xref: /openbmc/qemu/tests/multiboot/aout_kludge.S (revision 1a7c00bb3aa4cf5501343fe041e93227ec33e66f)
1/*
2 * Copyright (c) 2018 Kevin Wolf <kwolf@redhat.com>
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining a copy
5 * of this software and associated documentation files (the "Software"), to deal
6 * in the Software without restriction, including without limitation the rights
7 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
8 * copies of the Software, and to permit persons to whom the Software is
9 * furnished to do so, subject to the following conditions:
10 *
11 * The above copyright notice and this permission notice shall be included in
12 * all copies or substantial portions of the Software.
13 *
14 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
17 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
19 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
20 * THE SOFTWARE.
21 */
22
23.section multiboot
24
25#define MB_MAGIC 0x1badb002
26#define MB_FLAGS 0x10000
27#define MB_CHECKSUM -(MB_MAGIC + MB_FLAGS)
28
29.align  4
30.int    MB_MAGIC
31.int    MB_FLAGS
32.int    MB_CHECKSUM
33
34#define LAST_BYTE_VALUE 0xa5
35
36/*
37 * Order of fields in the a.out kludge header fields:
38 *
39 * header_addr
40 * load_addr
41 * load_end_addr
42 * bss_end_addr
43 * entry_addr
44 */
45#if SCENARIO == 1
46/* Well-behaved kernel file with explicit bss_end */
47.int    0x100000
48.int    0x100000
49.int    data_end
50.int    data_end
51.int    _start
52#elif SCENARIO == 2
53/* Well-behaved kernel file with default bss_end */
54.int    0x100000
55.int    0x100000
56.int    data_end
57.int    0
58.int    _start
59#elif SCENARIO == 3
60/* Well-behaved kernel file with default load_end */
61.int    0x100000
62.int    0x100000
63.int    0
64.int    0
65.int    _start
66#elif SCENARIO == 4
67/* Well-behaved kernel file with load_end < data_end and bss > data_end */
68#undef LAST_BYTE_VALUE
69#define LAST_BYTE_VALUE 0
70.int    0x100000
71.int    0x100000
72.int    code_end
73.int    0x140000
74.int    _start
75#elif SCENARIO == 5
76/* header < load */
77.int    0x10000
78.int    0x100000
79.int    data_end
80.int    data_end
81.int    _start
82#elif SCENARIO == 6
83/* load_end < load */
84.int    0x100000
85.int    0x100000
86.int    0x10000
87.int    data_end
88.int    _start
89#elif SCENARIO == 7
90/* header much larger than in reality with default load_end */
91.int    0x80000000
92.int    0x100000
93.int    0
94.int    data_end
95.int    _start
96#elif SCENARIO == 8
97/* bss_end < load_end - load (regression test for CVE-2018-7550) */
98.int    0x100000
99.int    0x100000
100.int    data_end
101.int    code_end
102.int    _start
103#elif SCENARIO == 9
104/* Default load_end_addr, load_addr + kernel_file_size > UINT32_MAX */
105.int    0xfffff000
106.int    0xfffff000
107.int    0
108.int    0xfffff001
109.int    _start
110#else
111#error Invalid SCENARIO
112#endif
113
114.section .text
115.global _start
116_start:
117    xor     %eax, %eax
118
119    cmpb    $LAST_BYTE_VALUE, last_byte
120    je      passed
121    or      $0x1, %eax
122passed:
123
124    /* Test device exit */
125    outl    %eax, $0xf4
126
127    cli
128    hlt
129    jmp .
130code_end:
131
132#if SCENARIO != 8
133.space 8192
134#endif
135
136last_byte:
137.byte 0xa5
138data_end:
139