The branch main has been updated by jrtc27: URL: https://cgit.FreeBSD.org/src/commit/?id=5d58198ccc2b562098ee5fc4898013622b32b065
commit 5d58198ccc2b562098ee5fc4898013622b32b065 Author: Jessica Clarke <[email protected]> AuthorDate: 2025-12-08 13:01:57 +0000 Commit: Jessica Clarke <[email protected]> CommitDate: 2025-12-08 13:01:57 +0000 imgact_elf: Fix off-by-one in note size check Prior to c86af2cc4cd1 ("imgact_elf: Check note body sizes"), this was note_name + n_namesz >= note_end, which checks that there is at least one byte after the unpadded name (which could be either padding or data), and given our notes always have data with them this was fine. However, once we started checking the padded name (note that "FreeBSD\0" is already a multiple of 4 bytes, so has no padding) and data, this turned into checking that there is at least one byte after the unpadded data, and since our ELF notes already have a multiple of 4 bytes for their data and therefore have no padding, this means that we are now checking that there is at least one byte after the ELF note, which is not going to be the case for the last ELF note. Instead, switch this to a strict greater than, as should be used when comparing one-past-the-end pointers, which both sides of the inequality are. For executables, this was generally not a problem in reality, since the last of our ELF notes is NT_FREEBSD_NOINIT_TAG, which isn't read by the kernel. However, ld-elf.so.1 (and libcompat variants), like shared libraries, only has NT_FREEBSD_ABI_TAG, which meant the kernel did not see this ELF note when directly executing it (e.g. as done by ldd), and on RISC-V this is the only branding present, so doing so would fail with ENOEXEC. This does also mean on non-RISC-V direct exec ld-elf.so.1 runs with the wrong p_osrel, but given it sets kern.proc.osrel.PID to the executable's NT_FREEBSD_ABI_TAG that it loads, this probably doesn't matter in practice. PR: 291446 Reported by: bdragon Tested by: bdragon Fixes: c86af2cc4cd1 ("imgact_elf: Check note body sizes") MFC after: 3 days --- sys/kern/imgact_elf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c index 779158b41221..f1d848e95f18 100644 --- a/sys/kern/imgact_elf.c +++ b/sys/kern/imgact_elf.c @@ -2840,7 +2840,7 @@ __elfN(parse_notes)(const struct image_params *imgp, const Elf_Note *checknote, goto nextnote; note_name = (const char *)(note + 1); if (note_name + roundup2(note->n_namesz, ELF_NOTE_ROUNDSIZE) + - note->n_descsz >= (const char *)note_end || + note->n_descsz > (const char *)note_end || strncmp(note_vendor, note_name, checknote->n_namesz) != 0) goto nextnote;
