[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf

Lena at lena.kiev.ua Lena at lena.kiev.ua
Sat Oct 6 17:35:38 UTC 2018 

> Insufficient validation was performed in the ELF header parser, and malformed
> or otherwise invalid ELF binaries were not rejected as they should be.

What is invalid in the /usr/local/share/google-earth/googleearth-bin
binary of the port google-earth-7.1.5.1557,3 ?

FreeBSD 11.2-RELEASE-p4 Sep 27 GENERIC i386, the binary:
https://drive.google.com/file/d/1SgHk8ijSp2F9UcQGlx44psT832TdIEL0/view

~ $ googleearth
Invalid PT_INTERP
exec: ./googleearth-bin: Exec format error
~ $ readelf --program-headers /usr/local/share/google-earth/googleearth-bin

Elf file type is EXEC (Executable file)
Entry point 0x8048650
There are 8 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
  INTERP         0x000134 0x08048134 0x08048134 0x00011 0x00011 R   0x1
      [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x000000 0x08048000 0x08048000 0x007f4 0x007f4 R E 0x1000
  LOAD           0x000e74 0x08049e74 0x08049e74 0x001a0 0x001a8 RW  0x1000
  DYNAMIC        0x000e88 0x08049e88 0x08049e88 0x00168 0x00168 RW  0x4
  NOTE           0x000148 0x08048148 0x08048148 0x00044 0x00044 R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
  GNU_RELRO      0x000e74 0x08049e74 0x08049e74 0x0018c 0x0018c R   0x1

 Section to Segment mapping:
  Segment Sections...
   00
   01     .interp
   02     .interp .note.ABI-tag .note.gnu.build-id .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame
   03     .ctors .dtors .jcr .dynamic .got .got.plt .data .bss
   04     .dynamic
   05     .note.ABI-tag .note.gnu.build-id
   06
   07     .ctors .dtors .jcr .dynamic .got
~ $ ls -l /usr/local/share/google-earth/googleearth-bin
-r-xr-xr-x  1 root  wheel  5452 Sep 10  2016 /usr/local/share/google-earth/googleearth-bin
~ $ hd /usr/local/share/google-earth/googleearth-bin | less
00000000  7f 45 4c 46 01 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 03 00 01 00 00 00  50 86 04 08 34 00 00 00  |........P├..4...|
00000020  14 11 00 00 00 00 00 00  34 00 20 00 08 00 28 00  |........4. ...(.|
00000030  1b 00 1a 00 06 00 00 00  34 00 00 00 34 80 04 08  |........4...4─..|
00000040  34 80 04 08 00 01 00 00  00 01 00 00 05 00 00 00  |4─..............|
00000050  04 00 00 00 03 00 00 00  34 01 00 00 34 81 04 08  |........4...4│..|
00000060  34 81 04 08 11 00 00 00  11 00 00 00 04 00 00 00  |4│..............|
00000070  01 00 00 00 01 00 00 00  00 00 00 00 00 80 04 08  |.............─..|
00000080  00 80 04 08 f4 07 00 00  f4 07 00 00 05 00 00 00  |.─..Т...Т.......|
00000090  00 10 00 00 01 00 00 00  74 0e 00 00 74 9e 04 08  |........t...t·..|
000000a0  74 9e 04 08 a0 01 00 00  a8 01 00 00 06 00 00 00  |t·..═...╗.......|
000000b0  00 10 00 00 02 00 00 00  88 0e 00 00 88 9e 04 08  |........┬...┬·..|
000000c0  88 9e 04 08 68 01 00 00  68 01 00 00 06 00 00 00  |┬·..h...h.......|
000000d0  04 00 00 00 04 00 00 00  48 01 00 00 48 81 04 08  |........H...H│..|
000000e0  48 81 04 08 44 00 00 00  44 00 00 00 04 00 00 00  |H│..D...D.......|
000000f0  04 00 00 00 51 e5 74 64  00 00 00 00 00 00 00 00  |....QЕtd........|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 06 00 00 00  |................|
00000110  04 00 00 00 52 e5 74 64  74 0e 00 00 74 9e 04 08  |....RЕtdt...t·..|
00000120  74 9e 04 08 8c 01 00 00  8c 01 00 00 04 00 00 00  |t·..▄...▄.......|
00000130  01 00 00 00 2f 6c 69 62  2f 6c 64 2d 6c 69 6e 75  |..../lib/ld-linu|
00000140  78 2e 73 6f 2e 32 00 00  04 00 00 00 10 00 00 00  |x.so.2..........|
00000150  01 00 00 00 47 4e 55 00  00 00 00 00 02 00 00 00  |....GNU.........|
00000160  06 00 00 00 0f 00 00 00  04 00 00 00 14 00 00 00  |................|
00000170  03 00 00 00 47 4e 55 00  ec f1 2d c9 13 9e 39 77  |....GNU.ЛЯ-и.·9w|
00000180  54 45 91 3d e6 c5 0b ae  90 8a 6d 1a 03 00 00 00  |TE▒=Фе.╝░┼m.....|
00000190  0b 00 00 00 09 00 00 00  04 00 00 00 0a 00 00 00  |................|
000001a0  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|
000001b0  02 00 00 00 00 00 00 00  05 00 00 00 06 00 00 00  |................|
000001c0  07 00 00 00 08 00 00 00  03 00 00 00 00 00 00 00  |................|

The commit:
https://lists.freebsd.org/pipermail/svn-src-all/2018-September/170051.html

 		case PT_INTERP:
 			/* Path to interpreter */
-			if (phdr[i].p_filesz > MAXPATHLEN) {
+			if (phdr[i].p_filesz < 2 ||
+			    phdr[i].p_filesz > MAXPATHLEN) {
 				uprintf("Invalid PT_INTERP\n");
 				error = ENOEXEC;


 				interp = __DECONST(char *, imgp->image_header) +
 				    phdr[i].p_offset;
+				if (interp[interp_name_len - 1] != '\0') {
+					uprintf("Invalid PT_INTERP\n");
+					error = ENOEXEC;

More information about the freebsd-security mailing list