Date:      Sat, 6 Oct 2018 20:35:26 +0300
From:      Lena@lena.kiev.ua
To:        freebsd-security@freebsd.org
Subject:   Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
Message-ID:  <20181006173525.GC813@lena.kiev>
In-Reply-To: <20180912054309.61C6B13269@freefall.freebsd.org>
References:  <20180912054309.61C6B13269@freefall.freebsd.org>

> Insufficient validation was performed in the ELF header parser, and malformed
> or otherwise invalid ELF binaries were not rejected as they should be.

What is invalid in the /usr/local/share/google-earth/googleearth-bin
binary of the port google-earth-7.1.5.1557,3?

FreeBSD 11.2-RELEASE-p4 Sep 27 GENERIC i386, the binary:
https://drive.google.com/file/d/1SgHk8ijSp2F9UcQGlx44psT832TdIEL0/view

~ $ googleearth
Invalid PT_INTERP
exec: ./googleearth-bin: Exec format error
~ $ readelf --program-headers /usr/local/share/google-earth/googleearth-bin

Elf file type is EXEC (Executable file)
Entry point 0x8048650
There are 8 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
  INTERP         0x000134 0x08048134 0x08048134 0x00011 0x00011 R   0x1
      [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x000000 0x08048000 0x08048000 0x007f4 0x007f4 R E 0x1000
  LOAD           0x000e74 0x08049e74 0x08049e74 0x001a0 0x001a8 RW  0x1000
  DYNAMIC        0x000e88 0x08049e88 0x08049e88 0x00168 0x00168 RW  0x4
  NOTE           0x000148 0x08048148 0x08048148 0x00044 0x00044 R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
  GNU_RELRO      0x000e74 0x08049e74 0x08049e74 0x0018c 0x0018c R   0x1

 Section to Segment mapping:
  Segment Sections...
   00
   01     .interp
   02     .interp .note.ABI-tag .note.gnu.build-id .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame
   03     .ctors .dtors .jcr .dynamic .got .got.plt .data .bss
   04     .dynamic
   05     .note.ABI-tag .note.gnu.build-id
   06
   07     .ctors .dtors .jcr .dynamic .got
~ $ ls -l /usr/local/share/google-earth/googleearth-bin
-r-xr-xr-x  1 root  wheel  5452 Sep 10  2016 /usr/local/share/google-earth/googleearth-bin
~ $ hd /usr/local/share/google-earth/googleearth-bin | less
00000000  7f 45 4c 46 01 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 03 00 01 00 00 00  50 86 04 08 34 00 00 00  |........P..4...|
00000020  14 11 00 00 00 00 00 00  34 00 20 00 08 00 28 00  |........4. ...(.|
00000030  1b 00 1a 00 06 00 00 00  34 00 00 00 34 80 04 08  |........4...4..|
00000040  34 80 04 08 00 01 00 00  00 01 00 00 05 00 00 00  |4..............|
00000050  04 00 00 00 03 00 00 00  34 01 00 00 34 81 04 08  |........4...4..|
00000060  34 81 04 08 11 00 00 00  11 00 00 00 04 00 00 00  |4..............|
00000070  01 00 00 00 01 00 00 00  00 00 00 00 00 80 04 08  |...............|
00000080  00 80 04 08 f4 07 00 00  f4 07 00 00 05 00 00 00  |.............|
00000090  00 10 00 00 01 00 00 00  74 0e 00 00 74 9e 04 08  |........t...t..|
000000a0  74 9e 04 08 a0 01 00 00  a8 01 00 00 06 00 00 00  |t............|
000000b0  00 10 00 00 02 00 00 00  88 0e 00 00 88 9e 04 08  |.............|
000000c0  88 9e 04 08 68 01 00 00  68 01 00 00 06 00 00 00  |..h...h.......|
000000d0  04 00 00 00 04 00 00 00  48 01 00 00 48 81 04 08  |........H...H..|
000000e0  48 81 04 08 44 00 00 00  44 00 00 00 04 00 00 00  |H..D...D.......|
000000f0  04 00 00 00 51 e5 74 64  00 00 00 00 00 00 00 00  |....Qtd........|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 06 00 00 00  |................|
00000110  04 00 00 00 52 e5 74 64  74 0e 00 00 74 9e 04 08  |....Rtdt...t..|
00000120  74 9e 04 08 8c 01 00 00  8c 01 00 00 04 00 00 00  |t............|
00000130  01 00 00 00 2f 6c 69 62  2f 6c 64 2d 6c 69 6e 75  |..../lib/ld-linu|
00000140  78 2e 73 6f 2e 32 00 00  04 00 00 00 10 00 00 00  |x.so.2..........|
00000150  01 00 00 00 47 4e 55 00  00 00 00 00 02 00 00 00  |....GNU.........|
00000160  06 00 00 00 0f 00 00 00  04 00 00 00 14 00 00 00  |................|
00000170  03 00 00 00 47 4e 55 00  ec f1 2d c9 13 9e 39 77  |....GNU.-.9w|
00000180  54 45 91 3d e6 c5 0b ae  90 8a 6d 1a 03 00 00 00  |TE=.m.....|
00000190  0b 00 00 00 09 00 00 00  04 00 00 00 0a 00 00 00  |................|
000001a0  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|
000001b0  02 00 00 00 00 00 00 00  05 00 00 00 06 00 00 00  |................|
000001c0  07 00 00 00 08 00 00 00  03 00 00 00 00 00 00 00  |................|

The commit:
https://lists.freebsd.org/pipermail/svn-src-all/2018-September/170051.html

 		case PT_INTERP:
 			/* Path to interpreter */
-			if (phdr[i].p_filesz > MAXPATHLEN) {
+			if (phdr[i].p_filesz < 2 ||
+			    phdr[i].p_filesz > MAXPATHLEN) {
 				uprintf("Invalid PT_INTERP\n");
 				error = ENOEXEC;
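Review bot: the new lower bound and the existing upper bound share one message, so a reader of "Invalid PT_INTERP" cannot tell whether p_filesz was below 2 or above MAXPATHLEN, which is exactly the situation in the report above. Consider printing the offending size, e.g. `uprintf("Invalid PT_INTERP (p_filesz %ju)\n", (uintmax_t)phdr[i].p_filesz);`, so a rejected binary can be diagnosed from the console line alone.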


 				interp = __DECONST(char *, imgp->image_header) +
 				    phdr[i].p_offset;
+				if (interp[interp_name_len - 1] != '\0') {
+					uprintf("Invalid PT_INTERP\n");
+					error = ENOEXEC;
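Review bot: `interp[interp_name_len - 1]` is only in bounds because the earlier `p_filesz < 2` check guarantees at least two bytes, but that precondition is not stated here and `interp_name_len` is assigned outside the lines shown; a short comment such as `/* interp_name_len >= 2, checked above */` would keep a later change to the size check from turning this into an index of -1. The message is again the bare "Invalid PT_INTERP", so a path whose terminating NUL simply falls outside p_filesz (as with the googleearth-bin header above) is indistinguishable from an out-of-range size.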




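The readelf output above gives the INTERP segment a FileSiz of 0x11 (17 bytes), while the path "/lib/ld-linux.so.2" is 18 characters plus its terminating NUL, so the byte at p_offset + p_filesz - 1 is '.' rather than 0; that is precisely what the second hunk of the quoted commit rejects. The Python below is added here and is not part of the thread or of the FreeBSD source: it rebuilds that header in a constructed minimal ELF32 image (the real binary is not reproduced) and applies both new checks; the helper names and the MAXPATHLEN value are mine.

```python
import struct
PT_INTERP = 3
MAXPATHLEN = 1024  # FreeBSD sys/param.h

def build_elf32_with_interp(interp: bytes, p_filesz: int) -> bytes:
    """Constructed minimal little-endian ELF32 image (not the real binary): ELF
    header, one PT_INTERP program header, then the interpreter string."""
    phoff, phentsize, phnum = 52, 32, 1
    ehdr = (b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8 +
            struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048650, phoff, 0, 0,
                        52, phentsize, phnum, 40, 0, 0))
    # Elf32_Phdr: p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
    phdr = struct.pack("<8I", PT_INTERP, phoff + phentsize, 0x08048134,
                       0x08048134, p_filesz, p_filesz, 4, 1)
    return ehdr + phdr + interp

def parse_phdrs(image: bytes):
    """Yield each Elf32_Phdr as a tuple, walking e_phoff/e_phentsize/e_phnum."""
    e_phoff, = struct.unpack_from("<I", image, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 42)
    for i in range(e_phnum):
        yield struct.unpack_from("<8I", image, e_phoff + i * e_phentsize)

def check_pt_interp(image: bytes) -> str:
    """The two conditions the quoted commit adds: p_filesz in [2, MAXPATHLEN]
    and the segment's last byte is the terminating NUL.  Returns 'ok: ...'
    or the reason the loader would print 'Invalid PT_INTERP'."""
    for p_type, p_offset, _va, _pa, p_filesz, *_ in parse_phdrs(image):
        if p_type != PT_INTERP:
            continue
        if p_filesz < 2 or p_filesz > MAXPATHLEN:        # first hunk
            return "Invalid PT_INTERP: p_filesz=%d out of range" % p_filesz
        interp = image[p_offset:p_offset + p_filesz]
        if len(interp) != p_filesz or interp[-1] != 0:   # second hunk
            return "Invalid PT_INTERP: path not NUL-terminated within p_filesz"
        return "ok: interpreter %r" % interp[:-1].decode()
    return "no PT_INTERP"

def nul_terminated_interp(image: bytes) -> str:
    """Follow the string to its NUL instead of trusting p_filesz (the path
    readelf printed above); this is why the file looks fine to such tools."""
    for p_type, p_offset, *_ in parse_phdrs(image):
        if p_type == PT_INTERP:
            return image[p_offset:image.index(b"\0", p_offset)].decode()
    return ""

# Reporter's header: INTERP FileSiz 0x11 (17) for "/lib/ld-linux.so.2" (18 + NUL = 19).
REPORTED = build_elf32_with_interp(b"/lib/ld-linux.so.2\0", 0x11)
FIXED = build_elf32_with_interp(b"/lib/ld-linux.so.2\0", 0x13)
```

`check_pt_interp(REPORTED)` reports the missing NUL while `nul_terminated_interp(REPORTED)` still yields the full path, reproducing the readelf-says-fine, kernel-says-invalid mismatch in the report; `FIXED` shows the p_filesz value (0x13) under which the same bytes pass.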