Changeset 74656 in vbox

Timestamp:

Oct 7, 2018 6:28:21 PM (7 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

125548

Message:

IPRT/ldr: Working on parsing Mach-O code signing structures... bugref:9232

Location:

trunk

Files:

• include/iprt/err.h (modified) (2 diffs)
• src/VBox/Runtime/common/asn1/asn1-cursor.cpp (modified) (1 diff)
• src/VBox/Runtime/common/ldr/ldrMachO.cpp (modified) (11 diffs)

trunk/include/iprt/err.h

@@ -2340 +2340 @@
 #define VERR_ASN1_CURSOR_BAD_LENGTH_ENCODING        (-22831)
 /** Indefinite length form is against the rules. */
-#define VERR_ASN1_CURSOR_ILLEGAL_IDEFINITE_LENGTH   (-22832)
-/** Indefinite length form is not implemented. */
-#define VERR_ASN1_CURSOR_IDEFINITE_LENGTH_NOT_SUP   (-22833)
+#define VERR_ASN1_CURSOR_ILLEGAL_INDEFINITE_LENGTH  (-22832)
+/** Malformed indefinite length encoding. */
+#define VERR_ASN1_CURSOR_BAD_INDEFINITE_LENGTH      (-22833)
 /** ASN.1 object length goes beyond the end of the byte stream being decoded. */
 #define VERR_ASN1_CURSOR_BAD_LENGTH                 (-22834)
@@ -2471 +2471 @@
 /** Image hash mismatch. */
 #define VERR_LDRVI_IMAGE_HASH_MISMATCH              (-22929)
+/** Malformed code signing structure. */
+#define VERR_LDRVI_BAD_CERT_FORMAT                  (-22930)
 
 /** Cannot resolve symbol because it's a forwarder. */

trunk/src/VBox/Runtime/common/asn1/asn1-cursor.cpp

@@ -314 +314 @@
             /* Indefinite form. */
             else if (pCursor->fFlags & RTASN1CURSOR_FLAGS_DER)
-                return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_ILLEGAL_IDEFINITE_LENGTH,
+                return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_ILLEGAL_INDEFINITE_LENGTH,
                                            "%s: Indefinite length form not allowed in DER mode (uTag=%#x).", pszErrorTag, uTag);
+            else if (pCursor->cbLeft < 2)
+                return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_BAD_INDEFINITE_LENGTH,
+                                           "%s: Too little data left for indefinite BER/CER encoding (uTag=%#x)", pszErrorTag, uTag);
             else
-                return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_IDEFINITE_LENGTH_NOT_SUP,
-                                           "%s: Indefinite BER/CER length not supported (uTag=%#x)", pszErrorTag, uTag);
+            {
+                /* Search forward till we find the two terminating zero bytes. */
+                cb = 0;
+                for (;;)
+                {
+                    uint8_t const *pb = (uint8_t const *)memchr(&pCursor->pbCur[cb], 0x00, pCursor->cbLeft - cb - 1);
+                    if (pb && pb[1] == 0x00)
+                    {
+                        cb = &pb[2] - pCursor->pbCur;
+                        break;
+                    }
+                    if (!pb)
+                        return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_BAD_INDEFINITE_LENGTH,
+                                                   "%s: Could not find end of indefinite BER/CER record (uTag=%#x)", pszErrorTag, uTag);
+                    cb = &pb[1] - pCursor->pbCur;
+                }
+            }
         }
 

trunk/src/VBox/Runtime/common/ldr/ldrMachO.cpp

@@ -5 +5 @@
 
 /*
+ * Copyright (C) 2018 Oracle Corporation
+ *
+ * This file is part of VirtualBox Open Source Edition (OSE), as
+ * available from http://www.virtualbox.org. This file is free software;
+ * you can redistribute it and/or modify it under the terms of the GNU
+ * General Public License (GPL) as published by the Free Software
+ * Foundation, in version 2 as it comes in the "COPYING" file of the
+ * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
+ * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
+ * --------------------------------------------------------------------
+ *
+ * This code is based on:
+ *
  * Copyright (c) 2006-2013 Knut St. Osmundsen <[email protected]>
  *
@@ -45 +58 @@
 
 #include <iprt/formats/mach-o.h>
+#include <iprt/crypto/applecodesign.h>
 #include "internal/ldr.h"
 
@@ -201 +215 @@
     uint8_t                 abImageUuid[16];
 
+    /** The code signature offset.   */
+    uint32_t                offCodeSignature;
+    /** The code signature size (0 if not signed). */
+    uint32_t                cbCodeSignature;
+    /** Pointer to the code signature blob if loaded. */
+    union
+    {
+        uint8_t                *pb;
+        PCRTCRAPLCSSUPERBLOB    pSuper;
+    }                       PtrCodeSignature;
+
     /** The RVA of the Global Offset Table. */
     RTLDRADDR               GotRVA;
@@ -228 +253 @@
 
 
-static int  kldrModMachOPreParseLoadCommands(uint8_t *pbLoadCommands, const mach_header_32_t *pHdr, PRTLDRREADER pRdr, RTFOFF   offImage,
+static int  kldrModMachOPreParseLoadCommands(uint8_t *pbLoadCommands, const mach_header_32_t *pHdr, PRTLDRREADER pRdr, RTFOFF offImage,
                                              uint32_t fOpenFlags, uint32_t *pcSegments, uint32_t *pcSections, uint32_t *pcbStringPool,
                                              bool *pfCanLoad, PRTLDRADDR pLinkAddress, uint8_t *puEffFileType, PRTERRINFO pErrInfo);
@@ -467 +492 @@
     pThis->pchStrings = NULL;
     memset(pThis->abImageUuid, 0, sizeof(pThis->abImageUuid));
+    pThis->offCodeSignature = 0;
+    pThis->cbCodeSignature = 0;
+    pThis->PtrCodeSignature.pb = NULL;
     pThis->GotRVA = NIL_RTLDRADDR;
     pThis->JmpStubsRVA = NIL_RTLDRADDR;
@@ -1074 +1102 @@
     union
     {
-        const uint8_t              *pb;
-        const load_command_t       *pLoadCmd;
-        const segment_command_32_t *pSeg32;
-        const segment_command_64_t *pSeg64;
-        const symtab_command_t     *pSymTab;
-        const uuid_command_t       *pUuid;
+        const uint8_t                 *pb;
+        const load_command_t          *pLoadCmd;
+        const segment_command_32_t    *pSeg32;
+        const segment_command_64_t    *pSeg64;
+        const symtab_command_t        *pSymTab;
+        const uuid_command_t          *pUuid;
+        const linkedit_data_command_t *pData;
     } u;
     uint32_t cLeft = pThis->Hdr.ncmds;
@@ -1275 +1304 @@
                 break;
 
+            case LC_CODE_SIGNATURE:
+                pThis->offCodeSignature = u.pData->dataoff;
+                pThis->cbCodeSignature  = u.pData->datasize;
+                break;
+
             default:
                 break;
@@ -1443 +1477 @@
     RTMemFree(pThis->pvaSymbols);
     pThis->pvaSymbols = NULL;
+    RTMemFree(pThis->PtrCodeSignature.pb);
+    pThis->PtrCodeSignature.pb = NULL;
 
     return VINF_SUCCESS;
@@ -3757 +3793 @@
 
 
+/**
+ * Loads the code signing blob if necessary (RTLDRMODMACHO::PtrCodeSignature).
+ *
+ * @returns IPRT status code.
+ * @param   pThis               The mach-o instance.
+ */
+static int rtldrMachO_LoadSignatureBlob(PRTLDRMODMACHO pThis)
+{
+    Assert(pThis->cbCodeSignature > 0);
+    if (pThis->PtrCodeSignature.pb != NULL)
+        return VINF_SUCCESS;
+
+    if (   pThis->cbCodeSignature > sizeof(RTCRAPLCSHDR)
+        && pThis->cbCodeSignature <= _1M)
+    {
+        /* Allocate and read. */
+        void *pv = RTMemAllocZ(RT_ALIGN_Z(pThis->cbCodeSignature, 16));
+        AssertReturn(pv, VERR_NO_MEMORY);
+        int rc = pThis->Core.pReader->pfnRead(pThis->Core.pReader, pv, pThis->cbCodeSignature, pThis->offCodeSignature);
+        if (RT_SUCCESS(rc))
+        {
+            /* Check blob signature. */
+            PCRTCRAPLCSSUPERBLOB pSuper = (PCRTCRAPLCSSUPERBLOB)pv;
+            if (pSuper->Hdr.uMagic == RTCRAPLCS_MAGIC_EMBEDDED_SIGNATURE)
+            {
+                uint32_t cbHdr  = RT_BE2H_U32(pSuper->Hdr.cb);
+                uint32_t cSlots = RT_BE2H_U32(pSuper->cSlots);
+                if (   cbHdr  <= pThis->cbCodeSignature
+                    && cbHdr  >  RT_UOFFSETOF(RTCRAPLCSSUPERBLOB, aSlots)
+                    && cSlots >  0
+                    && cSlots <  128
+                    && RT_UOFFSETOF_DYN(RTCRAPLCSSUPERBLOB, aSlots[cSlots]) <= cbHdr)
+                {
+                    pThis->PtrCodeSignature.pSuper = pSuper;
+                    return VINF_SUCCESS;
+                }
+                rc = VERR_LDRVI_BAD_CERT_HDR_LENGTH;
+            }
+            else
+                rc = VERR_LDRVI_BAD_CERT_HDR_TYPE;
+        }
+        RTMemFree(pv);
+        return rc;
+    }
+    return VERR_LDRVI_INVALID_SECURITY_DIR_ENTRY;
+}
+
+
+/**
+ * Handles a RTLDRPROP_PKCS7_SIGNED_DATA query.
+ */
+static int rtldrMachO_QueryPkcs7SignedData(PRTLDRMODMACHO pThis, void *pvBuf, size_t cbBuf, size_t *pcbRet)
+{
+    int rc = rtldrMachO_LoadSignatureBlob(pThis);
+    if (RT_SUCCESS(rc))
+    {
+        /*
+         * Locate the signature slot.
+         */
+        uint32_t            iSlot = RT_BE2H_U32(pThis->PtrCodeSignature.pSuper->cSlots);
+        PCRTCRAPLCSBLOBSLOT pSlot = &pThis->PtrCodeSignature.pSuper->aSlots[iSlot];
+        while (iSlot-- > 0)
+        {
+            pSlot--;
+            if (pSlot->uType == RTCRAPLCS_SLOT_SIGNATURE)
+            {
+                /*
+                 * Validate the data offset.
+                 */
+                uint32_t offData = RT_BE2H_U32(pSlot->offData);
+                if (   offData < pThis->cbCodeSignature - sizeof(RTCRAPLCSHDR)
+                    || !(offData & 3) )
+                {
+                    /*
+                     * The data is prefixed by a header with magic set to blob wrapper.
+                     * Check that the size is within the bounds of the code signing blob.
+                     */
+                    PCRTCRAPLCSHDR pHdr = (PCRTCRAPLCSHDR)&pThis->PtrCodeSignature.pb[offData];
+                    if (pHdr->uMagic == RTCRAPLCS_MAGIC_BLOBWRAPPER)
+                    {
+                        uint32_t cbData = RT_BE2H_U32(pHdr->cb);
+                        uint32_t cbMax  = pThis->cbCodeSignature - offData ;
+                        if (   cbData <= cbMax
+                            && cbData > sizeof(RTCRAPLCSHDR))
+                        {
+                            /*
+                             * Copy out the requirest data.
+                             */
+                            *pcbRet = cbData;
+                            if (cbData <= cbBuf)
+                            {
+                                memcpy(pvBuf, pHdr + 1, cbData);
+                                return VINF_SUCCESS;
+                            }
+                            memcpy(pvBuf, pHdr + 1, cbBuf);
+                            return VERR_BUFFER_OVERFLOW;
+                        }
+                    }
+                }
+                return VERR_LDRVI_BAD_CERT_FORMAT;
+            }
+        }
+        rc = VERR_NOT_FOUND;
+    }
+    return rc;
+}
+
+
 /** @interface_method_impl{RTLDROPS,pfnQueryProp} */
 static DECLCALLBACK(int) rtldrMachO_QueryProp(PRTLDRMODINTERNAL pMod, RTLDRPROP enmProp, void const *pvBits,
                                               void *pvBuf, size_t cbBuf, size_t *pcbRet)
 {
-    PRTLDRMODMACHO pThis = RT_FROM_MEMBER(pMod, RTLDRMODMACHO, Core);
-    int           rc;
+    PRTLDRMODMACHO  pThis = RT_FROM_MEMBER(pMod, RTLDRMODMACHO, Core);
+    int             rc    = VERR_NOT_FOUND;
     switch (enmProp)
     {
@@ -3771 +3915 @@
                 *pcbRet = sizeof(pThis->abImageUuid);
                 memcpy(pvBuf, pThis->abImageUuid, sizeof(pThis->abImageUuid));
-                rc = VINF_SUCCESS;
+                return VINF_SUCCESS;
             }
+            break;
+
+        case RTLDRPROP_FILE_OFF_HEADER:
+            Assert(cbBuf == sizeof(uint32_t) || cbBuf == sizeof(uint64_t));
+            if (cbBuf == sizeof(uint32_t))
+                *(uint32_t *)pvBuf = pThis->offImage;
             else
-                rc = VERR_NOT_FOUND;
+                *(uint64_t *)pvBuf = pThis->offImage;
+            return VINF_SUCCESS;
+
+        case RTLDRPROP_IS_SIGNED:
+            Assert(cbBuf == sizeof(bool));
+            Assert(*pcbRet == cbBuf);
+            *(bool *)pvBuf = pThis->cbCodeSignature > 0;
+            return VINF_SUCCESS;
+
+        case RTLDRPROP_PKCS7_SIGNED_DATA:
+            if (pThis->cbCodeSignature > 0)
+                return rtldrMachO_QueryPkcs7SignedData(pThis, pvBuf, cbBuf, pcbRet);
             break;
+
 
 #if 0 /** @todo return LC_ID_DYLIB */
@@ -3782 +3944 @@
 
         default:
-            rc = VERR_NOT_FOUND;
             break;
     }