[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
Konstantin Belousov
kostikbel at gmail.com
Sun Oct 7 22:46:23 UTC 2018
On Mon, Oct 08, 2018 at 12:31:26AM +0200, Dag-Erling Smørgrav wrote:
> Konstantin Belousov <kostikbel at gmail.com> writes:
> > <Lena at lena.kiev.ua> writes:
> >> Program Headers:
> >> Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
> >> PHDR 0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
> >> INTERP 0x000134 0x08048134 0x08048134 0x00011 0x00011 R 0x1
> >> [Requesting program interpreter: /lib/ld-linux.so.2]
> > As you see, the file delcares that file/memory length of the interpreter
> > name' segment is 0x11 == 16 decimal. But the string does not end on
> > byte 16, which is not NUL. We tighten the checks and do require that
> > PT_INTERP string is valid by checking that it is NUL-terminated at the
> > offset declared by the size.
>
> The string isn't just unterminated, though. It's actually longer than
> the section. To be precise, "/lib/ld-linux.so.2" is 18 characters long,
> plus NUL makes 19. The section is supposed to be 17 bytes long. I
> don't mind forgiving a missing NUL, but I'm not comfortable with reading
> past the end of the section, and it worries me that Linux doesn't care.
Apparently it was not Linux. Look at the astro/google-earth/Makefile
before r425359.
More information about the freebsd-security
mailing list