Date:      Mon, 8 Oct 2018 01:46:11 +0300
From:      Konstantin Belousov <kostikbel@gmail.com>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        freebsd-security@freebsd.org
Subject:   Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
Message-ID:  <20181007224611.GI5335@kib.kiev.ua>
In-Reply-To: <86sh1hs81t.fsf@next.des.no>
References:  <20180912054309.61C6B13269@freefall.freebsd.org> <20181006173525.GC813@lena.kiev> <20181006182104.GS5335@kib.kiev.ua> <86sh1hs81t.fsf@next.des.no>

On Mon, Oct 08, 2018 at 12:31:26AM +0200, Dag-Erling Smørgrav wrote:
> Konstantin Belousov <kostikbel@gmail.com> writes:
> > <Lena@lena.kiev.ua> writes:
> >> Program Headers:
> >>   Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
> >>   PHDR           0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
> >>   INTERP         0x000134 0x08048134 0x08048134 0x00011 0x00011 R   0x1
> >>       [Requesting program interpreter: /lib/ld-linux.so.2]
> > As you see, the file declares that file/memory length of the interpreter
> > name's segment is 0x11 == 16 decimal. But the string does not end on
> > byte 16, which is not NUL.  We tighten the checks and do require that
> > PT_INTERP string is valid by checking that it is NUL-terminated at the
> > offset declared by the size.
> 
> The string isn't just unterminated, though.  It's actually longer than
> the section.  To be precise, "/lib/ld-linux.so.2" is 18 characters long,
> plus NUL makes 19.  The section is supposed to be 17 bytes long.  I
> don't mind forgiving a missing NUL, but I'm not comfortable with reading
> past the end of the section, and it worries me that Linux doesn't care.

Apparently it was not Linux.  Look at the astro/google-earth/Makefile
before r425359.
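A loader-side check for the PT_INTERP case discussed in this thread, written as an added example (it is not FreeBSD's kernel code): the segment must lie inside the file image and its declared p_filesz must cover the NUL terminator, so a header that declares 0x11 bytes for "/lib/ld-linux.so.2" is rejected. The sample image, its 4-byte prefix and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Validate a PT_INTERP segment before using it as a path: it must be
 * non-empty, lie entirely inside the file image, and its last declared
 * byte (offset p_filesz - 1) must be the NUL terminator.  As an extra
 * strictness beyond what the thread requires, an embedded NUL before that
 * byte is also rejected, since it would silently shorten the path.
 * Returns 1 if the interpreter path is usable, 0 otherwise.
 */
int pt_interp_is_valid(const uint8_t *file, size_t file_len,
                       uint64_t p_offset, uint64_t p_filesz)
{
    /* Bounds check written so that offset + size cannot overflow. */
    if (p_filesz == 0 || p_offset > file_len || p_filesz > file_len - p_offset)
        return 0;
    const char *s = (const char *)file + p_offset;
    if (s[p_filesz - 1] != '\0')      /* terminator must be inside the segment */
        return 0;
    return memchr(s, '\0', p_filesz - 1) == NULL;   /* no earlier NUL */
}

/* Constructed sample image: a 4-byte dummy prefix, then the interpreter
 * string from the thread plus its NUL (4 + 18 + 1 = 23 bytes).  A real
 * image places it at p_offset 0x134; the check only needs offset and size. */
static const uint8_t sample_file[] = "XXXX/lib/ld-linux.so.2";
#define INTERP_OFFSET 4

/* The header from the thread: p_filesz 0x11 stops before the NUL. */
int thread_header_accepted(void)
{
    return pt_interp_is_valid(sample_file, sizeof sample_file, INTERP_OFFSET, 0x11);
}

/* A correct header: p_filesz 19 covers the 18 characters plus the NUL. */
int fixed_header_accepted(void)
{
    return pt_interp_is_valid(sample_file, sizeof sample_file, INTERP_OFFSET, 19);
}

int main(void)
{
    printf("thread header accepted: %d, fixed header accepted: %d\n",
           thread_header_accepted(), fixed_header_accepted());
    return 0;
}
```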
