[Bug 277616] ldd uses elf phdr.p_offset without checking
Date: Sun, 10 Mar 2024 19:12:34 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277616
Bug ID: 277616
Summary: ldd uses elf phdr.p_offset without checking
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Created attachment 249076
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=249076&action=edit
an elf file with a huge phdr.p_offset
The attached corrupt elf file contains a program header with a huge
offset, which causes ldd to dereference a bad pointer. ldd's
is_executable() says:
    case PT_DYNAMIC:
        dynamic = true;
        if (ehdr.e_type == ET_DYN)
            pie = is_pie(fname, elf, &ehdr, phdr.p_offset,
                phdr.p_filesz);
and is_pie() says:
    src.d_buf = buf + offset;
and calls gelf_xlatetom() with src.
There's a similar problem in has_freebsd_abi_tag(), and both functions
use len (phdr.p_filesz) without a check.
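An added illustration of the check the report says is missing (this is example code written here, not the reporter's patch and not FreeBSD's ldd source): before `buf + offset` is formed, the program header's `p_offset` and `p_filesz` are validated against the size of the mapped file, using subtraction rather than `offset + len` so a huge offset cannot wrap. The `struct phdr_min` type and the `phdr_range_in_file` / `pt_dynamic_bytes` helpers are stand-ins constructed for this example; the sample header values are the ones from the gdb dump below, checked against a constructed 16 KiB image.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PT_DYNAMIC_VALUE 2  /* ELF segment type PT_DYNAMIC */

/* Minimal stand-in for the GElf_Phdr fields used here (constructed for
 * this example; not the libelf type). */
struct phdr_min {
    uint32_t p_type;
    uint64_t p_offset;
    uint64_t p_filesz;
};

/* True iff [offset, offset + len) lies entirely inside a file image of
 * file_size bytes.  Comparing len against (file_size - offset) instead of
 * computing offset + len means an enormous offset cannot wrap around. */
bool phdr_range_in_file(uint64_t offset, uint64_t len, uint64_t file_size)
{
    if (offset > file_size)
        return false;
    return len <= file_size - offset;
}

/* Locate the PT_DYNAMIC segment bytes inside buf.  Returns NULL when no
 * such header exists or when its range is not backed by the file image,
 * so the caller never dereferences buf + p_offset for a corrupt header. */
const unsigned char *
pt_dynamic_bytes(const unsigned char *buf, uint64_t file_size,
    const struct phdr_min *phdrs, size_t nphdr)
{
    for (size_t i = 0; i < nphdr; i++) {
        if (phdrs[i].p_type != PT_DYNAMIC_VALUE)
            continue;
        if (!phdr_range_in_file(phdrs[i].p_offset, phdrs[i].p_filesz,
            file_size))
            return NULL;    /* corrupt header: refuse, do not deref */
        return buf + phdrs[i].p_offset;
    }
    return NULL;
}

int main(void)
{
    /* Constructed 16 KiB stand-in for the mmap'd ELF file. */
    static unsigned char image[16384];
    /* Header values from the report's gdb dump (the crashing case)... */
    struct phdr_min bad = { PT_DYNAMIC_VALUE, 0x7fffffffbfa9ae7fULL, 0x190 };
    /* ...and a plausible well-formed header constructed for contrast. */
    struct phdr_min good = { PT_DYNAMIC_VALUE, 0x28e0, 0x190 };

    printf("corrupt header accepted: %s\n",
        pt_dynamic_bytes(image, sizeof image, &bad, 1) ? "yes" : "no");
    printf("sane header accepted:    %s\n",
        pt_dynamic_bytes(image, sizeof image, &good, 1) ? "yes" : "no");
    return 0;
}
```

The same guard applies to `has_freebsd_abi_tag()`, which the report says reads `len` bytes from `buf + offset` in the same way: validate both the offset and the length against the file size once, before any `Elf_Data` source buffer is set up for `gelf_xlatetom()`.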
# uname -a
FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #19
main-n268743-a58813fd701e: Sat Mar 9 07:18:21 AST 2024
root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
# ldd ldd1b.exe
Bus error (core dumped)
Program received signal SIGBUS, Bus error.
Object-specific hardware error.
_libelf_cvt_DYN64_tom (dst=<optimized out>, dsz=<optimized out>,
src=<optimized out>, count=<optimized out>, byteswap=0)
at libelf_convert.c:529
529 READ_SXWORD(s,t.d_tag);
(gdb) where
#0 _libelf_cvt_DYN64_tom (dst=<optimized out>, dsz=<optimized out>,
src=<optimized out>, count=<optimized out>, byteswap=0)
at libelf_convert.c:529
#1 0x00000008010782ac in _libelf_xlate (dst=0x7fffffffe8a0,
src=0x7fffffffe870, encoding=<optimized out>, elfclass=2, elfmachine=243,
direction=direction@entry=1)
at /usr/src/contrib/elftoolchain/libelf/libelf_xlate.c:143
#2 0x00000008010757a2 in gelf_xlatetom (e=e@entry=0x801809000,
dst=0x80106bef0, dst@entry=0x7fffffffe8a0, src=0x2,
src@entry=0x7fffffffe870, encoding=384)
at /usr/src/contrib/elftoolchain/libelf/gelf_xlate.c:68
#3 0x0000000001023a7c in is_pie (fname=0x7fffffffed4a "ldd1b.exe",
elf=0x801809000, ehdr=0x7fffffffe8d0, offset=<optimized out>, len=400)
at /usr/src/usr.bin/ldd/ldd.c:369
#4 is_executable (fname=0x7fffffffed4a "ldd1b.exe", fd=3,
is_shlib=<optimized out>, type=<optimized out>)
at /usr/src/usr.bin/ldd/ldd.c:447
#5 main (argc=1, argv=0x7fffffffe9d8) at /usr/src/usr.bin/ldd/ldd.c:174
(gdb) print/x phdr
$1 = {p_type = 0x2, p_flags = 0x6, p_offset = 0x7fffffffbfa9ae7f,
p_vaddr = 0x28e0, p_paddr = 0x28e0, p_filesz = 0x190, p_memsz = 0x190,
p_align = 0x8}