mirror of https://github.com/RGBCube/serenity synced 2025-05-31 11:48:10 +00:00

Kernel+LibELF: Don't blindly trust ELF symbol offsets in symbolication

It was possible to craft a custom ELF executable that when symbolicated
would cause the kernel to read from user-controlled addresses anywhere
in memory. You could then fetch this memory via /proc/PID/stack.

We fix this by making ELFImage hand out StringView rather than raw
const char* for symbol names. In case a symbol offset is outside the
ELF image, you get a null StringView. :^)

Test: Kernel/elf-symbolication-kernel-read-exploit.cpp
This commit is contained in:
Andreas Kling 2020-01-16 22:04:44 +01:00
parent 60143c8d4e
commit c6e552ac8f
9 changed files with 140 additions and 24 deletions


@ -20,10 +20,10 @@ static u8 parse_hex_digit(char nibble)
return 10 + (nibble - 'a');
}
u32 address_for_kernel_symbol(const char* name)
u32 address_for_kernel_symbol(const StringView& name)
{
for (unsigned i = 0; i < ksym_count; ++i) {
if (!strcmp(name, s_ksyms[i].name))
if (!strncmp(name.characters_without_null_termination(), s_ksyms[i].name, name.length()))
return s_ksyms[i].address;
}
return 0;
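Review bot: The new strncmp in address_for_kernel_symbol() is a prefix match, not the exact match the old strcmp gave. Because the comparison is bounded by name.length(), a lookup for "foo" will succeed on any kernel symbol that merely starts with "foo" (for example "foobar"), returning whichever such entry comes first in s_ksyms; and if name is empty (which is exactly the null StringView that ELFImage now hands out for out-of-range symbol offsets), the length is 0, strncmp returns 0 for every entry, and the function returns the address of s_ksyms[0] rather than 0. Suggest additionally requiring the table entry to end where the lookup name ends, e.g. `&& s_ksyms[i].name[name.length()] == '\0'`, and rejecting an empty name up front with `if (name.is_empty()) return 0;` so a null StringView cannot resolve to a real symbol.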