[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
Dag-Erling Smørgrav
des at des.no
Sun Oct 7 22:31:33 UTC 2018
Konstantin Belousov <kostikbel at gmail.com> writes:
> <Lena at lena.kiev.ua> writes:
>> Program Headers:
>> Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
>> PHDR 0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
>> INTERP 0x000134 0x08048134 0x08048134 0x00011 0x00011 R 0x1
>> [Requesting program interpreter: /lib/ld-linux.so.2]
> As you see, the file declares that file/memory length of the interpreter
> name's segment is 0x11 == 16 decimal. But the string does not end on
> byte 16, which is not NUL. We tighten the checks and do require that
> PT_INTERP string is valid by checking that it is NUL-terminated at the
> offset declared by the size.
The string isn't just unterminated, though. It's actually longer than
the section. To be precise, "/lib/ld-linux.so.2" is 18 characters long,
plus NUL makes 19. The section is supposed to be 17 bytes long. I
don't mind forgiving a missing NUL, but I'm not comfortable with reading
past the end of the section, and it worries me that Linux doesn't care.
DES
--
Dag-Erling Smørgrav - des at des.no
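The check the thread describes, written out as an added illustration (not the FreeBSD kernel's code): a PT_INTERP segment must lie entirely inside the file image and its last declared byte must be NUL, so a header that claims fewer bytes than the string actually occupies is rejected instead of read past. The file image, the 512-byte size, the MAX_INTERP_LEN cap and the helper names are constructed for this example; the offset, size and path values are the ones from the readelf dump above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal ELF32 program header, same field order as Elf32_Phdr in <elf.h>. */
struct phdr32 {
    uint32_t p_type, p_offset, p_vaddr, p_paddr,
             p_filesz, p_memsz, p_flags, p_align;
};
#define PT_INTERP 3
#define MAX_INTERP_LEN 1024   /* sanity cap on the path length (assumed value) */

enum interp_status {
    INTERP_OK = 0,
    INTERP_EMPTY,            /* p_filesz of 0: no room even for a NUL */
    INTERP_TOO_LONG,         /* exceeds the sanity cap */
    INTERP_OUT_OF_BOUNDS,    /* segment does not fit inside the file image */
    INTERP_NOT_TERMINATED    /* byte at p_filesz-1 is not NUL */
};

/* Validate the segment against the file image rather than trusting the
 * string to end where the header says it does. */
enum interp_status check_interp(const uint8_t *file, size_t file_len,
                                const struct phdr32 *ph)
{
    if (ph->p_filesz == 0) return INTERP_EMPTY;
    if (ph->p_filesz > MAX_INTERP_LEN) return INTERP_TOO_LONG;
    /* Overflow-safe bounds test: offset and size must both fit in the file. */
    if (ph->p_offset > file_len || ph->p_filesz > file_len - ph->p_offset)
        return INTERP_OUT_OF_BOUNDS;
    if (file[ph->p_offset + ph->p_filesz - 1] != '\0') return INTERP_NOT_TERMINATED;
    return INTERP_OK;
}

/* Constructed 512-byte image with "/lib/ld-linux.so.2\0" (19 bytes) at
 * offset 0x134, as in the readelf dump; only the header fields vary. */
static enum interp_status run_case(uint32_t p_offset, uint32_t p_filesz)
{
    uint8_t file[0x200];
    memset(file, 0, sizeof file);
    memcpy(file + 0x134, "/lib/ld-linux.so.2", 19);
    struct phdr32 ph = { PT_INTERP, p_offset, 0x08048134, 0x08048134,
                         p_filesz, p_filesz, 4 /* PF_R */, 1 };
    return check_interp(file, sizeof file, &ph);
}

enum interp_status advisory_case(void) { return run_case(0x134, 0x11); } /* claims 17 bytes */
enum interp_status correct_case(void)  { return run_case(0x134, 0x13); } /* claims 19 bytes */
enum interp_status overrun_case(void)  { return run_case(0x1f8, 0x11); } /* runs off the file */
```

In the advisory case the byte at offset 0x134 + 0x10 is the '.' before the final '2', so the header's own size bound is what rejects it; the overrun case shows the same check catching a segment that extends past the end of the file.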