Date: Tue, 07 Mar 2017 12:49:04 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 217610] ELF loader should have a special case for program headers with p_filesz == 0
Message-ID: <bug-217610-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217610

            Bug ID: 217610
           Summary: ELF loader should have a special case for program
                    headers with p_filesz == 0
           Product: Base System
           Version: 11.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: fuz@fuz.su

The ELF loader in imgact_elf.c contains the following code to verify a
program header before loading it:

	/*
	 * It's necessary to fail if the filsz + offset taken from the
	 * header is greater than the actual file pager object's size.
	 * If we were to allow this, then the vm_map_find() below would
	 * walk right off the end of the file object and into the ether.
	 *
	 * While I'm here, might as well check for something else that
	 * is invalid: filsz cannot be greater than memsz.
	 */
	if ((off_t)filsz + offset > imgp->attr->va_size || filsz > memsz) {
		uprintf("elf_load_section: truncated ELF file\n");
		return (ENOEXEC);
	}

However, this code is incorrect. If a program header corresponds to
sections that are all marked NOBITS, GNU ld generates a program header
with p_filesz == 0 and p_offset at the next aligned offset just past the
end of the file. This is fine as no bytes are actually ever read from
the binary. However, FreeBSD refuses to load such a valid ELF binary. I
request to amend this verification procedure to add a special case for
program headers with p_filesz == 0:

	if (filesz > memsz ||
	    filesz > 0 && (off_t)filesz + offset > imgp->attr->va_size)

-- 
You are receiving this mail because:
You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-217610-8>