From owner-freebsd-security@freebsd.org  Mon Oct  8 11:20:45 2018
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9C8BF10BB6C1
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Mon,  8 Oct 2018 11:20:45 +0000 (UTC)
 (envelope-from kostikbel@gmail.com)
Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 28287859EF
 for <freebsd-security@freebsd.org>; Mon,  8 Oct 2018 11:20:45 +0000 (UTC)
 (envelope-from kostikbel@gmail.com)
Received: from tom.home (kib@localhost [127.0.0.1])
 by kib.kiev.ua (8.15.2/8.15.2) with ESMTPS id w98BKW6p004643
 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
 Mon, 8 Oct 2018 14:20:35 +0300 (EEST)
 (envelope-from kostikbel@gmail.com)
DKIM-Filter: OpenDKIM Filter v2.10.3 kib.kiev.ua w98BKW6p004643
Received: (from kostik@localhost)
 by tom.home (8.15.2/8.15.2/Submit) id w98BKWdm004641;
 Mon, 8 Oct 2018 14:20:32 +0300 (EEST)
 (envelope-from kostikbel@gmail.com)
X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com
 using -f
Date: Mon, 8 Oct 2018 14:20:32 +0300
From: Konstantin Belousov <kostikbel@gmail.com>
To: Dag-Erling =?utf-8?B?U23DuHJncmF2?= <des@des.no>
Cc: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
Message-ID: <20181008112032.GJ5335@kib.kiev.ua>
References: <20180912054309.61C6B13269@freefall.freebsd.org>
 <20181006173525.GC813@lena.kiev>
 <20181006182104.GS5335@kib.kiev.ua> <86sh1hs81t.fsf@next.des.no>
 <20181007224611.GI5335@kib.kiev.ua> <86pnwkhhzm.fsf@next.des.no>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <86pnwkhhzm.fsf@next.des.no>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,BAYES_00,
 DKIM_ADSP_CUSTOM_MED,FORGED_GMAIL_RCVD,FREEMAIL_FROM,
 NML_ADSP_CUSTOM_MED autolearn=no autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tom.home
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Oct 2018 11:20:45 -0000

On Mon, Oct 08, 2018 at 12:04:29PM +0200, Dag-Erling Smørgrav wrote:
> Konstantin Belousov <kostikbel@gmail.com> writes:
> > Dag-Erling Smørgrav <des@des.no> writes:
> > > The string isn't just unterminated, though.  It's actually longer than
> > > the section.  To be precise, "/lib/ld-linux.so.2" is 18 characters long,
> > > plus NUL makes 19.  The section is supposed to be 17 bytes long.  I
> > > don't mind forgiving a missing NUL, but I'm not comfortable with reading
> > > past the end of the section, and it worries me that Linux doesn't care.
> > Apparently it was not Linux.  Look at the astro/google-earth/Makefile
> > before r425359.
> 
> Ah, I see.  The port used sed to edit the file in-place instead of using
> a tool that understands Elf and would have adjusted the section length.
Really this cannot be done, as well as overriding the interpreter name
with the longer string, since other segments are not movable.

> But it doesn't any more, probably because the linux_base ports install
> ld-lsb.so.3, so what's the issue?  And regardless, your patch wouldn't
> have helped in this case, since it would only have copied the first 17
> characters ("/lib/ld-linux.so.", missing the final 2) to the new buffer.
> So what is the rationale for the patch?
The mailed patch was based on some mis-calculations on my part,
I did off-by-one twice apparently.

Below is the the latest version which I did before I discovered the ports'
Makefile hack.  After I did, I abandoned the intent to commit it.

diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
index f4302d46665..1ef6028005e 100644
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@@ -872,9 +872,26 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp)
 				interp = __DECONST(char *, imgp->image_header) +
 				    phdr[i].p_offset;
 				if (interp[interp_name_len - 1] != '\0') {
-					uprintf("Invalid PT_INTERP\n");
-					error = ENOEXEC;
-					goto ret;
+					/*
+					 * ELF specification requires
+					 * that PT_INTERP contained
+					 * NUL-terminated string.  If
+					 * it is not, try to find the
+					 * end of line and still
+					 * execute the binary.
+					 */
+					for (; interp_name_len <=
+					    PAGE_SIZE - phdr[i].p_offset &&
+					    interp[interp_name_len - 1] != '\0';
+					    interp_name_len++)
+						;
+					if (interp[interp_name_len - 1] !=
+					    '\0') {
+						uprintf("Invalid PT_INTERP: "
+						    "no NUL termination\n");
+						error = ENOEXEC;
+						goto ret;
+					}
 				}
 			}
 			break;