Date:      Mon, 15 Dec 2025 14:54:36 +0000
From:      Jessica Clarke <jrtc27@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: e0f70ea729c5 - stable/15 - imgact_elf: Fix off-by-one in note size check
Message-ID:  <6940212c.38875.1139fdba@gitrepo.freebsd.org>


The branch stable/15 has been updated by jrtc27:

URL: https://cgit.FreeBSD.org/src/commit/?id=e0f70ea729c58720f565c85690de5b39a83e640d

commit e0f70ea729c58720f565c85690de5b39a83e640d
Author:     Jessica Clarke <jrtc27@FreeBSD.org>
AuthorDate: 2025-12-08 13:01:57 +0000
Commit:     Jessica Clarke <jrtc27@FreeBSD.org>
CommitDate: 2025-12-15 14:54:23 +0000

    imgact_elf: Fix off-by-one in note size check
    
    Prior to c86af2cc4cd1 ("imgact_elf: Check note body sizes"), this was
    note_name + n_namesz >= note_end, which checks that there is at least
    one byte after the unpadded name (which could be either padding or
    data), and given our notes always have data with them this was fine.
    However, once we started checking the padded name (note that "FreeBSD\0"
    is already a multiple of 4 bytes, so has no padding) and data, this
    turned into checking that there is at least one byte after the unpadded
    data, and since our ELF notes already have a multiple of 4 bytes for
    their data and therefore have no padding, this means that we are now
    checking that there is at least one byte after the ELF note, which is
    not going to be the case for the last ELF note. Instead, switch this to
    a strict greater than, as should be used when comparing one-past-the-end
    pointers, which both sides of the inequality are.
    
    For executables, this was generally not a problem in reality, since the
    last of our ELF notes is NT_FREEBSD_NOINIT_TAG, which isn't read by the
    kernel. However, ld-elf.so.1 (and libcompat variants), like shared
    libraries, only has NT_FREEBSD_ABI_TAG, which meant the kernel did not
    see this ELF note when directly executing it (e.g. as done by ldd), and
    on RISC-V this is the only branding present, so doing so would fail with
    ENOEXEC. This does also mean on non-RISC-V direct exec ld-elf.so.1 runs
    with the wrong p_osrel, but given it sets kern.proc.osrel.PID to the
    executable's NT_FREEBSD_ABI_TAG that it loads, this probably doesn't
    matter in practice.
    
    PR:             291446
    Reported by:    bdragon
    Tested by:      bdragon
    Fixes:          c86af2cc4cd1 ("imgact_elf: Check note body sizes")
    MFC after:      3 days
    
    (cherry picked from commit 5d58198ccc2b562098ee5fc4898013622b32b065)
---
 sys/kern/imgact_elf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
index bc4fcad6c61b..e12c299172a4 100644
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@@ -2840,7 +2840,7 @@ __elfN(parse_notes)(const struct image_params *imgp, const Elf_Note *checknote,
 			goto nextnote;
 		note_name = (const char *)(note + 1);
 		if (note_name + roundup2(note->n_namesz, ELF_NOTE_ROUNDSIZE) +
-		    note->n_descsz >= (const char *)note_end ||
+		    note->n_descsz > (const char *)note_end ||
 		    strncmp(note_vendor, note_name, checknote->n_namesz) != 0)
 			goto nextnote;
 
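Review bot: The corrected comparison is right, but the hunk leaves no comment explaining why a strict `>` is the correct operator here, and the previous regression (c86af2cc4cd1 per the commit message) came precisely from this ambiguity. A one-line comment above the `if`, stating that both `note_name + roundup2(n_namesz) + n_descsz` and `note_end` are one-past-the-end pointers and that a note ending exactly at `note_end` is valid, would make the boundary explicit for the next person who touches this check. It would also be worth adding a regression test that directly executes a binary whose only note is the last one in the section (the commit message names ld-elf.so.1 on RISC-V as the case that failed with ENOEXEC), so this off-by-one cannot silently return.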

