[Midnightbsd-cvs] src [7847] trunk/sys/kern/imgact_elf.c: fix several reads beyond the mapped first page of the binary in the ELF parser.
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Wed Sep 14 11:46:23 EDT 2016
Revision: 7847
http://svnweb.midnightbsd.org/src/?rev=7847
Author: laffer1
Date: 2016-09-14 11:46:23 -0400 (Wed, 14 Sep 2016)
Log Message:
-----------
fix several reads beyond the mapped first page of the binary in the ELF parser.
Modified Paths:
--------------
trunk/sys/kern/imgact_elf.c
Modified: trunk/sys/kern/imgact_elf.c
===================================================================
--- trunk/sys/kern/imgact_elf.c 2016-09-14 15:41:16 UTC (rev 7846)
+++ trunk/sys/kern/imgact_elf.c 2016-09-14 15:46:23 UTC (rev 7847)
@@ -29,7 +29,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$MidnightBSD: src/sys/kern/imgact_elf.c,v 1.178.2.2.2.1 2008/01/19 18:15:05 kib Exp $");
+__FBSDID("$MidnightBSD$");
#include "opt_capsicum.h"
#include "opt_compat.h"
@@ -83,7 +83,7 @@
static int __elfN(check_header)(const Elf_Ehdr *hdr);
static Elf_Brandinfo *__elfN(get_brandinfo)(struct image_params *imgp,
- const char *interp, int32_t *osrel);
+ const char *interp, int interp_name_len, int32_t *osrel);
static int __elfN(load_file)(struct proc *p, const char *file, u_long *addr,
u_long *entry, size_t pagesize);
static int __elfN(load_section)(struct vmspace *vmspace, vm_object_t object,
@@ -244,7 +244,7 @@
static Elf_Brandinfo *
__elfN(get_brandinfo)(struct image_params *imgp, const char *interp,
- int32_t *osrel)
+ int interp_name_len, int32_t *osrel)
{
const Elf_Ehdr *hdr = (const Elf_Ehdr *)imgp->image_header;
Elf_Brandinfo *bi;
@@ -290,7 +290,10 @@
if (bi == NULL || bi->flags & BI_BRAND_NOTE_MANDATORY)
continue;
if (hdr->e_machine == bi->machine &&
- strcmp(interp, bi->interp_path) == 0)
+ /* ELF image p_filesz includes terminating zero */
+ strlen(bi->interp_path) + 1 == interp_name_len &&
+ strncmp(interp, bi->interp_path, interp_name_len)
+ == 0)
return (bi);
}
}
@@ -712,7 +715,7 @@
u_long seg_size, seg_addr;
u_long addr, baddr, et_dyn_addr, entry = 0, proghdr = 0;
int32_t osrel = 0;
- int error = 0, i, n;
+ int error = 0, i, n, interp_name_len = 0;
const char *interp = NULL, *newinterp = NULL;
Elf_Brandinfo *brand_info;
char *path;
@@ -753,9 +756,11 @@
case PT_INTERP:
/* Path to interpreter */
if (phdr[i].p_filesz > MAXPATHLEN ||
- phdr[i].p_offset + phdr[i].p_filesz > PAGE_SIZE)
+ phdr[i].p_offset >= PAGE_SIZE ||
+ phdr[i].p_offset + phdr[i].p_filesz >= PAGE_SIZE)
return (ENOEXEC);
interp = imgp->image_header + phdr[i].p_offset;
+ interp_name_len = phdr[i].p_filesz;
break;
case PT_GNU_STACK:
if (__elfN(nxstack))
@@ -765,7 +770,8 @@
}
}
- brand_info = __elfN(get_brandinfo)(imgp, interp, &osrel);
+ brand_info = __elfN(get_brandinfo)(imgp, interp, interp_name_len,
+ &osrel);
if (brand_info == NULL) {
uprintf("ELF binary type \"%u\" not known.\n",
hdr->e_ident[EI_OSABI]);
@@ -1546,6 +1552,7 @@
int i;
if (pnote == NULL || pnote->p_offset >= PAGE_SIZE ||
+ pnote->p_filesz > PAGE_SIZE ||
pnote->p_offset + pnote->p_filesz >= PAGE_SIZE)
return (FALSE);
@@ -1553,7 +1560,8 @@
note_end = (const Elf_Note *)(imgp->image_header +
pnote->p_offset + pnote->p_filesz);
for (i = 0; i < 100 && note >= note0 && note < note_end; i++) {
- if (!aligned(note, Elf32_Addr))
+ if (!aligned(note, Elf32_Addr) || (const char *)note_end -
+ (const char *)note < sizeof(Elf_Note))
return (FALSE);
if (note->n_namesz != checknote->hdr.n_namesz ||
note->n_descsz != checknote->hdr.n_descsz ||
@@ -1560,8 +1568,9 @@
note->n_type != checknote->hdr.n_type)
goto nextnote;
note_name = (const char *)(note + 1);
- if (strncmp(checknote->vendor, note_name,
- checknote->hdr.n_namesz) != 0)
+ if (note_name + checknote->hdr.n_namesz >=
+ (const char *)note_end || strncmp(checknote->vendor,
+ note_name, checknote->hdr.n_namesz) != 0)
goto nextnote;
/*
More information about the Midnightbsd-cvs
mailing list