08:07 3148091                        /home/zhaixiang/repo/lat/build64-dbg/latx-x86_64
7f81290000-7f812f4000 rw-p 0128c000 08:07 3148091                        /home/zhaixiang/repo/lat/build64-dbg/latx-x86_64
7f812f4000-7f83558000 rw-p 00000000 00:00 0                              [heap]
...

Please review.

Thanks,
Leslie Zhai
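As an added example (not code from the PR or the latx project): a small script that reads the two artifacts quoted in this thread, the loader's DEBUG mmap lines and the /proc maps dump, and reports for a faulting address which permission the maps actually show and which permission the logged mmap calls would have given it. It assumes a 16 KiB host page, which the 0x4000-aligned maps boundaries suggest, and Linux PROT_READ/PROT_WRITE/PROT_EXEC = 1/2/4.

```python
# Correlate loader DEBUG mmap lines with a /proc/<pid>/maps dump and
# classify a faulting address. Added example, not part of the PR.
import re

PAGE = 0x4000  # assumption: 16 KiB host pages (maps boundaries are 0x4000-aligned)

# Excerpt constructed from the maps dump quoted in the report.
MAPS = """\
5508010000-5508040000 r--p 00004000 08:03 1574844 ld-linux-x86-64.so.2
5508040000-5508048000 rw-p 00000000 00:00 0
=> 5508048000-55080ac000 ---p 00000000 00:00 0
55080ac000-55080b0000 r--p 00000000 00:00 0
"""

# Excerpt constructed from the DEBUG output quoted in the report.
LOG = """\
DEBUG: load_elf_image:2886 vaddr_ps=0x5508038000 length=0xaeb0 elf_prot=1
DEBUG: load_elf_image:2886 vaddr_ps=0x5508043000 length=0x284c elf_prot=3
DEBUG: load_elf_image:2886 vaddr_ps=0x55080ac000 length=0x529 elf_prot=7
"""

def prot_str(p):
    """Decode PROT_* bits (assumed 1/2/4) into the rwx form used by maps."""
    return ("r" if p & 1 else "-") + ("w" if p & 2 else "-") + ("x" if p & 4 else "-")

def parse_maps(text):
    """(start, end, 'rwx') for every maps line; tolerates a leading '=>' marker."""
    out = []
    for line in text.splitlines():
        m = re.search(r"([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})", line)
        if m:
            out.append((int(m[1], 16), int(m[2], 16), m[3][:3]))
    return out

def parse_log(text):
    """(start, page-rounded end, 'rwx') for every logged mmap call."""
    out = []
    for m in re.finditer(r"vaddr_ps=0x([0-9a-f]+) length=0x([0-9a-f]+) elf_prot=(\d+)", text):
        start = int(m[1], 16)
        end = (start + int(m[2], 16) + PAGE - 1) & ~(PAGE - 1)
        out.append((start, end, prot_str(int(m[3]))))
    return out

def covering(addr, regions):
    return next((r for r in regions if r[0] <= addr < r[1]), None)

def diagnose(addr, maps_text=MAPS, log_text=LOG):
    """Actual perms from maps vs. perms any logged mmap would have set (None = no call)."""
    actual = covering(addr, parse_maps(maps_text))
    logged = covering(addr, parse_log(log_text))
    return {"actual": actual[2] if actual else None,
            "logged": logged[2] if logged else None}
```

For the faulting address 0x5508048003 this yields actual `---` and logged `None`, i.e. the page is a hole that none of the logged mmap calls ever covered, rather than a mapping whose permissions were later changed.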

@LaurenIsACoder
Contributor

I think it would be better to first confirm how this memory segment gets mapped under x86, and then decide what change is appropriate~

@LaurenIsACoder
Contributor

I suggest looking at the loop below this map, `for (i = 0; i < ehdr->e_phnum; i++) {`,
and comparing against native x86 behaviour to see whether the target_mmap inside it maps the correct permissions.
Is it not being mapped here at all, or was it set and then clobbered somewhere else, e.g. by the shadow page?

@xiangzhai
Contributor Author

xiangzhai commented Dec 8, 2025

Hi @LaurenIsACoder

Sorry for my late response!

debug.patch:

@@ -1911,6 +1912,7 @@ static void zero_bss(abi_ulong elf_bss, abi_ulong last_bss, int prot)
     host_map_start = REAL_HOST_PAGE_ALIGN(host_start);
 
     if (host_map_start < host_end) {
+        printf_log(LOG_DEBUG, "DEBUG: %s:%d host_map_start=0x%lx length=0x%lx elf_prot=%d\n", __func__, __LINE__, host_map_start, host_end - host_map_start, prot);
         void *p = mmap((void *)host_map_start, host_end - host_map_start,
                        prot, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
         if (p == MAP_FAILED) {
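Review bot: the `%lx` conversions for `host_map_start` and `host_end - host_map_start` only match the argument type on LP64 hosts; cast to `unsigned long` or use the fixed-width `PRIx64`/`PRIxPTR` macros so the print does not warn or misformat elsewhere. It would also help to log `host_start` and `host_end` before the `REAL_HOST_PAGE_ALIGN` rounding, since the bytes between `host_start` and `host_map_start` are exactly what this function leaves for the preceding file-backed mapping to cover.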
@@ -2882,6 +2883,7 @@ static void load_elf_image(const char *image_name, const ImageSource *src,
              */
             if (eppnt->p_filesz != 0) {
                 vaddr_len = TARGET_ELF_PAGELENGTH(eppnt->p_filesz + vaddr_po);
+                printf_log(LOG_DEBUG, "DEBUG: %s:%d vaddr_ps=0x%lx length=0x%lx elf_prot=%d\n", __func__, __LINE__, vaddr_ps, eppnt->p_filesz + vaddr_po, elf_prot);
                 error = imgsrc_mmap(vaddr_ps, eppnt->p_filesz + vaddr_po,
                                     elf_prot, MAP_PRIVATE | MAP_FIXED,
                                     src, eppnt->p_offset - vaddr_po);
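Review bot: the length printed is the unrounded `eppnt->p_filesz + vaddr_po`, while the page-rounded `vaddr_len` computed on the previous line is not shown, and neither is `eppnt->p_memsz`; logging both makes it visible at a glance when a segment's memsz extends beyond the file-backed bytes, which is the part that must come from the anonymous path or zero_bss rather than from this `imgsrc_mmap` call. Printing `elf_prot` with `%d` is fine for a debug line, but decoding it to rwx would read more easily next to a maps dump.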
@@ -2898,6 +2900,7 @@ static void load_elf_image(const char *image_name, const ImageSource *src,
                 }
             } else if (eppnt->p_memsz != 0) {
                 vaddr_len = TARGET_ELF_PAGELENGTH(eppnt->p_memsz + vaddr_po);
+                printf_log(LOG_DEBUG, "DEBUG: %s:%d vaddr_ps=0x%lx length=0x%lx elf_prot=%d\n", __func__, __LINE__, vaddr_ps, vaddr_len, elf_prot);
                 error = target_mmap(vaddr_ps, vaddr_len, elf_prot,
                                     MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS,
                                     -1, 0, 1);
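Review bot: this print and the one added in zero_bss are the only two mapping paths in the patch that have no file backing, so if neither line shows up in the log for the region in question, the diagnosis narrows to the mapping never being created rather than being created and later overwritten; that is worth stating when the log is quoted. The three prints are debugging aids and should be dropped, or kept behind the existing LOG_DEBUG gate with a less generic prefix than `DEBUG:`, before the PR is merged.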

On the surface, the permission setup for 0x5508048000 ~ 0x55080ac000 is missing:

...
DEBUG: load_elf_image:2886 vaddr_ps=0x5500000000 length=0x610 elf_prot=1
DEBUG: load_elf_image:2886 vaddr_ps=0x5500001000 length=0x18d elf_prot=5
DEBUG: load_elf_image:2886 vaddr_ps=0x5500002000 length=0xdc elf_prot=1
DEBUG: load_elf_image:2886 vaddr_ps=0x5500003000 length=0x1010 elf_prot=3
DEBUG: load_elf_image:2886 vaddr_ps=0x550800c000 length=0xcd8 elf_prot=1
DEBUG: load_elf_image:2886 vaddr_ps=0x550800d000 length=0x2af91 elf_prot=5
DEBUG: load_elf_image:2886 vaddr_ps=0x5508038000 length=0xaeb0 elf_prot=1
=> DEBUG: load_elf_image:2886 vaddr_ps=0x5508043000 length=0x284c elf_prot=3
=> expected: set 0x5508048000 ~ 0x55080ac000 readable
DEBUG: load_elf_image:2886 vaddr_ps=0x55080ac000 length=0x529 elf_prot=7
...
Thread 1 "latx-x86_64" received signal SIGSEGV, Segmentation fault.
...
=> 0xfff778e678 <__GI___memmem+296>:    ld.bu   $r13,$r23,-1(0xfff)
...
(gdb) i r $r23
r23            0x5508048003        365206732803

Thanks,
Leslie Zhai
