1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-30 17:28:10 +00:00

Kernel+LibELF: Don't blindly trust ELF symbol offsets in symbolication

It was possible to craft a custom ELF executable that when symbolicated
would cause the kernel to read from user-controlled addresses anywhere
in memory. You could then fetch this memory via /proc/PID/stack

We fix this by making ELFImage hand out StringView rather than raw
const char* for symbol names. In case a symbol offset is outside the
ELF image, you get a null StringView. :^)

Test: Kernel/elf-symbolication-kernel-read-exploit.cpp
This commit is contained in:
Andreas Kling 2020-01-16 22:04:44 +01:00
parent 60143c8d4e
commit c6e552ac8f
9 changed files with 140 additions and 24 deletions

View file

@ -4278,11 +4278,11 @@ int Process::sys$module_load(const char* user_path, size_t path_length)
elf_image->for_each_symbol([&](const ELFImage::Symbol& symbol) {
dbg() << " - " << symbol.type() << " '" << symbol.name() << "' @ " << (void*)symbol.value() << ", size=" << symbol.size();
if (!strcmp(symbol.name(), "module_init")) {
if (symbol.name() == "module_init") {
module->module_init = (ModuleInitPtr)(text_base + symbol.value());
} else if (!strcmp(symbol.name(), "module_fini")) {
} else if (symbol.name() == "module_fini") {
module->module_fini = (ModuleFiniPtr)(text_base + symbol.value());
} else if (!strcmp(symbol.name(), "module_name")) {
} else if (symbol.name() == "module_name") {
const u8* storage = section_storage_by_name.get(symbol.section().name()).value_or(nullptr);
if (storage)
module->name = String((const char*)(storage + symbol.value()));