From owner-freebsd-security@freebsd.org Sun Oct 7 22:46:23 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BF3E110AAC9A for ; Sun, 7 Oct 2018 22:46:23 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 24A5297CAE for ; Sun, 7 Oct 2018 22:46:23 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from tom.home (kib@localhost [127.0.0.1]) by kib.kiev.ua (8.15.2/8.15.2) with ESMTPS id w97MkBHI033560 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 8 Oct 2018 01:46:14 +0300 (EEST) (envelope-from kostikbel@gmail.com) DKIM-Filter: OpenDKIM Filter v2.10.3 kib.kiev.ua w97MkBHI033560 Received: (from kostik@localhost) by tom.home (8.15.2/8.15.2/Submit) id w97MkBo8033559; Mon, 8 Oct 2018 01:46:11 +0300 (EEST) (envelope-from kostikbel@gmail.com) X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com using -f Date: Mon, 8 Oct 2018 01:46:11 +0300 From: Konstantin Belousov To: Dag-Erling =?utf-8?B?U23DuHJncmF2?= Cc: freebsd-security@freebsd.org Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf Message-ID: <20181007224611.GI5335@kib.kiev.ua> References: <20180912054309.61C6B13269@freefall.freebsd.org> <20181006173525.GC813@lena.kiev> <20181006182104.GS5335@kib.kiev.ua> <86sh1hs81t.fsf@next.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <86sh1hs81t.fsf@next.des.no> User-Agent: Mutt/1.10.1 (2018-07-13) X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,BAYES_00, DKIM_ADSP_CUSTOM_MED,FORGED_GMAIL_RCVD,FREEMAIL_FROM, NML_ADSP_CUSTOM_MED autolearn=no autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tom.home X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Oct 2018 22:46:23 -0000 On Mon, Oct 08, 2018 at 12:31:26AM +0200, Dag-Erling Smørgrav wrote: > Konstantin Belousov writes: > > writes: > >> Program Headers: > >> Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align > >> PHDR 0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4 > >> INTERP 0x000134 0x08048134 0x08048134 0x00011 0x00011 R 0x1 > >> [Requesting program interpreter: /lib/ld-linux.so.2] > > As you see, the file delcares that file/memory length of the interpreter > > name' segment is 0x11 == 16 decimal. But the string does not end on > > byte 16, which is not NUL. We tighten the checks and do require that > > PT_INTERP string is valid by checking that it is NUL-terminated at the > > offset declared by the size. > > The string isn't just unterminated, though. It's actually longer than > the section. To be precise, "/lib/ld-linux.so.2" is 18 characters long, > plus NUL makes 19. The section is supposed to be 17 bytes long. I > don't mind forgiving a missing NUL, but I'm not comfortable with reading > past the end of the section, and it worries me that Linux doesn't care. Apparently it was not Linux. Look at the astro/google-earth/Makefile before r425359.