Konstantin Belousov
2018-Oct-06 18:21 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
On Sat, Oct 06, 2018 at 08:35:26PM +0300, Lena at lena.kiev.ua wrote:
> > Insufficient validation was performed in the ELF header parser, and malformed
> > or otherwise invalid ELF binaries were not rejected as they should be.
>
> What is invalid in the /usr/local/share/google-earth/googleearth-bin
> binary of the port google-earth-7.1.5.1557,3 ?
>
> FreeBSD 11.2-RELEASE-p4 Sep 27 GENERIC i386, the binary:
> https://drive.google.com/file/d/1SgHk8ijSp2F9UcQGlx44psT832TdIEL0/view
>
> ~ $ googleearth
> Invalid PT_INTERP
> exec: ./googleearth-bin: Exec format error
> ~ $ readelf --program-headers /usr/local/share/google-earth/googleearth-bin
>
> Elf file type is EXEC (Executable file)
> Entry point 0x8048650
> There are 8 program headers, starting at offset 52
>
> Program Headers:
>   Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
>   PHDR           0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
>   INTERP         0x000134 0x08048134 0x08048134 0x00011 0x00011 R   0x1
>       [Requesting program interpreter: /lib/ld-linux.so.2]

As you see, the file declares that the file/memory length of the interpreter
name segment is 0x11 == 16 decimal. But the string does not end on
byte 16, which is not NUL. We tighten the checks and do require that
the PT_INTERP string is valid by checking that it is NUL-terminated at the
offset declared by the size.
Konstantin Belousov
2018-Oct-06 18:46 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
On Sat, Oct 06, 2018 at 09:21:04PM +0300, Konstantin Belousov wrote:
> On Sat, Oct 06, 2018 at 08:35:26PM +0300, Lena at lena.kiev.ua wrote:
> > > Insufficient validation was performed in the ELF header parser, and malformed
> > > or otherwise invalid ELF binaries were not rejected as they should be.
> >
> > What is invalid in the /usr/local/share/google-earth/googleearth-bin
> > binary of the port google-earth-7.1.5.1557,3 ?
> >
> > FreeBSD 11.2-RELEASE-p4 Sep 27 GENERIC i386, the binary:
> > https://drive.google.com/file/d/1SgHk8ijSp2F9UcQGlx44psT832TdIEL0/view
> >
> > ~ $ googleearth
> > Invalid PT_INTERP
> > exec: ./googleearth-bin: Exec format error
> > ~ $ readelf --program-headers /usr/local/share/google-earth/googleearth-bin
> >
> > Elf file type is EXEC (Executable file)
> > Entry point 0x8048650
> > There are 8 program headers, starting at offset 52
> >
> > Program Headers:
> >   Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
> >   PHDR           0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
> >   INTERP         0x000134 0x08048134 0x08048134 0x00011 0x00011 R   0x1
> >       [Requesting program interpreter: /lib/ld-linux.so.2]
> As you see, the file declares that the file/memory length of the interpreter
> name segment is 0x11 == 16 decimal. But the string does not end on
> byte 16, which is not NUL. We tighten the checks and do require that
> the PT_INTERP string is valid by checking that it is NUL-terminated at the
> offset declared by the size.

As emaste pointed out, I am off by one, i.e. replace 16 by 17 in the text above.
Dag-Erling Smørgrav
2018-Oct-07 22:31 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
Konstantin Belousov <kostikbel at gmail.com> writes:
> <Lena at lena.kiev.ua> writes:
>> Program Headers:
>>   Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
>>   PHDR           0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
>>   INTERP         0x000134 0x08048134 0x08048134 0x00011 0x00011 R   0x1
>>       [Requesting program interpreter: /lib/ld-linux.so.2]
> As you see, the file declares that the file/memory length of the interpreter
> name segment is 0x11 == 16 decimal. But the string does not end on
> byte 16, which is not NUL. We tighten the checks and do require that
> the PT_INTERP string is valid by checking that it is NUL-terminated at the
> offset declared by the size.

The string isn't just unterminated, though. It's actually longer than the
section. To be precise, "/lib/ld-linux.so.2" is 18 characters long, plus NUL
makes 19. The section is supposed to be 17 bytes long. I don't mind forgiving
a missing NUL, but I'm not comfortable with reading past the end of the
section, and it worries me that Linux doesn't care.

DES
-- 
Dag-Erling Smørgrav - des at des.no
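Added example, not code from the thread and not FreeBSD's own imgact_elf.c: a small C program that makes both points above concrete. It builds a constructed in-memory ELF32 image mirroring the googleearth-bin program header quoted above (one PT_INTERP entry at file offset 0x134; the declared p_filesz is a parameter, while the bytes at that offset are always the full "/lib/ld-linux.so.2" plus NUL, 19 bytes), then validates it two ways: the strict check Konstantin describes, which requires the byte at p_filesz-1 to be NUL, and a lenient but bounded variant that forgives a missing NUL yet never reads past p_filesz. With p_filesz 0x11 the strict check rejects the image; the bounded lenient check accepts it but yields the truncated path "/lib/ld-linux.so.", which is what DES's objection amounts to: the only way to get "/lib/ld-linux.so.2" out of this header is to read beyond the segment. The ELF structs, the status enum and the functions find_interp, build_image and run_case are this example's own names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_INTERP 3
/* ELF32 header and program header, laid out as in the ELF specification. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf32_Ehdr;

typedef struct {
    uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align;
} Elf32_Phdr;

/* Outcomes: path copied; no PT_INTERP; bad ELF header or phdr table; PT_INTERP empty,
 * larger than out, or outside the file; strict mode found no NUL at byte p_filesz-1. */
enum interp_status { INTERP_OK = 0, INTERP_NONE, INTERP_BAD_HDR, INTERP_BAD_SEG, INTERP_UNTERMINATED };

/* Locate PT_INTERP and validate it. Strict mode requires the last declared byte of the
 * segment to be NUL. Lenient mode forgives a missing NUL but still bounds the read by
 * p_filesz, so an overlong string comes back truncated, never read from past its segment. */
enum interp_status find_interp(const unsigned char *img, size_t len, int strict,
                               char *out, size_t outlen)
{
    Elf32_Ehdr eh; Elf32_Phdr ph;
    if (len < sizeof eh) return INTERP_BAD_HDR;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_phentsize != sizeof ph)
        return INTERP_BAD_HDR;
    if (eh.e_phoff > len || (size_t)eh.e_phnum * sizeof ph > len - eh.e_phoff)
        return INTERP_BAD_HDR;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_INTERP) continue;
        if (ph.p_filesz == 0 || ph.p_filesz > outlen ||
            ph.p_offset > len || ph.p_filesz > len - ph.p_offset)
            return INTERP_BAD_SEG;
        const unsigned char *s = img + ph.p_offset;
        if (strict) {
            if (s[ph.p_filesz - 1] != '\0') return INTERP_UNTERMINATED;
            memcpy(out, s, ph.p_filesz);
        } else {
            size_t k = 0;
            while (k < ph.p_filesz && s[k] != '\0') k++;
            if (k == outlen) k--;   /* keep room for the NUL we append */
            memcpy(out, s, k);
            out[k] = '\0';
        }
        return INTERP_OK;
    }
    return INTERP_NONE;
}

/* Constructed ELF32 image (not the real googleearth-bin): one PT_INTERP phdr at e_phoff
 * 52 pointing at file offset 0x134, as in the readelf output above. The bytes at 0x134 are
 * always "/lib/ld-linux.so.2" plus NUL (19 bytes); only the declared p_filesz varies.
 * Fields are written in host byte order, which is also what find_interp reads. */
size_t build_image(unsigned char *buf, size_t buflen, uint32_t interp_filesz)
{
    static const char path[] = "/lib/ld-linux.so.2";
    const uint32_t off = 0x134;
    size_t need = off + sizeof path;
    Elf32_Ehdr eh = {{0}}; Elf32_Phdr ph = {0};
    if (buflen < need) return 0;
    memset(buf, 0, need);
    memcpy(eh.e_ident, "\x7f" "ELF\x01\x01\x01", 7); /* ELFCLASS32, ELFDATA2LSB, EV_CURRENT */
    eh.e_type = 2; eh.e_machine = 3; eh.e_version = 1; /* ET_EXEC, EM_386 */
    eh.e_entry = 0x8048650; eh.e_phoff = 52; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_INTERP; ph.p_offset = off; ph.p_vaddr = ph.p_paddr = 0x08048000u + off;
    ph.p_filesz = ph.p_memsz = interp_filesz; ph.p_flags = 4; ph.p_align = 1; /* PF_R */
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + eh.e_phoff, &ph, sizeof ph);
    memcpy(buf + off, path, sizeof path);
    return need;
}

/* One scenario end to end: build, validate, return the status, leave any path in g_path. */
char g_path[64];
enum interp_status run_case(uint32_t filesz, int strict)
{
    unsigned char img[512];
    size_t n = build_image(img, sizeof img, filesz);
    g_path[0] = '\0';
    return n ? find_interp(img, n, strict, g_path, sizeof g_path) : INTERP_BAD_HDR;
}

int main(void)
{
    static const char *const names[] = { "OK", "NONE", "BAD_HDR", "BAD_SEG", "UNTERMINATED" };
    enum interp_status a = run_case(0x11, 1), b = run_case(0x11, 0);
    printf("p_filesz 0x11: strict %s; lenient %s, path \"%s\"\n", names[a], names[b], g_path);
    printf("p_filesz 19: strict %s", names[run_case(19, 1)]); printf(", path \"%s\"\n", g_path);
    return 0;
}
```

Build with cc -std=c99 and run: main prints the rejection for p_filesz 0x11 in strict mode, the truncated path the bounded lenient variant recovers, and the clean result once the header declares the full 19 bytes. The strict branch is the property the advisory's fix enforces; the lenient branch exists only to show that even a loader willing to forgive the missing NUL cannot produce the intended interpreter path without reading outside the segment.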