[Midnightbsd-cvs] src [12034] trunk: Insufficient validation was performed in the ELF header parser, and malformed

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Wed Sep 12 09:51:39 EDT 2018 

Revision: 12034
          http://svnweb.midnightbsd.org/src/?rev=12034
Author:   laffer1
Date:     2018-09-12 09:51:38 -0400 (Wed, 12 Sep 2018)
Log Message:
-----------
Insufficient validation was performed in the ELF header parser, and malformed
or otherwise invalid ELF binaries were not rejected as they should be.

Modified Paths:
--------------
    trunk/UPDATING
    trunk/sys/kern/imgact_elf.c
    trunk/sys/kern/vfs_vnops.c

Modified: trunk/UPDATING
===================================================================
--- trunk/UPDATING	2018-09-12 02:32:34 UTC (rev 12033)
+++ trunk/UPDATING	2018-09-12 13:51:38 UTC (rev 12034)
@@ -1,5 +1,11 @@
 Updating Information for MidnightBSD users.
 
+20180912:
+	ELF header security issue
+
+	Insufficient validation was performed in the ELF header parser, and malformed
+	or otherwise invalid ELF binaries were not rejected as they should be.
+
 20180911:
 	Add support for Corsair K70 LUX keyboard.
 

Modified: trunk/sys/kern/imgact_elf.c
===================================================================
--- trunk/sys/kern/imgact_elf.c	2018-09-12 02:32:34 UTC (rev 12033)
+++ trunk/sys/kern/imgact_elf.c	2018-09-12 13:51:38 UTC (rev 12034)
@@ -785,7 +785,8 @@
 			break;
 		case PT_INTERP:
 			/* Path to interpreter */
-			if (phdr[i].p_filesz > MAXPATHLEN) {
+			if (phdr[i].p_filesz < 2 ||
+			    phdr[i].p_filesz > MAXPATHLEN) {
 				uprintf("Invalid PT_INTERP\n");
 				error = ENOEXEC;
 				goto ret;
@@ -815,6 +816,11 @@
 			} else {
 				interp = __DECONST(char *, imgp->image_header) +
 				    phdr[i].p_offset;
+				if (interp[interp_name_len - 1] != '\0') {
+					uprintf("Invalid PT_INTERP\n");
+					error = ENOEXEC;
+					goto ret;
+				}
 			}
 			break;
 		case PT_GNU_STACK:

Modified: trunk/sys/kern/vfs_vnops.c
===================================================================
--- trunk/sys/kern/vfs_vnops.c	2018-09-12 02:32:34 UTC (rev 12033)
+++ trunk/sys/kern/vfs_vnops.c	2018-09-12 13:51:38 UTC (rev 12034)
@@ -511,6 +511,8 @@
 	struct vn_io_fault_args args;
 	int error, lock_flags;
 
+	if (offset < 0 && vp->v_type != VCHR)
+		return (EINVAL);
 	auio.uio_iov = &aiov;
 	auio.uio_iovcnt = 1;
 	aiov.iov_base = base;

More information about the Midnightbsd-cvs mailing list