Date:      Sat, 6 Oct 2018 21:46:36 +0300
From:      Konstantin Belousov <kostikbel@gmail.com>
To:        freebsd-security@freebsd.org
Subject:   Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
Message-ID:  <20181006184636.GT5335@kib.kiev.ua>
In-Reply-To: <20181006182104.GS5335@kib.kiev.ua>
References:  <20180912054309.61C6B13269@freefall.freebsd.org> <20181006173525.GC813@lena.kiev> <20181006182104.GS5335@kib.kiev.ua>

On Sat, Oct 06, 2018 at 09:21:04PM +0300, Konstantin Belousov wrote:
> On Sat, Oct 06, 2018 at 08:35:26PM +0300, Lena@lena.kiev.ua wrote:
> > > Insufficient validation was performed in the ELF header parser, and malformed
> > > or otherwise invalid ELF binaries were not rejected as they should be.
> > 
> > What is invalid in the /usr/local/share/google-earth/googleearth-bin
> > binary of the port google-earth-7.1.5.1557,3 ?
> > 
> > FreeBSD 11.2-RELEASE-p4 Sep 27 GENERIC i386, the binary:
> > https://drive.google.com/file/d/1SgHk8ijSp2F9UcQGlx44psT832TdIEL0/view
> > 
> > ~ $ googleearth
> > Invalid PT_INTERP
> > exec: ./googleearth-bin: Exec format error
> > ~ $ readelf --program-headers /usr/local/share/google-earth/googleearth-bin
> > 
> > Elf file type is EXEC (Executable file)
> > Entry point 0x8048650
> > There are 8 program headers, starting at offset 52
> > 
> > Program Headers:
> >   Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
> >   PHDR           0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
> >   INTERP         0x000134 0x08048134 0x08048134 0x00011 0x00011 R   0x1
> >       [Requesting program interpreter: /lib/ld-linux.so.2]
> As you see, the file declares that the file/memory length of the interpreter
> name segment is 0x11 == 16 decimal. But the string does not end on
> byte 16, which is not NUL.  We tighten the checks and do require that the
> PT_INTERP string is valid by checking that it is NUL-terminated at the
> offset declared by the size.
As emaste pointed out, I am off by one, i.e. replace 16 by 17 in the text
above.
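The check described in the message, as an added C illustration (this is not the FreeBSD kernel's imgact_elf code and not part of the original thread): a 32-bit ELF image is built in memory with a PT_INTERP entry whose p_filesz is set either to the real length of "/lib/ld-linux.so.2" plus its NUL (19 bytes) or to the 0x11 the googleearth-bin header declares, and the parser rejects the latter because the byte at the declared end is '.' rather than NUL. The bounds checks on the program header table, the MAXPATHLEN cap and the "multiple PT_INTERP" rejection are assumptions added here for completeness, not things the message states. The ELF struct definitions are written out rather than taken from <elf.h> so the block builds on any platform.

```c
/* Added illustration of the PT_INTERP validation discussed above; not the
 * FreeBSD kernel's code.  Parses a 32-bit little-endian ELF image held in
 * memory and checks that the PT_INTERP segment fits in the file, has a sane
 * size, and ends with the NUL byte at the offset its p_filesz declares. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_LOAD    1
#define PT_INTERP  3
#define PT_PHDR    6
#define MAXPATHLEN 1024   /* assumed upper bound on the interpreter path */

typedef struct {
    uint8_t  e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf32_Ehdr;                                   /* 52 bytes */

typedef struct {
    uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align;
} Elf32_Phdr;                                   /* 32 bytes */

/* Returns 1 if the image carries exactly one well-formed PT_INTERP (path
 * copied into interp), 0 if it has none (a static binary), -1 if invalid. */
int check_pt_interp(const uint8_t *img, size_t len, char *interp, size_t n)
{
    Elf32_Ehdr eh;
    Elf32_Phdr ph;
    const uint8_t *found = NULL;
    size_t found_len = 0;

    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 1) return -1;
    if (eh.e_phentsize != sizeof ph) return -1;
    /* the whole program header table must lie inside the file */
    if (eh.e_phoff > len || (size_t)eh.e_phnum * sizeof ph > len - eh.e_phoff) return -1;

    for (unsigned i = 0; i < eh.e_phnum; i++) {
        memcpy(&ph, img + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_INTERP) continue;
        if (found) return -1;                          /* multiple PT_INTERP */
        /* at least one path byte plus NUL, bounded, and inside the file */
        if (ph.p_filesz < 2 || ph.p_filesz > MAXPATHLEN) return -1;
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset) return -1;
        found = img + ph.p_offset;
        found_len = ph.p_filesz;
    }
    if (!found) return 0;
    /* the check from the message: the byte at the declared end must be NUL */
    if (found[found_len - 1] != '\0') return -1;
    if (interp && n >= found_len) memcpy(interp, found, found_len);
    return 1;
}

/* Constructed sample: ELF header, a PT_PHDR and a PT_INTERP entry whose
 * p_filesz/p_memsz are set to declared_sz while the real path bytes
 * (including NUL) are always written.  declared_sz == 0 turns the entry
 * into an empty PT_LOAD to mimic a static binary.  Returns image length. */
size_t build_image(uint8_t *buf, size_t cap, const char *path, uint32_t declared_sz)
{
    Elf32_Ehdr eh = {0};
    Elf32_Phdr ph[2] = {{0}};
    size_t path_bytes = strlen(path) + 1;
    size_t interp_off = sizeof eh + sizeof ph;   /* 116 */
    size_t total = interp_off + path_bytes;

    if (total > cap) return 0;
    memcpy(eh.e_ident, "\x7f" "ELF\x01\x01\x01", 7);  /* ELFCLASS32, LSB, EV_CURRENT */
    eh.e_type = 2; eh.e_machine = 3; eh.e_version = 1; /* ET_EXEC, EM_386 */
    eh.e_entry = 0x8048650; eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph[0]; eh.e_phnum = 2;

    ph[0].p_type = PT_PHDR; ph[0].p_offset = sizeof eh;
    ph[0].p_filesz = ph[0].p_memsz = sizeof ph; ph[0].p_flags = 5; ph[0].p_align = 4;

    ph[1].p_type = declared_sz ? PT_INTERP : PT_LOAD;
    ph[1].p_offset = (uint32_t)interp_off;
    ph[1].p_vaddr = ph[1].p_paddr = 0x08048000u + (uint32_t)interp_off;
    ph[1].p_filesz = ph[1].p_memsz = declared_sz; ph[1].p_flags = 4; ph[1].p_align = 1;

    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, sizeof ph);
    memcpy(buf + interp_off, path, path_bytes);
    return total;
}

/* Build one sample image and run the check on it. */
int run_case(const char *path, uint32_t declared_sz)
{
    uint8_t img[256];
    char interp[MAXPATHLEN];
    size_t n = build_image(img, sizeof img, path, declared_sz);
    return n ? check_pt_interp(img, n, interp, sizeof interp) : -1;
}

int main(void)
{
    /* 0x11 is the p_filesz the googleearth-bin header on the page declares */
    printf("p_filesz 19   -> %d\n", run_case("/lib/ld-linux.so.2", 19));
    printf("p_filesz 0x11 -> %d\n", run_case("/lib/ld-linux.so.2", 0x11));
    return 0;
}
```

With p_filesz 19 the byte at offset 18 is the NUL and the check passes; with 0x11 the byte at offset 16 is the second '.', so the image is rejected exactly as the kernel now rejects the Google Earth binary. A p_filesz larger than the bytes left in the file is also rejected, which is the read-past-end case the advisory's tightened parsing guards against.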



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20181006184636.GT5335>