From owner-freebsd-bugs@freebsd.org Tue Feb 28 19:46:51 2017 Return-Path: Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7A4E9CF1D89 for ; Tue, 28 Feb 2017 19:46:51 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 502E1F7 for ; Tue, 28 Feb 2017 19:46:51 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id v1SJkps5054181 for ; Tue, 28 Feb 2017 19:46:51 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 217432] kernel's elf_load_file function can read out of bounds and crash the kernel Date: Tue, 28 Feb 2017 19:46:51 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 10.3-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Many People X-Bugzilla-Who: tim.newsham@nccgroup.trust X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Feb 2017 19:46:51 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D217432 Bug ID: 217432 Summary: kernel's elf_load_file function can read out of bounds and crash the kernel Product: Base System Version: 10.3-RELEASE Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: kern Assignee: freebsd-bugs@FreeBSD.org Reporter: tim.newsham@nccgroup.trust The link_elf_load_file function in sys/kern/link_elf.c performs bounds chec= king on the program header element in the elf header with this code: if (!((hdr->e_phentsize =3D=3D sizeof(Elf_Phdr)) && (hdr->e_phoff + hdr->e_phnum*sizeof(Elf_Phdr) <=3D PAGE_SIZE) && (hdr->e_phoff + hdr->e_phnum*sizeof(Elf_Phdr) <=3D nbytes))) link_elf_error(filename, "Unreadable program headers"); however, it does not terminate processing at this point and will continue executing with an out-of-bounds e_phoff. Any offset larger than (PAGE_SIZE-sizeof Elf_Phdr) will cause out of bounds reads, since only one = page is allocated for the elf object. This will later result in out-of-bounds r= eads and potentially a panic. For example if e_phoff is very large, then execut= ion will crash at the switch statement: phdr =3D (Elf_Phdr *) (firstpage + hdr->e_phoff); phlimit =3D phdr + hdr->e_phnum; nsegs =3D 0; phdyn =3D NULL; phphdr =3D NULL; while (phdr < phlimit) { switch (phdr->p_type) { <---- crash This issue is not very severe since it requires PRIV_KLD_LOAD to trigger, a= nd users that have this privilege can force crashes through loading malicious = code into the kernel. The fix is simple -- terminate further processing of the elf file when link_elf_error is reported. --=20 You are receiving this mail because: You are the assignee for the bug.=