Index: /trunk/include/VBox/sup.h =================================================================== --- /trunk/include/VBox/sup.h (revision 54012) +++ /trunk/include/VBox/sup.h (revision 54013) @@ -1137,4 +1137,16 @@ /** + * Lock down the module loader interface. + * + * This will lock down the module loader interface. No new modules can be + * loaded and all loaded modules can no longer be freed. + * + * @returns VBox status code. + * @param pErrInfo Where to return extended error information. + * Optional. + */ +SUPR3DECL(int) SUPR3LockDownLoader(PRTERRINFO pErrInfo); + +/** * Get the address of a symbol in a ring-0 module. * Index: /trunk/src/VBox/HostDrivers/Support/SUPDrv.c =================================================================== --- /trunk/src/VBox/HostDrivers/Support/SUPDrv.c (revision 54012) +++ /trunk/src/VBox/HostDrivers/Support/SUPDrv.c (revision 54013) @@ -148,4 +148,5 @@ static int supdrvIOCtl_LdrLoad(PSUPDRVDEVEXT pDevExt, PSUPDRVSESSION pSession, PSUPLDRLOAD pReq); static int supdrvIOCtl_LdrFree(PSUPDRVDEVEXT pDevExt, PSUPDRVSESSION pSession, PSUPLDRFREE pReq); +static int supdrvIOCtl_LdrLockDown(PSUPDRVDEVEXT pDevExt); static int supdrvIOCtl_LdrGetSymbol(PSUPDRVDEVEXT pDevExt, PSUPDRVSESSION pSession, PSUPLDRGETSYMBOL pReq); static int supdrvIDC_LdrGetSymbol(PSUPDRVDEVEXT pDevExt, PSUPDRVSESSION pSession, PSUPDRVIDCREQGETSYM pReq); @@ -1710,4 +1711,14 @@ } + case SUP_CTL_CODE_NO_SIZE(SUP_IOCTL_LDR_LOCK_DOWN): + { + /* validate */ + REQ_CHECK_SIZES(SUP_IOCTL_LDR_LOCK_DOWN); + + /* execute */ + pReqHdr->rc = supdrvIOCtl_LdrLockDown(pDevExt); + return 0; + } + case SUP_CTL_CODE_NO_SIZE(SUP_IOCTL_LDR_GET_SYMBOL): { @@ -4557,4 +4568,12 @@ /* (not found - add it!) */ + /* If the loader interface is locked down, make userland fail early */ + if (pDevExt->fLdrLockedDown) + { + supdrvLdrUnlock(pDevExt); + Log(("supdrvIOCtl_LdrOpen: Not adding '%s' to image list, loader interface is locked down!\n", pReq->u.In.szName)); + return VERR_PERMISSION_DENIED; + } + /* * Allocate memory. @@ -4722,4 +4741,12 @@ } + /* If the loader interface is locked down, don't load new images */ + if (pDevExt->fLdrLockedDown) + { + supdrvLdrUnlock(pDevExt); + Log(("SUP_IOCTL_LDR_LOAD: Not loading '%s' image bits, loader interface is locked down!\n", pImage->szName)); + return VERR_PERMISSION_DENIED; + } + switch (pReq->u.In.eEPType) { @@ -4984,4 +5011,26 @@ /** + * Lock down the image loader interface. + * + * @returns IPRT status code. + * @param pDevExt Device globals. + */ +static int supdrvIOCtl_LdrLockDown(PSUPDRVDEVEXT pDevExt) +{ + LogFlow(("supdrvIOCtl_LdrLockDown:\n")); + + supdrvLdrLock(pDevExt); + if (!pDevExt->fLdrLockedDown) + { + pDevExt->fLdrLockedDown = true; + Log(("supdrvIOCtl_LdrLockDown: Image loader interface locked down\n")); + } + supdrvLdrUnlock(pDevExt); + + return VINF_SUCCESS; +} + + +/** * Gets the address of a symbol in an open image. * @@ -5252,4 +5301,11 @@ PSUPDRVLDRIMAGE pImagePrev; LogFlow(("supdrvLdrFree: pImage=%p\n", pImage)); + + /* + * Warn if we're releasing images while the image loader interface is + * locked down -- we won't be able to reload them! + */ + if (pDevExt->fLdrLockedDown) + Log(("supdrvLdrFree: Warning: unloading '%s' image, while loader interface is locked down!\n", pImage->szName)); /* find it - arg. should've used doubly linked list. */ Index: /trunk/src/VBox/HostDrivers/Support/SUPDrvIOC.h =================================================================== --- /trunk/src/VBox/HostDrivers/Support/SUPDrvIOC.h (revision 54012) +++ /trunk/src/VBox/HostDrivers/Support/SUPDrvIOC.h (revision 54013) @@ -215,5 +215,5 @@ * - (none). */ -#define SUPDRV_IOC_VERSION 0x001d0000 +#define SUPDRV_IOC_VERSION 0x001d0001 /** SUP_IOCTL_COOKIE. */ @@ -480,4 +480,15 @@ +/** @name SUP_IOCTL_LDR_LOCK_DOWN + * Lock down the image loader interface. + * @{ + */ +#define SUP_IOCTL_LDR_LOCK_DOWN SUP_CTL_CODE_SIZE(38, SUP_IOCTL_LDR_LOCK_DOWN_SIZE) +#define SUP_IOCTL_LDR_LOCK_DOWN_SIZE sizeof(SUPREQHDR) +#define SUP_IOCTL_LDR_LOCK_DOWN_SIZE_IN sizeof(SUPREQHDR) +#define SUP_IOCTL_LDR_LOCK_DOWN_SIZE_OUT sizeof(SUPREQHDR) +/** @} */ + + /** @name SUP_IOCTL_LDR_GET_SYMBOL * Get address of a symbol within an image. Index: /trunk/src/VBox/HostDrivers/Support/SUPDrvInternal.h =================================================================== --- /trunk/src/VBox/HostDrivers/Support/SUPDrvInternal.h (revision 54012) +++ /trunk/src/VBox/HostDrivers/Support/SUPDrvInternal.h (revision 54013) @@ -610,4 +610,6 @@ /** Linked list of loaded code. */ PSUPDRVLDRIMAGE volatile pLdrImages; + /** Set if the image loading interface got disabled after loading all needed images */ + bool fLdrLockedDown; /** @name These members for detecting whether an API caller is in ModuleInit. Index: /trunk/src/VBox/HostDrivers/Support/SUPLib.cpp =================================================================== --- /trunk/src/VBox/HostDrivers/Support/SUPLib.cpp (revision 54012) +++ /trunk/src/VBox/HostDrivers/Support/SUPLib.cpp (revision 54013) @@ -279,6 +279,6 @@ strcpy(CookieReq.u.In.szMagic, SUPCOOKIE_MAGIC); CookieReq.u.In.u32ReqVersion = SUPDRV_IOC_VERSION; - const uint32_t uMinVersion = (SUPDRV_IOC_VERSION & 0xffff0000) == 0x001c0000 - ? 0x001c0001 + const uint32_t uMinVersion = (SUPDRV_IOC_VERSION & 0xffff0000) == 0x001d0000 + ? 0x001d0001 : SUPDRV_IOC_VERSION & 0xffff0000; CookieReq.u.In.u32MinVersion = uMinVersion; @@ -1038,4 +1038,29 @@ +SUPR3DECL(int) SUPR3LockDownLoader(PRTERRINFO pErrInfo) +{ + /* fake */ + if (RT_UNLIKELY(g_uSupFakeMode)) + return VINF_SUCCESS; + + /* + * Lock down the module loader interface. + */ + SUPREQHDR ReqHdr; + ReqHdr.u32Cookie = g_u32Cookie; + ReqHdr.u32SessionCookie = g_u32SessionCookie; + ReqHdr.cbIn = SUP_IOCTL_LDR_LOCK_DOWN_SIZE_IN; + ReqHdr.cbOut = SUP_IOCTL_LDR_LOCK_DOWN_SIZE_OUT; + ReqHdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; + ReqHdr.rc = VERR_INTERNAL_ERROR; + int rc = suplibOsIOCtl(&g_supLibData, SUP_IOCTL_LDR_LOCK_DOWN, &ReqHdr, SUP_IOCTL_LDR_LOCK_DOWN_SIZE); + if (RT_FAILURE(rc)) + return RTErrInfoSetF(pErrInfo, rc, + "SUPR3LockDownLoader: SUP_IOCTL_LDR_LOCK_DOWN ioctl returned %Rrc", rc); + + return ReqHdr.rc; +} + + /** * Fallback for SUPR3PageAllocEx on systems where RTR0MemObjPhysAllocNC isn't Index: /trunk/src/VBox/VMM/tools/VBoxVMMPreload.cpp =================================================================== --- /trunk/src/VBox/VMM/tools/VBoxVMMPreload.cpp (revision 54012) +++ /trunk/src/VBox/VMM/tools/VBoxVMMPreload.cpp (revision 54013) @@ -52,4 +52,5 @@ static uint32_t g_cVerbose = 1; +static bool g_fLockDown = false; @@ -71,4 +72,5 @@ { "--only", 'o', RTGETOPT_REQ_STRING }, { "--quiet", 'q', RTGETOPT_REQ_NOTHING }, + { "--lock" , 'l', RTGETOPT_REQ_NOTHING }, { "--verbose", 'v', RTGETOPT_REQ_NOTHING }, }; @@ -115,4 +117,8 @@ break; + case 'l': + g_fLockDown = true; + break; + case 'h': RTPrintf(VBOX_PRODUCT " VMM ring-0 Module Preloader Version " VBOX_VERSION_STRING @@ -120,5 +126,5 @@ "All rights reserved.\n" "\n" - "Usage: VBoxVMMPreload [-hqvV] [-o|--only ]\n" + "Usage: VBoxVMMPreload [-hlqvV] [-o|--only ]\n" "\n"); *pfExit = true; @@ -145,4 +151,6 @@ static RTEXITCODE LoadModules(void) { + RTERRINFOSTATIC ErrInfo; + for (uint32_t i = 0; i < RT_ELEMENTS(g_aModules); i++) { @@ -156,5 +164,4 @@ return RTMsgErrorExit(RTEXITCODE_FAILURE, "RTPathAppPrivateArch or RTPathAppend returned %Rrc", rc); - RTERRINFOSTATIC ErrInfo; RTErrInfoInitStatic(&ErrInfo); rc = SUPR3LoadModule(szPath, g_aModules[i].pszName, &g_aModules[i].pvImageBase, &ErrInfo.Core); @@ -167,4 +174,15 @@ } + if (g_fLockDown) + { + RTErrInfoInitStatic(&ErrInfo); + int rc = SUPR3LockDownLoader(&ErrInfo.Core); + if (RT_FAILURE(rc)) + return RTMsgErrorExit(RTEXITCODE_FAILURE, "SUPR3LockDownLoader failed: %s (rc=%Rrc)", + ErrInfo.Core.pszMsg, rc); + if (g_cVerbose >= 1) + RTMsgInfo("Locked down module loader interface!\n"); + } + RTStrmFlush(g_pStdOut); return RTEXITCODE_SUCCESS;