RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-26 06:07:44 +00:00
Code Issues Activity Actions

Kernel+LibELF: Don't blindly trust ELF symbol offsets in symbolication

Browse source 
It was possible to craft a custom ELF executable that when symbolicated
would cause the kernel to read from user-controlled addresses anywhere
in memory. You could then fetch this memory via /proc/PID/stack

We fix this by making ELFImage hand out StringView rather than raw
const char* for symbol names. In case a symbol offset is outside the
ELF image, you get a null StringView. :^)

Test: Kernel/elf-symbolication-kernel-read-exploit.cpp
This commit is contained in:
Andreas Kling 2020-01-16 22:04:44 +01:00
parent 60143c8d4e
commit c6e552ac8f
9 changed files with 140 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Kernel/KSyms.cpp
View file

@ -20,10 +20,10 @@ static u8 parse_hex_digit(char nibble)
return 10 + (nibble - 'a');
}
u32 address_for_kernel_symbol(const char* name)
u32 address_for_kernel_symbol(const StringView& name)
{
for (unsigned i = 0; i < ksym_count; ++i) {
if (!strcmp(name, s_ksyms[i].name))
if (!strncmp(name.characters_without_null_termination(), s_ksyms[i].name, name.length()))
return s_ksyms[i].address;
}
return 0;

2
Kernel/KSyms.h
View file

@ -8,7 +8,7 @@ struct KSym {
const char* name;
};
u32 address_for_kernel_symbol(const char* name);
u32 address_for_kernel_symbol(const StringView& name);
const KSym* ksymbolicate(u32 address);
void load_ksyms();

6
Kernel/Process.cpp
View file

@ -4278,11 +4278,11 @@ int Process::sys$module_load(const char* user_path, size_t path_length)
elf_image->for_each_symbol([&](const ELFImage::Symbol& symbol) {
dbg() << " - " << symbol.type() << " '" << symbol.name() << "' @ " << (void*)symbol.value() << ", size=" << symbol.size();
if (!strcmp(symbol.name(), "module_init")) {
if (symbol.name() == "module_init") {
module->module_init = (ModuleInitPtr)(text_base + symbol.value());
} else if (!strcmp(symbol.name(), "module_fini")) {
} else if (symbol.name() == "module_fini") {
module->module_fini = (ModuleFiniPtr)(text_base + symbol.value());
} else if (!strcmp(symbol.name(), "module_name")) {
} else if (symbol.name() == "module_name") {
const u8* storage = section_storage_by_name.get(symbol.section().name()).value_or(nullptr);
if (storage)
module->name = String((const char*)(storage + symbol.value()));