Date: Tue, 07 Mar 2017 12:49:04 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 217610] ELF loader should have a special case for program headers with p_filesz == 0
Message-ID: <bug-217610-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217610

            Bug ID: 217610
           Summary: ELF loader should have a special case for program
                    headers with p_filesz == 0
           Product: Base System
           Version: 11.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: fuz@fuz.su

The ELF loader in imgact_elf.c contains the following code to verify a
program header before loading it:

	/*
	 * It's necessary to fail if the filsz + offset taken from the
	 * header is greater than the actual file pager object's size.
	 * If we were to allow this, then the vm_map_find() below would
	 * walk right off the end of the file object and into the ether.
	 *
	 * While I'm here, might as well check for something else that
	 * is invalid: filsz cannot be greater than memsz.
	 */
	if ((off_t)filsz + offset > imgp->attr->va_size || filsz > memsz) {
		uprintf("elf_load_section: truncated ELF file\n");
		return (ENOEXEC);
	}

However, this code is incorrect. If a program header corresponds to
sections that are all marked NOBITS, GNU ld generates a program header
with p_filesz == 0 and p_offset at the next aligned offset just past the
end of the file. This is fine as no bytes are actually ever read from
the binary. However, FreeBSD refuses to load such a valid ELF binary.

I request to amend this verification procedure to add a special case
for program headers with p_filesz == 0:

	if (filsz > memsz ||
	    (filsz > 0 && (off_t)filsz + offset > imgp->attr->va_size))

-- 
You are receiving this mail because:
You are the assignee for the bug.
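The two checks side by side, run on constructed program headers, as an added illustration that is not code from the report or from imgact_elf.c; the struct, the function names and the sample sizes are assumptions, and the only deliberate difference between the two functions is the filesz == 0 special case.

```c
#include <stdbool.h>
#include <stdint.h>
#include <sys/types.h>

/* Hypothetical view of the three program-header fields the check uses;
 * not FreeBSD's real struct or the elf_load_section() signature. */
struct phdr_view {
	uint64_t p_offset;	/* file offset of the segment's bytes */
	uint64_t p_filesz;	/* bytes present in the file */
	uint64_t p_memsz;	/* bytes to map in memory */
};

/* The check as quoted from imgact_elf.c: rejects a header whose
 * offset + filesz lies past end of file even when filesz == 0. */
bool
check_original(const struct phdr_view *ph, off_t va_size)
{
	if ((off_t)ph->p_filesz + (off_t)ph->p_offset > va_size ||
	    ph->p_filesz > ph->p_memsz)
		return false;	/* would be ENOEXEC: "truncated ELF file" */
	return true;
}

/* The amended check from the report: a header that reads no bytes
 * cannot walk off the end of the file object, so the offset is only
 * checked when filesz > 0.  Overflow behaviour is unchanged. */
bool
check_proposed(const struct phdr_view *ph, off_t va_size)
{
	if (ph->p_filesz > ph->p_memsz ||
	    (ph->p_filesz > 0 &&
	     (off_t)ph->p_filesz + (off_t)ph->p_offset > va_size))
		return false;
	return true;
}

/* Constructed samples against a 0xf40-byte file (not page-aligned). */
static const off_t sample_va_size = 0xf40;
/* NOBITS-only segment as the report describes GNU ld emitting it:
 * no file bytes, offset at the next aligned position past end of file. */
static const struct phdr_view nobits_only = { 0x1000, 0, 0x2000 };
/* Ordinary segment fully inside the file. */
static const struct phdr_view in_file = { 0x0, 0x800, 0x800 };
/* Genuinely truncated: 0x200 bytes claimed, only 0x40 remain. */
static const struct phdr_view truncated = { 0xf00, 0x200, 0x200 };
/* Invalid either way: more file bytes than memory bytes. */
static const struct phdr_view filesz_gt_memsz = { 0x0, 0x400, 0x200 };
```

Only the NOBITS-only header changes verdict between the two checks; the truncated and filesz > memsz cases are still rejected.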
