Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 28 Feb 2017 19:46:51 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 217432] kernel's elf_load_file function can read out of bounds and crash the kernel
Message-ID:  <bug-217432-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D217432

            Bug ID: 217432
           Summary: kernel's elf_load_file function can read out of bounds
                    and crash the kernel
           Product: Base System
           Version: 10.3-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: tim.newsham@nccgroup.trust

The link_elf_load_file function in sys/kern/link_elf.c performs bounds chec=
king
on the program header element in the elf header with this code:

    if (!((hdr->e_phentsize =3D=3D sizeof(Elf_Phdr)) &&
          (hdr->e_phoff + hdr->e_phnum*sizeof(Elf_Phdr) <=3D PAGE_SIZE) &&
          (hdr->e_phoff + hdr->e_phnum*sizeof(Elf_Phdr) <=3D nbytes)))
        link_elf_error(filename, "Unreadable program headers");

however, it does not terminate processing at this point and will continue
executing with an out-of-bounds e_phoff.  Any offset larger than
(PAGE_SIZE-sizeof Elf_Phdr) will cause out of bounds reads, since only one =
page
is allocated for the elf object.  This will later result in out-of-bounds r=
eads
and potentially a panic.  For example if e_phoff is very large, then execut=
ion
will crash at the switch statement:

    phdr =3D (Elf_Phdr *) (firstpage + hdr->e_phoff);
    phlimit =3D phdr + hdr->e_phnum;
    nsegs =3D 0;
    phdyn =3D NULL;
    phphdr =3D NULL;
    while (phdr < phlimit) {
        switch (phdr->p_type) {  <---- crash

This issue is not very severe since it requires PRIV_KLD_LOAD to trigger, a=
nd
users that have this privilege can force crashes through loading malicious =
code
into the kernel.

The fix is simple -- terminate further processing of the elf file when
link_elf_error is reported.

--=20
You are receiving this mail because:
You are the assignee for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-217432-8>