Lena at lena.kiev.ua
2018-Oct-06 17:35 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
> Insufficient validation was performed in the ELF header parser, and malformed
> or otherwise invalid ELF binaries were not rejected as they should be.

What is invalid in the /usr/local/share/google-earth/googleearth-bin
binary of the port google-earth-7.1.5.1557,3 ?

FreeBSD 11.2-RELEASE-p4 Sep 27 GENERIC i386, the binary:
https://drive.google.com/file/d/1SgHk8ijSp2F9UcQGlx44psT832TdIEL0/view

~ $ googleearth
Invalid PT_INTERP
exec: ./googleearth-bin: Exec format error
~ $ readelf --program-headers /usr/local/share/google-earth/googleearth-bin

Elf file type is EXEC (Executable file)
Entry point 0x8048650
There are 8 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
  INTERP         0x000134 0x08048134 0x08048134 0x00011 0x00011 R   0x1
      [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x000000 0x08048000 0x08048000 0x007f4 0x007f4 R E 0x1000
  LOAD           0x000e74 0x08049e74 0x08049e74 0x001a0 0x001a8 RW  0x1000
  DYNAMIC        0x000e88 0x08049e88 0x08049e88 0x00168 0x00168 RW  0x4
  NOTE           0x000148 0x08048148 0x08048148 0x00044 0x00044 R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
  GNU_RELRO      0x000e74 0x08049e74 0x08049e74 0x0018c 0x0018c R   0x1

 Section to Segment mapping:
  Segment Sections...
   00
   01     .interp
   02     .interp .note.ABI-tag .note.gnu.build-id .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame
   03     .ctors .dtors .jcr .dynamic .got .got.plt .data .bss
   04     .dynamic
   05     .note.ABI-tag .note.gnu.build-id
   06
   07     .ctors .dtors .jcr .dynamic .got
~ $ ls -l /usr/local/share/google-earth/googleearth-bin
-r-xr-xr-x  1 root  wheel  5452 Sep 10  2016 /usr/local/share/google-earth/googleearth-bin
~ $ hd /usr/local/share/google-earth/googleearth-bin | less
00000000  7f 45 4c 46 01 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 03 00 01 00 00 00  50 86 04 08 34 00 00 00  |........P?..4...|
00000020  14 11 00 00 00 00 00 00  34 00 20 00 08 00 28 00  |........4. ...(.|
00000030  1b 00 1a 00 06 00 00 00  34 00 00 00 34 80 04 08  |........4...4?..|
00000040  34 80 04 08 00 01 00 00  00 01 00 00 05 00 00 00  |4?..............|
00000050  04 00 00 00 03 00 00 00  34 01 00 00 34 81 04 08  |........4...4?..|
00000060  34 81 04 08 11 00 00 00  11 00 00 00 04 00 00 00  |4?..............|
00000070  01 00 00 00 01 00 00 00  00 00 00 00 00 80 04 08  |.............?..|
00000080  00 80 04 08 f4 07 00 00  f4 07 00 00 05 00 00 00  |.?..?...?.......|
00000090  00 10 00 00 01 00 00 00  74 0e 00 00 74 9e 04 08  |........t...t?..|
000000a0  74 9e 04 08 a0 01 00 00  a8 01 00 00 06 00 00 00  |t?..?...?.......|
000000b0  00 10 00 00 02 00 00 00  88 0e 00 00 88 9e 04 08  |........?...??..|
000000c0  88 9e 04 08 68 01 00 00  68 01 00 00 06 00 00 00  |??..h...h.......|
000000d0  04 00 00 00 04 00 00 00  48 01 00 00 48 81 04 08  |........H...H?..|
000000e0  48 81 04 08 44 00 00 00  44 00 00 00 04 00 00 00  |H?..D...D.......|
000000f0  04 00 00 00 51 e5 74 64  00 00 00 00 00 00 00 00  |....Q?td........|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 06 00 00 00  |................|
00000110  04 00 00 00 52 e5 74 64  74 0e 00 00 74 9e 04 08  |....R?tdt...t?..|
00000120  74 9e 04 08 8c 01 00 00  8c 01 00 00 04 00 00 00  |t?..?...?.......|
00000130  01 00 00 00 2f 6c 69 62  2f 6c 64 2d 6c 69 6e 75  |..../lib/ld-linu|
00000140  78 2e 73 6f 2e 32 00 00  04 00 00 00 10 00 00 00  |x.so.2..........|
00000150  01 00 00 00 47 4e 55 00  00 00 00 00 02 00 00 00  |....GNU.........|
00000160  06 00 00 00 0f 00 00 00  04 00 00 00 14 00 00 00  |................|
00000170  03 00 00 00 47 4e 55 00  ec f1 2d c9 13 9e 39 77  |....GNU.??-?.?9w|
00000180  54 45 91 3d e6 c5 0b ae  90 8a 6d 1a 03 00 00 00  |TE?=??.???m.....|
00000190  0b 00 00 00 09 00 00 00  04 00 00 00 0a 00 00 00  |................|
000001a0  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|
000001b0  02 00 00 00 00 00 00 00  05 00 00 00 06 00 00 00  |................|
000001c0  07 00 00 00 08 00 00 00  03 00 00 00 00 00 00 00  |................|

The commit:
https://lists.freebsd.org/pipermail/svn-src-all/2018-September/170051.html

case PT_INTERP: /* Path to interpreter */
- if (phdr[i].p_filesz > MAXPATHLEN) {
+ if (phdr[i].p_filesz < 2 ||
+ phdr[i].p_filesz > MAXPATHLEN) {
uprintf("Invalid PT_INTERP\n");
error = ENOEXEC;
interp = __DECONST(char *, imgp->image_header) + phdr[i].p_offset;
+ if (interp[interp_name_len - 1] != '\0') {
+ uprintf("Invalid PT_INTERP\n");
+ error = ENOEXEC;
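Review bot: both rejection paths in this hunk emit the identical `uprintf("Invalid PT_INTERP\n")`, so a user cannot tell whether the size-range check or the new NUL-terminator check fired, which is exactly the question that opened this thread; give the second path its own message, or include `phdr[i].p_filesz` in it, so the declared size that the file gets wrong is visible without a hex dump. Second, the excerpt computes `interp = __DECONST(char *, imgp->image_header) + phdr[i].p_offset;` and then reads `interp[interp_name_len - 1]`, but shows neither where `interp_name_len` is assigned from `p_filesz` nor a check that `p_offset + p_filesz` lies within the mapped image header; if that bound is enforced elsewhere in the commit this is fine, otherwise the new byte read is itself out of bounds on a crafted header and should be guarded before the terminator test. The `< 2` lower bound is right: a one-byte segment can only hold the terminator, i.e. an empty interpreter path.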
Konstantin Belousov
2018-Oct-06 18:21 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
On Sat, Oct 06, 2018 at 08:35:26PM +0300, Lena at lena.kiev.ua wrote:
> > Insufficient validation was performed in the ELF header parser, and malformed
> > or otherwise invalid ELF binaries were not rejected as they should be.
>
> What is invalid in the /usr/local/share/google-earth/googleearth-bin
> binary of the port google-earth-7.1.5.1557,3 ?
>
> FreeBSD 11.2-RELEASE-p4 Sep 27 GENERIC i386, the binary:
> https://drive.google.com/file/d/1SgHk8ijSp2F9UcQGlx44psT832TdIEL0/view
>
> ~ $ googleearth
> Invalid PT_INTERP
> exec: ./googleearth-bin: Exec format error
> ~ $ readelf --program-headers /usr/local/share/google-earth/googleearth-bin
>
> Elf file type is EXEC (Executable file)
> Entry point 0x8048650
> There are 8 program headers, starting at offset 52
>
> Program Headers:
>   Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
>   PHDR           0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
>   INTERP         0x000134 0x08048134 0x08048134 0x00011 0x00011 R   0x1
>       [Requesting program interpreter: /lib/ld-linux.so.2]

As you see, the file declares that the file/memory length of the interpreter name's segment is 0x11 == 16 decimal. But the string does not end on byte 16, which is not NUL.

We tighten the checks and do require that the PT_INTERP string is valid by checking that it is NUL-terminated at the offset declared by the size.
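The check Konstantin describes, as an added stand-alone example (Python, written for this page; it is not FreeBSD kernel code and not part of the thread). It builds a minimal ELF32 image whose PT_INTERP header mirrors the googleearth-bin values quoted above (string "/lib/ld-linux.so.2" with a trailing NUL, but p_filesz declared as 0x11), then applies the validation from the quoted hunk: p_filesz must be in [2, MAXPATHLEN], the string must lie inside the mapped header (assumed to be the first PAGE_SIZE bytes, as in the kernel's image_header), and byte p_filesz-1 must be the NUL terminator. The rejection of duplicate PT_INTERP entries is an extra sanity check added here, not something shown in the quoted hunk. Function names, the sample image and the PAGE_SIZE assumption are this example's own.

```python
"""Re-implementation (not FreeBSD code) of the PT_INTERP checks from FreeBSD-SA-18:12.elf,
exercised against a constructed ELF32 image that mirrors the googleearth-bin headers."""
import struct

MAXPATHLEN = 1024      # sys/param.h value on FreeBSD
PAGE_SIZE = 4096       # assumption: only the first page of the file is mapped as image_header
PT_LOAD, PT_INTERP = 1, 3
EHDR = struct.Struct("<16sHHIIIIIHHHHHH")   # Elf32_Ehdr, little-endian
PHDR = struct.Struct("<IIIIIIII")           # Elf32_Phdr


def build_elf32(interp_cstring, declared_filesz, interp_offset=0x80):
    """Construct (not extracted from a real file) a minimal ELF32 i386 EXEC image with one
    PT_LOAD and one PT_INTERP; p_filesz of the PT_INTERP is whatever the caller declares."""
    ident = b"\x7fELF\x01\x01\x01" + b"\x00" * 9
    ehdr = EHDR.pack(ident, 2, 3, 1, 0x8048650, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, 2, 40, 0, 0)
    load = PHDR.pack(PT_LOAD, 0, 0x08048000, 0x08048000, 0x7f4, 0x7f4, 5, 0x1000)
    interp = PHDR.pack(PT_INTERP, interp_offset, 0x08048000 + interp_offset,
                       0x08048000 + interp_offset, declared_filesz, declared_filesz, 4, 1)
    image = bytearray(ehdr + load + interp)
    image += b"\x00" * (interp_offset - len(image))   # pad up to the string's offset
    image += interp_cstring
    return bytes(image)


def check_pt_interp(image):
    """Apply the PT_INTERP validation from the thread. Returns (ok, message, interp_path)."""
    if image[:4] != b"\x7fELF" or image[4] != 1:      # ELFCLASS32 only, to keep it short
        return False, "not an ELF32 image", None
    fields = EHDR.unpack_from(image, 0)
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]
    if e_phentsize != PHDR.size or e_phoff + e_phnum * PHDR.size > len(image):
        return False, "program header table out of bounds", None
    interp = None
    for i in range(e_phnum):
        p_type, p_offset, _, _, p_filesz, _, _, _ = PHDR.unpack_from(image, e_phoff + i * PHDR.size)
        if p_type != PT_INTERP:
            continue
        if interp is not None:                         # extra check, not in the quoted hunk
            return False, "multiple PT_INTERP headers", None
        # First check from the hunk: below 2 there is no room for a char plus NUL.
        if p_filesz < 2 or p_filesz > MAXPATHLEN:
            return False, "Invalid PT_INTERP (p_filesz %#x out of range)" % p_filesz, None
        # Assumption: the kernel reads the string out of the mapped first page, so it must
        # fit there (and inside the bytes we actually hold).
        if p_offset > PAGE_SIZE or p_filesz > PAGE_SIZE - p_offset or p_offset + p_filesz > len(image):
            return False, "Invalid PT_INTERP (string outside mapped header)", None
        # Second check from the hunk: byte p_filesz-1 must be the NUL terminator.
        last = image[p_offset + p_filesz - 1]
        if last != 0:
            return False, "Invalid PT_INTERP (byte %d is %r, not NUL)" % (p_filesz - 1, bytes([last])), None
        interp = image[p_offset:p_offset + p_filesz - 1].decode("ascii", "replace")
    if interp is None:
        return True, "static binary, no PT_INTERP", None
    return True, "ok", interp


# Constructed sample: the 19-byte string from the hex dump, declared as 0x11 bytes,
# so byte 16 is '.' rather than NUL and the kernel's check rejects it.
INTERP_STRING = b"/lib/ld-linux.so.2\x00"
GOOGLEEARTH_LIKE = build_elf32(INTERP_STRING, 0x11)
FIXED = build_elf32(INTERP_STRING, len(INTERP_STRING))

if __name__ == "__main__":
    for name, img in (("undersized p_filesz", GOOGLEEARTH_LIKE), ("correct p_filesz", FIXED)):
        print(name, "->", check_pt_interp(img))
```

Running it prints the rejection for the googleearth-like image with the offending byte index and value, and "ok" with the recovered "/lib/ld-linux.so.2" once p_filesz covers the terminator; the same function also rejects a one-byte segment and a size that runs past the header.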