mirror of https://github.com/RGBCube/serenity synced 2025-05-31 20:18:12 +00:00

Kernel+LibELF: Validate PT_LOAD and PT_TLS offsets before memcpy()'ing

Before this, you could make the kernel copy memory from anywhere by
setting up an ELF executable with a program header specifying file
offsets outside the file.

Since ELFImage didn't even know how large it was, we had no clue that
we were copying things from outside the ELF.

Fix this by adding a size field to ELFImage and validating program
header ranges before memcpy()'ing to them.

The ELF code is definitely going to need more validation and checking.
Andreas Kling 2020-01-06 21:04:57 +01:00
parent 9bf1fe9439
commit 78a63930cc
6 changed files with 37 additions and 9 deletions


@ -2,8 +2,9 @@
#include <AK/kstdio.h>
#include <LibELF/ELFImage.h>
ELFImage::ELFImage(const u8* buffer)
ELFImage::ELFImage(const u8* buffer, size_t size)
: m_buffer(buffer)
, m_size(size)
{
m_valid = parse();
}
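Review bot: the constructor now records `m_size`, but nothing in this hunk guards the call to `parse()` against a buffer smaller than the ELF header itself, even though `parse()` will read `header()` fields such as `e_phoff` and `e_phnum` before any per-segment range check can run. Since the size is available here, consider rejecting too-small inputs up front, e.g. `if (size < sizeof(Elf32_Ehdr)) { m_valid = false; return; }` before `m_valid = parse();`, and having `parse()` verify that the program header table (`e_phoff` plus `e_phnum` entries) lies within `m_size` before iterating it, so the new `m_size` bound covers the header reads as well as the `PT_LOAD`/`PT_TLS` copies the commit message describes.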
@ -59,6 +60,8 @@ void ELFImage::dump() const
dbgprintf(" entry: %x\n", header().e_entry);
dbgprintf(" shoff: %u\n", header().e_shoff);
dbgprintf(" shnum: %u\n", header().e_shnum);
dbgprintf(" phoff: %u\n", header().e_phoff);
dbgprintf(" phnum: %u\n", header().e_phnum);
dbgprintf(" shstrndx: %u\n", header().e_shstrndx);
for (unsigned i = 0; i < header().e_shnum; ++i) {
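Review bot: the two new `dbgprintf` lines for `phoff` and `phnum` are consistent with the surrounding `%u` formats, but since this change exists to bound program-header ranges against the image size, it would help debugging to also dump `m_size` here (e.g. `dbgprintf("    size: %u\n", m_size);`), so that a rejected image's dump shows the limit the validation compared against alongside the offsets it rejected.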