From: Dag-Erling Smørgrav <des@des.no>
To: Konstantin Belousov
Cc: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
Date: Mon, 08 Oct 2018 00:31:26 +0200
Message-ID: <86sh1hs81t.fsf@next.des.no>
In-Reply-To: <20181006182104.GS5335@kib.kiev.ua> (Konstantin Belousov's message of "Sat, 6 Oct 2018 21:21:04 +0300")
References: <20180912054309.61C6B13269@freefall.freebsd.org> <20181006173525.GC813@lena.kiev> <20181006182104.GS5335@kib.kiev.ua>

Konstantin Belousov writes:
> writes:
>> Program Headers:
>>   Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
>>   PHDR           0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
>>   INTERP         0x000134 0x08048134 0x08048134 0x00011 0x00011 R   0x1
>>       [Requesting program interpreter: /lib/ld-linux.so.2]
> As you see, the file declares that the file/memory length of the interpreter
> name's segment is 0x11 == 16 decimal. But the string does not end on
> byte 16, which is not NUL. We tighten the checks and do require that
> the PT_INTERP string is valid by checking that it is NUL-terminated at the
> offset declared by the size.

The string isn't just unterminated, though. It's actually longer than the
section. To be precise, "/lib/ld-linux.so.2" is 18 characters long, plus
NUL makes 19. The section is supposed to be 17 bytes long. I don't mind
forgiving a missing NUL, but I'm not comfortable with reading past the end
of the section, and it worries me that Linux doesn't care.

DES
-- 
Dag-Erling Smørgrav - des@des.no
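The tightened PT_INTERP check the thread describes, written out as an added C example. This is not the FreeBSD kernel's imgact_elf.c code and not the patch shipped with FreeBSD-SA-18:12.elf; the struct layouts, the INTERP_MAX_LEN bound (standing in for MAXPATHLEN), the status codes and the constructed in-memory ELF image are this example's own assumptions. It reproduces the header from the quoted readelf output (p_filesz 0x11 declared for an 18-character path plus NUL) and shows why a loader that requires the terminating NUL inside the declared range never reads past the end of the segment:

```c
/* Added example, not FreeBSD kernel code: validate an ELF32 PT_INTERP segment
 * so the interpreter path is NUL-terminated inside the declared byte range and
 * nothing past p_offset + p_filesz is ever read.  Assumes a little-endian host. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PT_INTERP_TYPE 3u      /* ELF p_type of the interpreter segment */
#define INTERP_MAX_LEN 1024u   /* assumed upper bound, stands in for MAXPATHLEN */

/* Minimal ELF32 layouts; field order and widths follow the ELF specification. */
struct ehdr32 {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
};
struct phdr32 {
    uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align;
};

enum interp_status {
    INTERP_OK = 0,
    INTERP_NOT_ELF,       /* bad magic, not ELFCLASS32, or phdr table out of range */
    INTERP_ABSENT,        /* no PT_INTERP (statically linked) */
    INTERP_BAD_SIZE,      /* p_filesz < 2 or > INTERP_MAX_LEN */
    INTERP_OUT_OF_FILE,   /* declared range extends past the end of the image */
    INTERP_UNTERMINATED   /* byte at p_offset + p_filesz - 1 is not NUL */
};

/* Validate the PT_INTERP of an in-memory ELF image.  On INTERP_OK the path is
 * copied into out (if out_len > 0), truncated to out_len - 1 characters. */
enum interp_status check_pt_interp(const unsigned char *image, size_t image_len,
                                   char *out, size_t out_len)
{
    struct ehdr32 eh;
    if (image_len < sizeof eh)
        return INTERP_NOT_ELF;
    memcpy(&eh, image, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 1 /* ELFCLASS32 */
        || eh.e_phentsize != sizeof(struct phdr32))
        return INTERP_NOT_ELF;
    /* Overflow-safe bounds check on the whole program header table. */
    if (eh.e_phoff > image_len
        || (size_t)eh.e_phnum * sizeof(struct phdr32) > image_len - eh.e_phoff)
        return INTERP_NOT_ELF;

    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        struct phdr32 ph;
        memcpy(&ph, image + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_INTERP_TYPE)
            continue;
        if (ph.p_filesz < 2 || ph.p_filesz > INTERP_MAX_LEN)   /* one char + NUL minimum */
            return INTERP_BAD_SIZE;
        if (ph.p_offset > image_len || ph.p_filesz > image_len - ph.p_offset)
            return INTERP_OUT_OF_FILE;
        const unsigned char *s = image + ph.p_offset;
        /* The tightened check from the thread: the last declared byte must be NUL. */
        if (s[ph.p_filesz - 1] != '\0')
            return INTERP_UNTERMINATED;
        if (out_len > 0) {
            size_t n = strlen((const char *)s);    /* safe: a NUL lies inside the range */
            if (n > out_len - 1)
                n = out_len - 1;
            memcpy(out, s, n);
            out[n] = '\0';
        }
        return INTERP_OK;
    }
    return INTERP_ABSENT;
}

/* Build a constructed ELF32 image (header, one PT_INTERP phdr, then the string
 * bytes copied verbatim) whose p_filesz is set to declared_filesz, so the
 * size/length mismatch from the thread can be reproduced.  Returns the image
 * length, or 0 if buf is too small. */
size_t build_interp_image(unsigned char *buf, size_t cap, const char *interp,
                          size_t interp_bytes, uint32_t declared_filesz)
{
    const size_t str_off = sizeof(struct ehdr32) + sizeof(struct phdr32);   /* 84 */
    if (cap < str_off + interp_bytes)
        return 0;
    struct ehdr32 eh = {0};
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 1;  eh.e_ident[5] = 1;                              /* ELFCLASS32, ELFDATA2LSB */
    eh.e_type = 2;  eh.e_phoff = sizeof eh;  eh.e_ehsize = sizeof eh;   /* ET_EXEC */
    eh.e_phentsize = sizeof(struct phdr32);  eh.e_phnum = 1;
    struct phdr32 ph = {0};
    ph.p_type = PT_INTERP_TYPE;  ph.p_offset = (uint32_t)str_off;
    ph.p_filesz = ph.p_memsz = declared_filesz;  ph.p_flags = 4;  ph.p_align = 1;   /* PF_R */
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, &ph, sizeof ph);
    memcpy(buf + str_off, interp, interp_bytes);
    return str_off + interp_bytes;
}

/* The thread's case: "/lib/ld-linux.so.2" is 18 characters, 19 bytes with its
 * NUL, but the header may declare any p_filesz.  Returns the validation result. */
enum interp_status check_thread_example(uint32_t declared_filesz, char *out, size_t out_len)
{
    static const char interp[] = "/lib/ld-linux.so.2";   /* sizeof interp == 19 */
    unsigned char img[128];
    size_t n = build_interp_image(img, sizeof img, interp, sizeof interp, declared_filesz);
    return n == 0 ? INTERP_NOT_ELF : check_pt_interp(img, n, out, out_len);
}

/* 1 if the loader would accept the image and recover exactly `expected`. */
int thread_example_yields(uint32_t declared_filesz, const char *expected)
{
    char path[64];
    return check_thread_example(declared_filesz, path, sizeof path) == INTERP_OK
        && strcmp(path, expected) == 0;
}
```

With the header from the quoted readelf output, check_thread_example(0x11, ...) returns INTERP_UNTERMINATED because byte 16 of the segment is '.', not NUL, and the loader stops there without touching bytes 17 and 18. Declaring 19 bytes yields INTERP_OK and the full path; declaring 20 yields INTERP_OUT_OF_FILE, since the segment would then run past the end of the file. That is exactly the distinction drawn above between forgiving a missing NUL and reading beyond the section: the check never dereferences anything outside the range the header declares, and it rejects a declared range that falls outside the file.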