Date: Mon, 08 Oct 2018 00:31:26 +0200
From: Dag-Erling Smørgrav <des@des.no>
To: Konstantin Belousov <kostikbel@gmail.com>
Cc: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
Message-ID: <86sh1hs81t.fsf@next.des.no>
In-Reply-To: <20181006182104.GS5335@kib.kiev.ua> (Konstantin Belousov's message of "Sat, 6 Oct 2018 21:21:04 +0300")
References: <20180912054309.61C6B13269@freefall.freebsd.org> <20181006173525.GC813@lena.kiev> <20181006182104.GS5335@kib.kiev.ua>
Konstantin Belousov <kostikbel@gmail.com> writes:
> <Lena@lena.kiev.ua> writes:
>> Program Headers:
>>   Type   Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
>>   PHDR   0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
>>   INTERP 0x000134 0x08048134 0x08048134 0x00011 0x00011 R   0x1
>>       [Requesting program interpreter: /lib/ld-linux.so.2]
> As you see, the file declares that file/memory length of the interpreter
> name's segment is 0x11 == 16 decimal. But the string does not end on
> byte 16, which is not NUL. We tighten the checks and do require that
> PT_INTERP string is valid by checking that it is NUL-terminated at the
> offset declared by the size.

The string isn't just unterminated, though. It's actually longer than the
section. To be precise, "/lib/ld-linux.so.2" is 18 characters long, plus
NUL makes 19. The section is supposed to be 17 bytes long. I don't mind
forgiving a missing NUL, but I'm not comfortable with reading past the end
of the section, and it worries me that Linux doesn't care.

DES
-- 
Dag-Erling Smørgrav - des@des.no
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86sh1hs81t.fsf>
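The two validation policies discussed in the thread, as an added example that is not part of the original message and not FreeBSD's kernel code. It mirrors the ELF32 program header layout in its own struct (so it needs no <elf.h>), constructs an in-memory image with the PHDR and INTERP headers quoted above and "/lib/ld-linux.so.2" stored at offset 0x134, and then checks the PT_INTERP string two ways: the strict check the advisory describes (the byte at p_offset + p_filesz - 1 must be NUL) and a lenient variant that forgives a missing NUL but still never reads past the declared segment. The names interp_check_strict, interp_check_lenient, make_sample, check_sample and the INTERP_MAX cap are assumptions made for this example, not identifiers from the advisory or the kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_INTERP  3
#define PT_PHDR    6
#define INTERP_MAX 1024   /* assumed cap on the interpreter path (stands in for MAXPATHLEN) */
#define SAMPLE_LEN 0x150  /* size of the constructed sample image */

/* Mirrors the ELF32 program header layout (Elf32_Phdr); defined here so the example is self-contained. */
typedef struct {
    uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align;
} phdr32_t;

enum interp_status {
    INTERP_OK = 0,
    INTERP_NONE,            /* no PT_INTERP header in the table */
    INTERP_BAD_SIZE,        /* p_filesz too small, too large, or larger than the output buffer */
    INTERP_OUT_OF_FILE,     /* the segment does not lie entirely inside the file */
    INTERP_NOT_TERMINATED   /* the last byte of the segment is not NUL */
};

static const phdr32_t *interp_find(const phdr32_t *ph, size_t nph)
{
    for (size_t i = 0; i < nph; i++)
        if (ph[i].p_type == PT_INTERP)
            return &ph[i];
    return NULL;
}

/* Shared bounds checks: sane size and whole segment inside the file (overflow-safe). */
static enum interp_status interp_bounds(size_t filelen, const phdr32_t *p)
{
    if (p->p_filesz < 2 || p->p_filesz > INTERP_MAX)
        return INTERP_BAD_SIZE;
    if (p->p_offset > filelen || p->p_filesz > filelen - p->p_offset)
        return INTERP_OUT_OF_FILE;
    return INTERP_OK;
}

/* Strict policy: the string must be NUL-terminated exactly where p_filesz says the segment ends. */
enum interp_status interp_check_strict(const uint8_t *file, size_t filelen,
                                       const phdr32_t *ph, size_t nph, char *out, size_t outlen)
{
    const phdr32_t *p = interp_find(ph, nph);
    if (p == NULL) return INTERP_NONE;
    enum interp_status st = interp_bounds(filelen, p);
    if (st != INTERP_OK) return st;
    const uint8_t *s = file + p->p_offset;
    if (s[p->p_filesz - 1] != '\0') return INTERP_NOT_TERMINATED;
    if (outlen < p->p_filesz) return INTERP_BAD_SIZE;
    memcpy(out, s, p->p_filesz);
    return INTERP_OK;
}

/* Lenient policy: forgive a missing NUL by copying at most p_filesz bytes and terminating the
   copy ourselves. It never reads past the segment, so a string that overruns its segment is
   truncated rather than read out of bounds. */
enum interp_status interp_check_lenient(const uint8_t *file, size_t filelen,
                                        const phdr32_t *ph, size_t nph, char *out, size_t outlen)
{
    const phdr32_t *p = interp_find(ph, nph);
    if (p == NULL) return INTERP_NONE;
    enum interp_status st = interp_bounds(filelen, p);
    if (st != INTERP_OK) return st;
    if (outlen < (size_t)p->p_filesz + 1) return INTERP_BAD_SIZE;
    const uint8_t *s = file + p->p_offset;
    const uint8_t *nul = memchr(s, '\0', p->p_filesz);
    size_t n = nul ? (size_t)(nul - s) : p->p_filesz;
    memcpy(out, s, n);
    out[n] = '\0';
    return INTERP_OK;
}

/* Constructed sample (not a real binary): PHDR and INTERP headers laid out as in the readelf
   output above, "/lib/ld-linux.so.2\0" at 0x134, and a caller-chosen p_filesz for INTERP. */
void make_sample(uint8_t *buf, phdr32_t ph[2], uint32_t interp_filesz)
{
    memset(buf, 0, SAMPLE_LEN);
    memcpy(buf + 0x134, "/lib/ld-linux.so.2", 19);
    ph[0] = (phdr32_t){ PT_PHDR,   0x34,  0x08048034, 0x08048034, 0x100, 0x100, 5, 4 };
    ph[1] = (phdr32_t){ PT_INTERP, 0x134, 0x08048134, 0x08048134, interp_filesz, interp_filesz, 4, 1 };
}

/* Build the sample with the given p_filesz and run one of the two policies on it. */
enum interp_status check_sample(uint32_t interp_filesz, int lenient, char *out, size_t outlen)
{
    uint8_t buf[SAMPLE_LEN];
    phdr32_t ph[2];
    make_sample(buf, ph, interp_filesz);
    return lenient ? interp_check_lenient(buf, sizeof buf, ph, 2, out, outlen)
                   : interp_check_strict(buf, sizeof buf, ph, 2, out, outlen);
}

int main(void)
{
    char path[INTERP_MAX + 1];
    printf("strict,  filesz 0x11: %d\n", check_sample(0x11, 0, path, sizeof path));
    printf("lenient, filesz 0x11: %d -> \"%s\"\n", check_sample(0x11, 1, path, sizeof path), path);
    printf("strict,  filesz 0x13: %d -> \"%s\"\n", check_sample(0x13, 0, path, sizeof path), path);
    return 0;
}
```

With the header as shipped (p_filesz 0x11), the strict check rejects the file because byte 16 of the segment is '.' rather than NUL, and the lenient check accepts it but yields the truncated path "/lib/ld-linux.so.", which is the practical cost of never reading beyond the segment. With p_filesz 0x12 the string exactly fills the segment with no NUL: strict rejects, lenient forgives and returns the full path. Only p_filesz 0x13 (18 characters plus NUL) satisfies both policies.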