From owner-freebsd-security@freebsd.org Sat Oct 6 17:35:38 2018
Date: Sat, 6 Oct 2018 20:35:26 +0300
From: Lena@lena.kiev.ua
To: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
Message-ID: <20181006173525.GC813@lena.kiev>
In-Reply-To: <20180912054309.61C6B13269@freefall.freebsd.org>

> Insufficient validation was performed in the ELF header parser, and malformed
> or otherwise invalid ELF binaries were not rejected as they should be.

What is invalid in the /usr/local/share/google-earth/googleearth-bin
binary of the port google-earth-7.1.5.1557,3 ?
FreeBSD 11.2-RELEASE-p4 Sep 27 GENERIC i386, the binary:
https://drive.google.com/file/d/1SgHk8ijSp2F9UcQGlx44psT832TdIEL0/view

~ $ googleearth
Invalid PT_INTERP
exec: ./googleearth-bin: Exec format error
~ $ readelf --program-headers /usr/local/share/google-earth/googleearth-bin

Elf file type is EXEC (Executable file)
Entry point 0x8048650
There are 8 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
  INTERP         0x000134 0x08048134 0x08048134 0x00011 0x00011 R   0x1
      [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x000000 0x08048000 0x08048000 0x007f4 0x007f4 R E 0x1000
  LOAD           0x000e74 0x08049e74 0x08049e74 0x001a0 0x001a8 RW  0x1000
  DYNAMIC        0x000e88 0x08049e88 0x08049e88 0x00168 0x00168 RW  0x4
  NOTE           0x000148 0x08048148 0x08048148 0x00044 0x00044 R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
  GNU_RELRO      0x000e74 0x08049e74 0x08049e74 0x0018c 0x0018c R   0x1

 Section to Segment mapping:
  Segment Sections...
   00
   01     .interp
   02     .interp .note.ABI-tag .note.gnu.build-id .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame
   03     .ctors .dtors .jcr .dynamic .got .got.plt .data .bss
   04     .dynamic
   05     .note.ABI-tag .note.gnu.build-id
   06
   07     .ctors .dtors .jcr .dynamic .got

~ $ ls -l /usr/local/share/google-earth/googleearth-bin
-r-xr-xr-x  1 root  wheel  5452 Sep 10  2016 /usr/local/share/google-earth/googleearth-bin
~ $ hd /usr/local/share/google-earth/googleearth-bin | less
00000000  7f 45 4c 46 01 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 03 00 01 00 00 00  50 86 04 08 34 00 00 00  |........P..4...|
00000020  14 11 00 00 00 00 00 00  34 00 20 00 08 00 28 00  |........4. ...(.|
00000030  1b 00 1a 00 06 00 00 00  34 00 00 00 34 80 04 08  |........4...4..|
00000040  34 80 04 08 00 01 00 00  00 01 00 00 05 00 00 00  |4..............|
00000050  04 00 00 00 03 00 00 00  34 01 00 00 34 81 04 08  |........4...4..|
00000060  34 81 04 08 11 00 00 00  11 00 00 00 04 00 00 00  |4..............|
00000070  01 00 00 00 01 00 00 00  00 00 00 00 00 80 04 08  |...............|
00000080  00 80 04 08 f4 07 00 00  f4 07 00 00 05 00 00 00  |.............|
00000090  00 10 00 00 01 00 00 00  74 0e 00 00 74 9e 04 08  |........t...t..|
000000a0  74 9e 04 08 a0 01 00 00  a8 01 00 00 06 00 00 00  |t............|
000000b0  00 10 00 00 02 00 00 00  88 0e 00 00 88 9e 04 08  |.............|
000000c0  88 9e 04 08 68 01 00 00  68 01 00 00 06 00 00 00  |..h...h.......|
000000d0  04 00 00 00 04 00 00 00  48 01 00 00 48 81 04 08  |........H...H..|
000000e0  48 81 04 08 44 00 00 00  44 00 00 00 04 00 00 00  |H..D...D.......|
000000f0  04 00 00 00 51 e5 74 64  00 00 00 00 00 00 00 00  |....Qtd........|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 06 00 00 00  |................|
00000110  04 00 00 00 52 e5 74 64  74 0e 00 00 74 9e 04 08  |....Rtdt...t..|
00000120  74 9e 04 08 8c 01 00 00  8c 01 00 00 04 00 00 00  |t............|
00000130  01 00 00 00 2f 6c 69 62  2f 6c 64 2d 6c 69 6e 75  |..../lib/ld-linu|
00000140  78 2e 73 6f 2e 32 00 00  04 00 00 00 10 00 00 00  |x.so.2..........|
00000150  01 00 00 00 47 4e 55 00  00 00 00 00 02 00 00 00  |....GNU.........|
00000160  06 00 00 00 0f 00 00 00  04 00 00 00 14 00 00 00  |................|
00000170  03 00 00 00 47 4e 55 00  ec f1 2d c9 13 9e 39 77  |....GNU.-.9w|
00000180  54 45 91 3d e6 c5 0b ae  90 8a 6d 1a 03 00 00 00  |TE=.m.....|
00000190  0b 00 00 00 09 00 00 00  04 00 00 00 0a 00 00 00  |................|
000001a0  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|
000001b0  02 00 00 00 00 00 00 00  05 00 00 00 06 00 00 00  |................|
000001c0  07 00 00 00 08 00 00 00  03 00 00 00 00 00 00 00  |................|

The commit:
https://lists.freebsd.org/pipermail/svn-src-all/2018-September/170051.html

 			case PT_INTERP:
 				/* Path to interpreter */
-				if (phdr[i].p_filesz > MAXPATHLEN) {
+				if (phdr[i].p_filesz < 2 ||
+				    phdr[i].p_filesz > MAXPATHLEN) {
 					uprintf("Invalid PT_INTERP\n");
 					error = ENOEXEC;
 				interp = __DECONST(char *, imgp->image_header) +
 				    phdr[i].p_offset;
+				if (interp[interp_name_len - 1] != '\0') {
+					uprintf("Invalid PT_INTERP\n");
+					error = ENOEXEC;

From owner-freebsd-security@freebsd.org Sat Oct 6 18:21:17 2018
Date: Sat, 6 Oct 2018 21:21:04 +0300
From: Konstantin Belousov
To: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
Message-ID: <20181006182104.GS5335@kib.kiev.ua>
In-Reply-To: <20181006173525.GC813@lena.kiev>

On Sat, Oct 06, 2018 at 08:35:26PM +0300, Lena@lena.kiev.ua wrote:
> > Insufficient validation was performed in the ELF header parser, and malformed
> > or otherwise invalid ELF binaries were not rejected as they should be.
>
> What is invalid in the /usr/local/share/google-earth/googleearth-bin
> binary of the port google-earth-7.1.5.1557,3 ?
>
> FreeBSD 11.2-RELEASE-p4 Sep 27 GENERIC i386, the binary:
> https://drive.google.com/file/d/1SgHk8ijSp2F9UcQGlx44psT832TdIEL0/view
>
> ~ $ googleearth
> Invalid PT_INTERP
> exec: ./googleearth-bin: Exec format error
> ~ $ readelf --program-headers /usr/local/share/google-earth/googleearth-bin
>
> Elf file type is EXEC (Executable file)
> Entry point 0x8048650
> There are 8 program headers, starting at offset 52
>
> Program Headers:
>   Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
>   PHDR           0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
>   INTERP         0x000134 0x08048134 0x08048134 0x00011 0x00011 R   0x1
>       [Requesting program interpreter: /lib/ld-linux.so.2]

As you see, the file declares that file/memory length of the interpreter
name's segment is 0x11 == 16 decimal. But the string does not end on
byte 16, which is not NUL. We tighten the checks and do require that
PT_INTERP string is valid by checking that it is NUL-terminated at the
offset declared by the size.

From owner-freebsd-security@freebsd.org Sat Oct 6 18:46:47 2018
Date: Sat, 6 Oct 2018 21:46:36 +0300
From: Konstantin Belousov
To: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
Message-ID: <20181006184636.GT5335@kib.kiev.ua>
In-Reply-To: <20181006182104.GS5335@kib.kiev.ua>

On Sat, Oct 06, 2018 at 09:21:04PM +0300, Konstantin Belousov wrote:
> On Sat, Oct 06, 2018 at 08:35:26PM +0300, Lena@lena.kiev.ua wrote:
> > > Insufficient validation was performed in the ELF header parser, and malformed
> > > or otherwise invalid ELF binaries were not rejected as they should be.
> >
> > What is invalid in the /usr/local/share/google-earth/googleearth-bin
> > binary of the port google-earth-7.1.5.1557,3 ?
> >
> > FreeBSD 11.2-RELEASE-p4 Sep 27 GENERIC i386, the binary:
> > https://drive.google.com/file/d/1SgHk8ijSp2F9UcQGlx44psT832TdIEL0/view
> >
> > ~ $ googleearth
> > Invalid PT_INTERP
> > exec: ./googleearth-bin: Exec format error
> > ~ $ readelf --program-headers /usr/local/share/google-earth/googleearth-bin
> >
> > Elf file type is EXEC (Executable file)
> > Entry point 0x8048650
> > There are 8 program headers, starting at offset 52
> >
> > Program Headers:
> >   Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
> >   PHDR           0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
> >   INTERP         0x000134 0x08048134 0x08048134 0x00011 0x00011 R   0x1
> >       [Requesting program interpreter: /lib/ld-linux.so.2]
> As you see, the file declares that file/memory length of the interpreter
> name's segment is 0x11 == 16 decimal. But the string does not end on
> byte 16, which is not NUL. We tighten the checks and do require that
> PT_INTERP string is valid by checking that it is NUL-terminated at the
> offset declared by the size.

As emaste pointed out, I am off by one, i.e. replace 16 by 17 in the text
above.
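The check described in the replies above, as an added example that is not code from this thread or from FreeBSD's sys/kern/imgact_elf.c: a small validator applies the tightened PT_INTERP rules (declared size within [2, MAXPATHLEN], segment inside the image, NUL at offset p_filesz - 1) to a constructed ELF32 image that carries the reported binary's interpreter path with the declared size 0x11. The function names, the MAXPATHLEN value, the image layout and the declared-length prefix that check_declared hands back (the path a loader that trusted p_filesz would end up with) are my assumptions, not anything from the advisory.

```c
#include <stdint.h>
#include <string.h>
#define PT_INTERP  3
#define MAXPATHLEN 1024    /* assumed here as the cap on the declared size */
enum interp_status { INTERP_OK, INTERP_NONE, INTERP_BAD_SIZE, INTERP_OUT_OF_RANGE, INTERP_NOT_NUL_TERMINATED };
static uint32_t le32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void put32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* The tightened PT_INTERP checks, applied to a little-endian ELF32 image in
 * memory: p_filesz in [2, MAXPATHLEN], segment inside the image, and the byte
 * at p_filesz - 1 must be NUL. On INTERP_OK, *path points at the string. */
enum interp_status check_pt_interp(const uint8_t *img, size_t len, const char **path)
{
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 1 || img[5] != 1)
        return INTERP_OUT_OF_RANGE;                      /* not an ELF32 LSB image */
    uint32_t phoff = le32(img + 28);
    uint16_t phentsize = le16(img + 42), phnum = le16(img + 44);
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = (uint64_t)phoff + (uint64_t)i * phentsize;
        if (off + 32 > len) return INTERP_OUT_OF_RANGE;  /* phdr itself outside the image */
        const uint8_t *ph = img + off;
        if (le32(ph) != PT_INTERP) continue;
        uint32_t p_offset = le32(ph + 4), p_filesz = le32(ph + 16);
        if (p_filesz < 2 || p_filesz > MAXPATHLEN) return INTERP_BAD_SIZE;
        if (p_offset > len || p_filesz > len - p_offset) return INTERP_OUT_OF_RANGE;
        const char *s = (const char *)img + p_offset;
        if (s[p_filesz - 1] != '\0') return INTERP_NOT_NUL_TERMINATED;
        *path = s;
        return INTERP_OK;
    }
    return INTERP_NONE;
}

/* Constructed sample: ELF32 header, one PT_INTERP phdr at offset 52, and
 * "/lib/ld-linux.so.2" (18 chars + NUL) at offset 84, with p_filesz = declared. */
size_t build_image(uint8_t *buf, uint32_t declared)
{
    static const char interp[] = "/lib/ld-linux.so.2";
    memset(buf, 0, 84 + sizeof interp);
    memcpy(buf, "\x7f" "ELF\x01\x01\x01", 7);                 /* ELFCLASS32, LSB, EV_CURRENT */
    buf[16] = 2; buf[18] = 3; put32(buf + 20, 1);              /* ET_EXEC, EM_386, e_version */
    put32(buf + 28, 52); buf[40] = 52; buf[42] = 32; buf[44] = 1; /* e_phoff, e_ehsize, e_phentsize, e_phnum */
    put32(buf + 52, PT_INTERP); put32(buf + 56, 84);           /* p_type, p_offset */
    put32(buf + 68, declared); put32(buf + 72, declared);      /* p_filesz, p_memsz */
    memcpy(buf + 84, interp, sizeof interp);
    return 84 + sizeof interp;                                 /* 103 bytes */
}

/* Check the sample for a given p_filesz. prefix (cap bytes) receives the first
 * declared bytes of the segment, NUL-terminated: the path a loader that trusted
 * p_filesz and copied exactly that many bytes would use. */
enum interp_status check_declared(uint32_t declared, char *prefix, size_t cap)
{
    uint8_t img[128]; const char *path = NULL;
    size_t n = build_image(img, declared), k = declared < cap - 1 ? declared : cap - 1;
    if (k > n - 84) k = n - 84;                                /* never read past the image */
    memcpy(prefix, img + 84, k);
    prefix[k] = '\0';
    return check_pt_interp(img, n, &path);
}
```

With the declared size 0x11 the check rejects the image, and the declared-length prefix is "/lib/ld-linux.so.", one byte short of the real path; with 19 (18 characters plus NUL) it passes.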
From owner-freebsd-security@freebsd.org Sat Oct 6 21:29:20 2018
Date: Sun, 7 Oct 2018 00:29:08 +0300
From: Konstantin Belousov
To: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
Message-ID: <20181006212908.GU5335@kib.kiev.ua>
In-Reply-To: <20181006184636.GT5335@kib.kiev.ua>

On Sat, Oct 06, 2018 at 09:46:36PM +0300, Konstantin Belousov wrote:
> On Sat, Oct 06, 2018 at 09:21:04PM +0300, Konstantin Belousov wrote:
> > On Sat, Oct 06, 2018 at 08:35:26PM +0300, Lena@lena.kiev.ua wrote:
> > > > Insufficient validation was performed in the ELF header parser, and malformed
> > > > or otherwise invalid ELF binaries were not rejected as they should be.
> > >
> > > What is invalid in the /usr/local/share/google-earth/googleearth-bin
> > > binary of the port google-earth-7.1.5.1557,3 ?
> > >
> > > FreeBSD 11.2-RELEASE-p4 Sep 27 GENERIC i386, the binary:
> > > https://drive.google.com/file/d/1SgHk8ijSp2F9UcQGlx44psT832TdIEL0/view
> > >
> > > ~ $ googleearth
> > > Invalid PT_INTERP
> > > exec: ./googleearth-bin: Exec format error
> > > ~ $ readelf --program-headers /usr/local/share/google-earth/googleearth-bin
> > >
> > > Elf file type is EXEC (Executable file)
> > > Entry point 0x8048650
> > > There are 8 program headers, starting at offset 52
> > >
> > > Program Headers:
> > >   Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
> > >   PHDR           0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
> > >   INTERP         0x000134 0x08048134 0x08048134 0x00011 0x00011 R   0x1
> > >       [Requesting program interpreter: /lib/ld-linux.so.2]
> > As you see, the file declares that file/memory length of the interpreter
> > name's segment is 0x11 == 16 decimal. But the string does not end on
> > byte 16, which is not NUL. We tighten the checks and do require that
> > PT_INTERP string is valid by checking that it is NUL-terminated at the
> > offset declared by the size.
> As emaste pointed out, I am off by one, i.e. replace 16 by 17 in the text
> above.

But we might be somewhat nicer in this case. Try the following.

diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
index f4302d46665..88f8a1ed2fa 100644
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@@ -872,9 +872,23 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) interp = __DECONST(char *, imgp->image_header) + phdr[i].p_offset; if (interp[interp_name_len - 1] != '\0') { - uprintf("Invalid PT_INTERP\n"); - error = ENOEXEC; - goto ret; + /* + * ELF specification requires + * that PT_INTERP contained + * NUL-terminated string. If + * it is not, try to fix the + * path and still execute the + * binary. + */ + VOP_UNLOCK(imgp->vp, 0); + interp_buf = malloc(interp_name_len + 1, + M_TEMP, M_WAITOK); + vn_lock(imgp->vp, LK_EXCLUSIVE | + LK_RETRY); + memcpy(interp_buf, interp, + interp_name_len); + interp_buf[interp_name_len] = '\0'; + interp = interp_buf; } } break;
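Review bot: the fix-up copy, memcpy(interp_buf, interp, interp_name_len) followed by interp_buf[interp_name_len] = '\0', still trusts the declared size, so for the binary quoted above (FileSiz 0x00011, i.e. 17 bytes, for the 18-character path /lib/ld-linux.so.2 whose NUL the hexdump shows two bytes past the declared end) the interpreter becomes the first 17 bytes, "/lib/ld-linux.so.", and the exec still fails, now on a non-existent path rather than with "Invalid PT_INTERP". If the intent is to run such binaries, the repaired path needs to extend to the actual NUL, bounded by MAXPATHLEN and by the part of the file that is actually mapped, instead of stopping at p_filesz; and since the uprintf and the ENOEXEC are dropped, a malformed header is now accepted silently, so keeping a diagnostic line would help whoever has to debug the resulting failure.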