Date: Sun, 10 Mar 2024 19:12:34 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 277616] ldd uses elf phdr.p_offset without checking Message-ID: <bug-277616-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277616

            Bug ID: 277616
           Summary: ldd uses elf phdr.p_offset without checking
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 249076
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=249076&action=edit
an elf file with a huge phdr.p_offset

The attached corrupt elf file contains a program header with a huge
offset, which causes ldd to dereference a bad pointer.

ldd's is_executable() says:

                case PT_DYNAMIC:
                        dynamic = true;
                        if (ehdr.e_type == ET_DYN)
                                pie = is_pie(fname, elf, &ehdr, phdr.p_offset,
                                    phdr.p_filesz);

and is_pie() says:

        src.d_buf = buf + offset;

and calls gelf_xlatetom() with src.

There's a similar problem in has_freebsd_abi_tag(), and both functions
use len (phdr.p_filesz) without a check.

# uname -a
FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #19 main-n268743-a58813fd701e: Sat Mar  9 07:18:21 AST 2024     root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
# ldd ldd1b.exe
Bus error (core dumped)

Program received signal SIGBUS, Bus error.
Object-specific hardware error.
_libelf_cvt_DYN64_tom (dst=<optimized out>, dsz=<optimized out>,
    src=<optimized out>, count=<optimized out>, byteswap=0)
    at libelf_convert.c:529
529                     READ_SXWORD(s,t.d_tag);
(gdb) where
#0  _libelf_cvt_DYN64_tom (dst=<optimized out>, dsz=<optimized out>,
    src=<optimized out>, count=<optimized out>, byteswap=0)
    at libelf_convert.c:529
#1  0x00000008010782ac in _libelf_xlate (dst=0x7fffffffe8a0,
    src=0x7fffffffe870, encoding=<optimized out>, elfclass=2, elfmachine=243,
    direction=direction@entry=1)
    at /usr/src/contrib/elftoolchain/libelf/libelf_xlate.c:143
#2  0x00000008010757a2 in gelf_xlatetom (e=e@entry=0x801809000,
    dst=0x80106bef0, dst@entry=0x7fffffffe8a0, src=0x2,
    src@entry=0x7fffffffe870, encoding=384)
    at /usr/src/contrib/elftoolchain/libelf/gelf_xlate.c:68
#3  0x0000000001023a7c in is_pie (fname=0x7fffffffed4a "ldd1b.exe",
    elf=0x801809000, ehdr=0x7fffffffe8d0, offset=<optimized out>, len=400)
    at /usr/src/usr.bin/ldd/ldd.c:369
#4  is_executable (fname=0x7fffffffed4a "ldd1b.exe", fd=3,
    is_shlib=<optimized out>, type=<optimized out>)
    at /usr/src/usr.bin/ldd/ldd.c:447
#5  main (argc=1, argv=0x7fffffffe9d8) at /usr/src/usr.bin/ldd/ldd.c:174
(gdb) print/x phdr
$1 = {p_type = 0x2, p_flags = 0x6, p_offset = 0x7fffffffbfa9ae7f,
  p_vaddr = 0x28e0, p_paddr = 0x28e0, p_filesz = 0x190, p_memsz = 0x190,
  p_align = 0x8}

--
You are receiving this mail because:
You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-277616-227>
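The report's point is that both is_pie() and has_freebsd_abi_tag() trust phdr.p_offset and phdr.p_filesz from the file and compute `buf + offset` before anyone has checked that the range lies inside the mapped file. The following is an added example, not ldd's code and not the fix committed to FreeBSD: a wrap-safe range check that a parser would apply before forming such a pointer. It models only the two fields involved (a hypothetical `struct phdr_range` standing in for GElf_Phdr), and the file size used in the demonstration is a constructed value; the bad header values are the ones printed by gdb in the report.

```c
/*
 * Added example (not the FreeBSD ldd source or its fix): validate an ELF
 * program header's file range before deriving a pointer from it.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the GElf_Phdr fields this check needs. */
struct phdr_range {
	uint64_t p_offset;	/* byte offset of the segment in the file */
	uint64_t p_filesz;	/* number of bytes the segment occupies in the file */
};

/*
 * True only when [p_offset, p_offset + p_filesz) lies entirely inside a
 * file of file_size bytes.  The two comparisons are ordered so that the
 * sum is never formed: with p_offset = 0x7fffffffbfa9ae7f a naive
 * "p_offset + p_filesz <= file_size" could wrap on some inputs, and with
 * a plain 64-bit add it would still pass nothing useful to the caller.
 */
bool
phdr_range_ok(const struct phdr_range *ph, uint64_t file_size)
{
	if (ph->p_offset > file_size)
		return false;
	if (ph->p_filesz > file_size - ph->p_offset)
		return false;
	return true;
}

/*
 * The gated equivalent of "src.d_buf = buf + offset": returns a pointer
 * into buf only when the header has passed the range check, otherwise
 * NULL so the caller can reject the file instead of reading out of bounds.
 */
const char *
segment_ptr(const char *buf, uint64_t file_size, const struct phdr_range *ph)
{
	if (buf == NULL || !phdr_range_ok(ph, file_size))
		return NULL;
	return buf + ph->p_offset;
}

int
main(void)
{
	/* Constructed file image: 0x3000 bytes, far smaller than the bad offset. */
	static char image[0x3000];
	uint64_t file_size = sizeof(image);

	/* Header values from the gdb "print/x phdr" output in the report. */
	struct phdr_range bad = { .p_offset = 0x7fffffffbfa9ae7fULL, .p_filesz = 0x190 };
	/* A constructed sane header that fits inside the image. */
	struct phdr_range good = { .p_offset = 0x28e0, .p_filesz = 0x190 };

	printf("bad header accepted:  %s\n",
	    segment_ptr(image, file_size, &bad) != NULL ? "yes" : "no");
	printf("good header accepted: %s\n",
	    segment_ptr(image, file_size, &good) != NULL ? "yes" : "no");
	return 0;
}
```

The same check applies to has_freebsd_abi_tag(), which the report says reads `len` (phdr.p_filesz) without validation: once the range is known to fit, `len` can be passed to gelf_xlatetom() safely, and a header that fails the check should make the tool report the file as malformed rather than proceed.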