A specially-crafted binary could easily control a kernel array index.
Add some checks to ensure that nothing will be read outside the allocated area. Rewrite the code so that we don't need to allocate the whole section. Spotted by several developers, patch from chs@/enami@
This commit is contained in:
parent
532bc286ec
commit
c1cf2f47fb
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: linux_exec_elf32.c,v 1.90 2014/02/23 11:09:42 njoly Exp $ */
|
||||
/* $NetBSD: linux_exec_elf32.c,v 1.91 2014/04/15 17:29:00 maxv Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 1995, 1998, 2000, 2001 The NetBSD Foundation, Inc.
|
||||
@ -35,7 +35,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: linux_exec_elf32.c,v 1.90 2014/02/23 11:09:42 njoly Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: linux_exec_elf32.c,v 1.91 2014/04/15 17:29:00 maxv Exp $");
|
||||
|
||||
#ifndef ELFSIZE
|
||||
/* XXX should die */
|
||||
@ -92,50 +92,43 @@ ELFNAME2(linux,atexit_signature)(
|
||||
struct exec_package *epp,
|
||||
Elf_Ehdr *eh)
|
||||
{
|
||||
Elf_Shdr *sh;
|
||||
size_t shsize;
|
||||
int strndx;
|
||||
u_int shstrndx;
|
||||
size_t i;
|
||||
static const char signature[] = "__libc_atexit";
|
||||
char *strtable = NULL;
|
||||
Elf_Shdr *sh;
|
||||
|
||||
const size_t sigsz = sizeof(signature);
|
||||
char tbuf[sizeof(signature)];
|
||||
int error;
|
||||
|
||||
/*
|
||||
* load the section header table
|
||||
*/
|
||||
/* Load the section header table. */
|
||||
shsize = eh->e_shnum * sizeof(Elf_Shdr);
|
||||
sh = (Elf_Shdr *) malloc(shsize, M_TEMP, M_WAITOK);
|
||||
error = exec_read_from(l, epp->ep_vp, eh->e_shoff, sh, shsize);
|
||||
if (error)
|
||||
goto out;
|
||||
|
||||
/*
|
||||
* Now let's find the string table. If it does not exists, give up.
|
||||
*/
|
||||
strndx = (int)(eh->e_shstrndx);
|
||||
if (strndx == SHN_UNDEF) {
|
||||
/* Now let's find the string table. If it does not exist, give up. */
|
||||
shstrndx = eh->e_shstrndx;
|
||||
if (shstrndx == SHN_UNDEF || shstrndx >= eh->e_shnum) {
|
||||
error = ENOEXEC;
|
||||
goto out;
|
||||
}
|
||||
|
||||
/*
|
||||
* strndx is the index in section header table of the string table
|
||||
* section get the whole string table in strtable, and then we get access to the names
|
||||
* s->sh_name is the offset of the section name in strtable.
|
||||
*/
|
||||
strtable = malloc(sh[strndx].sh_size, M_TEMP, M_WAITOK);
|
||||
error = exec_read_from(l, epp->ep_vp, sh[strndx].sh_offset, strtable,
|
||||
sh[strndx].sh_size);
|
||||
if (error)
|
||||
goto out;
|
||||
|
||||
/* Check if any section has the name we're looking for. */
|
||||
const off_t stroff = sh[shstrndx].sh_offset;
|
||||
for (i = 0; i < eh->e_shnum; i++) {
|
||||
Elf_Shdr *s = &sh[i];
|
||||
if (!memcmp((void*)(&(strtable[s->sh_name])), signature,
|
||||
sizeof(signature))) {
|
||||
DPRINTF(("linux_atexit_sig=%s\n",
|
||||
&(strtable[s->sh_name])));
|
||||
|
||||
if (s->sh_name + sigsz > sh[shstrndx].sh_size)
|
||||
continue;
|
||||
|
||||
error = exec_read_from(l, epp->ep_vp, stroff + s->sh_name, tbuf,
|
||||
sigsz);
|
||||
if (error)
|
||||
goto out;
|
||||
if (!memcmp(tbuf, signature, sigsz)) {
|
||||
DPRINTF(("linux_atexit_sig=%s\n", tbuf));
|
||||
error = 0;
|
||||
goto out;
|
||||
}
|
||||
@ -144,8 +137,6 @@ ELFNAME2(linux,atexit_signature)(
|
||||
|
||||
out:
|
||||
free(sh, M_TEMP);
|
||||
if (strtable)
|
||||
free(strtable, M_TEMP);
|
||||
return (error);
|
||||
}
|
||||
#endif
|
||||
@ -219,56 +210,48 @@ out:
|
||||
|
||||
#ifdef LINUX_DEBUGLINK_SIGNATURE
|
||||
/*
|
||||
* Look for a .gnu_debuglink, specific to x86_64 interpeter
|
||||
* Look for a .gnu_debuglink, specific to x86_64 interpreter
|
||||
*/
|
||||
int
|
||||
ELFNAME2(linux,debuglink_signature)(struct lwp *l, struct exec_package *epp, Elf_Ehdr *eh)
|
||||
{
|
||||
Elf_Shdr *sh;
|
||||
size_t shsize;
|
||||
int strndx;
|
||||
u_int shstrndx;
|
||||
size_t i;
|
||||
static const char signature[] = ".gnu_debuglink";
|
||||
char *strtable = NULL;
|
||||
Elf_Shdr *sh;
|
||||
|
||||
const size_t sigsz = sizeof(signature);
|
||||
char tbuf[sizeof(signature)];
|
||||
int error;
|
||||
|
||||
/*
|
||||
* load the section header table
|
||||
*/
|
||||
/* Load the section header table. */
|
||||
shsize = eh->e_shnum * sizeof(Elf_Shdr);
|
||||
sh = (Elf_Shdr *) malloc(shsize, M_TEMP, M_WAITOK);
|
||||
error = exec_read_from(l, epp->ep_vp, eh->e_shoff, sh, shsize);
|
||||
if (error)
|
||||
goto out;
|
||||
|
||||
/*
|
||||
* Now let's find the string table. If it does not exists, give up.
|
||||
*/
|
||||
strndx = (int)(eh->e_shstrndx);
|
||||
if (strndx == SHN_UNDEF) {
|
||||
/* Now let's find the string table. If it does not exist, give up. */
|
||||
shstrndx = eh->e_shstrndx;
|
||||
if (shstrndx == SHN_UNDEF || shstrndx >= eh->e_shnum) {
|
||||
error = ENOEXEC;
|
||||
goto out;
|
||||
}
|
||||
|
||||
/*
|
||||
* strndx is the index in section header table of the string table
|
||||
* section get the whole string table in strtable, and then we get access to the names
|
||||
* s->sh_name is the offset of the section name in strtable.
|
||||
*/
|
||||
strtable = malloc(sh[strndx].sh_size, M_TEMP, M_WAITOK);
|
||||
error = exec_read_from(l, epp->ep_vp, sh[strndx].sh_offset, strtable,
|
||||
sh[strndx].sh_size);
|
||||
if (error)
|
||||
goto out;
|
||||
|
||||
/* Check if any section has the name we're looking for. */
|
||||
const off_t stroff = sh[shstrndx].sh_offset;
|
||||
for (i = 0; i < eh->e_shnum; i++) {
|
||||
Elf_Shdr *s = &sh[i];
|
||||
|
||||
if (!memcmp((void*)(&(strtable[s->sh_name])), signature,
|
||||
sizeof(signature))) {
|
||||
DPRINTF(("linux_debuglink_sig=%s\n",
|
||||
&(strtable[s->sh_name])));
|
||||
if (s->sh_name + sigsz > sh[shstrndx].sh_size)
|
||||
continue;
|
||||
|
||||
error = exec_read_from(l, epp->ep_vp, stroff + s->sh_name, tbuf,
|
||||
sigsz);
|
||||
if (error)
|
||||
goto out;
|
||||
if (!memcmp(tbuf, signature, sigsz)) {
|
||||
DPRINTF(("linux_debuglink_sig=%s\n", tbuf));
|
||||
error = 0;
|
||||
goto out;
|
||||
}
|
||||
@ -277,8 +260,6 @@ ELFNAME2(linux,debuglink_signature)(struct lwp *l, struct exec_package *epp, Elf
|
||||
|
||||
out:
|
||||
free(sh, M_TEMP);
|
||||
if (strtable)
|
||||
free(strtable, M_TEMP);
|
||||
return (error);
|
||||
}
|
||||
#endif
|
||||
@ -340,7 +321,7 @@ ELFNAME2(linux,signature)(struct lwp *l, struct exec_package *epp, Elf_Ehdr *eh,
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Check for certain intepreter names. */
|
||||
/* Check for certain interpreter names. */
|
||||
if (itp) {
|
||||
if (!strncmp(itp, "/lib/ld-linux", 13) ||
|
||||
#if (ELFSIZE == 64)
|
||||
|
Loading…
Reference in New Issue
Block a user