RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-31 07:58:11 +00:00
Code Issues Activity Actions

Kernel+LibELF: Don't blindly trust ELF symbol offsets in symbolication

Browse source 
It was possible to craft a custom ELF executable that when symbolicated
would cause the kernel to read from user-controlled addresses anywhere
in memory. You could then fetch this memory via /proc/PID/stack

We fix this by making ELFImage hand out StringView rather than raw
const char* for symbol names. In case a symbol offset is outside the
ELF image, you get a null StringView. :^)

Test: Kernel/elf-symbolication-kernel-read-exploit.cpp
This commit is contained in:
Andreas Kling 2020-01-16 22:04:44 +01:00
parent 60143c8d4e
commit c6e552ac8f
9 changed files with 140 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

27
Libraries/LibELF/ELFImage.cpp
View file

@ -31,7 +31,7 @@ static const char* object_file_type_to_string(Elf32_Half type)
}
}
const char* ELFImage::section_index_to_string(unsigned index) const
StringView ELFImage::section_index_to_string(unsigned index) const
{
if (index == SHN_UNDEF)
return "Undefined";
@ -136,20 +136,29 @@ bool ELFImage::parse()
return true;
}
const char* ELFImage::section_header_table_string(unsigned offset) const
StringView ELFImage::table_string(unsigned table_index, unsigned offset) const
{
auto& sh = section_header(header().e_shstrndx);
auto& sh = section_header(table_index);
if (sh.sh_type != SHT_STRTAB)
return nullptr;
return raw_data(sh.sh_offset + offset);
size_t computed_offset = sh.sh_offset + offset;
if (computed_offset >= m_size) {
dbgprintf("SHENANIGANS! ELFImage::table_string() computed offset outside image.\n");
return {};
}
size_t max_length = m_size - computed_offset;
size_t length = strnlen(raw_data(sh.sh_offset + offset), max_length);
return { raw_data(sh.sh_offset + offset), length };
}
const char* ELFImage::table_string(unsigned offset) const
StringView ELFImage::section_header_table_string(unsigned offset) const
{
auto& sh = section_header(m_string_table_section_index);
if (sh.sh_type != SHT_STRTAB)
return nullptr;
return raw_data(sh.sh_offset + offset);
return table_string(header().e_shstrndx, offset);
}
StringView ELFImage::table_string(unsigned offset) const
{
return table_string(m_string_table_section_index, offset);
}
const char* ELFImage::raw_data(unsigned offset) const