On Mon, Feb 26, 2018 at 09:49:22AM -0800, Song Liu wrote:
> +/* Parse build ID of ELF file mapped to vma */
> +static int stack_map_get_build_id(struct vm_area_struct *vma,
> + unsigned char *build_id)
> +{
> + Elf32_Ehdr *ehdr = (Elf32_Ehdr *)vma->vm_start;
How does this work? Isn't vma->vm_start a _user_ address?
> +
> + /* we need at least 1 file header and 1 program header */
> + if (vma->vm_end - vma->vm_start <
> + sizeof(Elf32_Ehdr) + sizeof(Elf32_Phdr))
> + return -EINVAL;
> +
> + /* compare magic x7f "ELF" */
> + if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG) != 0)
> + return -EINVAL;
So how come you can just dereference it here, without
get_user()/copy_from_user() etc.. ?
> +
> + /* only support executable file and shared object file */
> + if (ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN)
> + return -EINVAL;
> +
> + if (ehdr->e_ident[EI_CLASS] == 1)
> + return stack_map_get_build_id_32(vma, build_id);
> + else if (ehdr->e_ident[EI_CLASS] == 2)
> + return stack_map_get_build_id_64(vma, build_id);
> + return -EINVAL;
> +}
