From owner-svn-src-head@freebsd.org Sun Nov 8 04:24:30 2020 Return-Path: Delivered-To: svn-src-head@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id B51BF2E53D2; Sun, 8 Nov 2020 04:24:30 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CTLcZ4cvVz4kCh; Sun, 8 Nov 2020 04:24:30 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 86F011A28E; Sun, 8 Nov 2020 04:24:30 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 0A84OU98021097; Sun, 8 Nov 2020 04:24:30 GMT (envelope-from kevans@FreeBSD.org) Received: (from kevans@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 0A84OUVm021095; Sun, 8 Nov 2020 04:24:30 GMT (envelope-from kevans@FreeBSD.org) Message-Id: <202011080424.0A84OUVm021095@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kevans set sender to kevans@FreeBSD.org using -f From: Kyle Evans Date: Sun, 8 Nov 2020 04:24:30 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r367477 - in head/sys: kern sys X-SVN-Group: head X-SVN-Commit-Author: kevans X-SVN-Commit-Paths: in head/sys: kern sys X-SVN-Commit-Revision: 367477 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 Nov 2020 04:24:30 -0000 Author: kevans Date: Sun Nov 8 04:24:29 2020 New Revision: 367477 URL: https://svnweb.freebsd.org/changeset/base/367477 Log: imgact_binmisc: limit the extent of match on incoming entries imgact_binmisc matches magic/mask from imgp->image_header, which is only a single page in size mapped from the first page of an image. One can specify an interpreter that matches on, e.g., --offset 4096 --size 256 to read up to 256 bytes past the mapped first page. The limitation is that we cannot specify a magic string that exceeds a single page, and we can't allow offset + size to exceed a single page either. A static assert has been added in case someone finds it useful to try and expand the size, but it does seem a little unlikely. While this looks kind of exploitable at a sideways squinty-glance, there are a couple of mitigating factors: 1.) imgact_binmisc is not enabled by default, 2.) entries may only be added by the superuser, 3.) trying to exploit this information to read what's mapped past the end would be worse than a root canal or some other relatably painful experience, and 4.) there's no way one could pull this off without it being completely obvious. The first page is mapped out of an sf_buf, the implementation of which (or lack thereof) depends on your platform. MFC after: 1 week Modified: head/sys/kern/imgact_binmisc.c head/sys/sys/imgact_binmisc.h Modified: head/sys/kern/imgact_binmisc.c ============================================================================== --- head/sys/kern/imgact_binmisc.c Sun Nov 8 02:50:34 2020 (r367476) +++ head/sys/kern/imgact_binmisc.c Sun Nov 8 04:24:29 2020 (r367477) @@ -236,6 +236,8 @@ imgact_binmisc_add_entry(ximgact_binmisc_entry_t *xbe) if (xbe->xbe_msize > IBE_MAGIC_MAX) return (EINVAL); + if (xbe->xbe_moffset + xbe->xbe_msize > IBE_MATCH_MAX) + return (EINVAL); for(cnt = 0, p = xbe->xbe_name; *p != 0; cnt++, p++) if (cnt >= IBE_NAME_MAX || !isascii((int)*p)) Modified: head/sys/sys/imgact_binmisc.h ============================================================================== --- head/sys/sys/imgact_binmisc.h Sun Nov 8 02:50:34 2020 (r367476) +++ head/sys/sys/imgact_binmisc.h Sun Nov 8 04:24:29 2020 (r367477) @@ -47,6 +47,11 @@ #define IBE_INTERP_LEN_MAX (MAXPATHLEN + IBE_ARG_LEN_MAX) #define IBE_MAX_ENTRIES 64 /* Max number of interpreter entries. */ +/* We only map the first page for identification purposes. */ +#define IBE_MATCH_MAX PAGE_SIZE +_Static_assert(IBE_MAGIC_MAX <= IBE_MATCH_MAX, + "Cannot identify binaries past the first page."); + /* * Imgact bin misc interpreter entry flags. */