mirror of
https://github.com/RGBCube/serenity
synced 2025-05-30 17:28:10 +00:00
Kernel+LibELF: Don't blindly trust ELF symbol offsets in symbolication
It was possible to craft a custom ELF executable that when symbolicated would cause the kernel to read from user-controlled addresses anywhere in memory. You could then fetch this memory via /proc/PID/stack We fix this by making ELFImage hand out StringView rather than raw const char* for symbol names. In case a symbol offset is outside the ELF image, you get a null StringView. :^) Test: Kernel/elf-symbolication-kernel-read-exploit.cpp
This commit is contained in:
parent
60143c8d4e
commit
c6e552ac8f
9 changed files with 140 additions and 24 deletions
|
@ -4278,11 +4278,11 @@ int Process::sys$module_load(const char* user_path, size_t path_length)
|
|||
|
||||
elf_image->for_each_symbol([&](const ELFImage::Symbol& symbol) {
|
||||
dbg() << " - " << symbol.type() << " '" << symbol.name() << "' @ " << (void*)symbol.value() << ", size=" << symbol.size();
|
||||
if (!strcmp(symbol.name(), "module_init")) {
|
||||
if (symbol.name() == "module_init") {
|
||||
module->module_init = (ModuleInitPtr)(text_base + symbol.value());
|
||||
} else if (!strcmp(symbol.name(), "module_fini")) {
|
||||
} else if (symbol.name() == "module_fini") {
|
||||
module->module_fini = (ModuleFiniPtr)(text_base + symbol.value());
|
||||
} else if (!strcmp(symbol.name(), "module_name")) {
|
||||
} else if (symbol.name() == "module_name") {
|
||||
const u8* storage = section_storage_by_name.get(symbol.section().name()).value_or(nullptr);
|
||||
if (storage)
|
||||
module->name = String((const char*)(storage + symbol.value()));
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue