https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217432
Bug ID: 217432
Summary: kernel's elf_load_file function can read out of bounds
and crash the kernel
Product: Base System
Version: 10.3-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: tim.newsham@nccgroup.trust
The link_elf_load_file function in sys/kern/link_elf.c performs bounds checking
on the program header element in the elf header with this code:
if (!((hdr->e_phentsize == sizeof(Elf_Phdr)) &&
(hdr->e_phoff + hdr->e_phnum*sizeof(Elf_Phdr) <= PAGE_SIZE) &&
(hdr->e_phoff + hdr->e_phnum*sizeof(Elf_Phdr) <= nbytes)))
link_elf_error(filename, "Unreadable program headers");
however, it does not terminate processing at this point and will continue
executing with an out-of-bounds e_phoff. Any offset larger than
(PAGE_SIZE-sizeof Elf_Phdr) will cause out of bounds reads, since only one page
is allocated for the elf object. This will later result in out-of-bounds reads
and potentially a panic. For example if e_phoff is very large, then execution
will crash at the switch statement:
phdr = (Elf_Phdr *) (firstpage + hdr->e_phoff);
phlimit = phdr + hdr->e_phnum;
nsegs = 0;
phdyn = NULL;
phphdr = NULL;
while (phdr < phlimit) {
switch (phdr->p_type) { <---- crash
This issue is not very severe since it requires PRIV_KLD_LOAD to trigger, and
users that have this privilege can force crashes through loading malicious code
into the kernel.
The fix is simple -- terminate further processing of the elf file when
link_elf_error is reported.
--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
