RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 04:17:35 +00:00
Code Issues Activity Actions

Kernel+LibELF: Don't blindly trust ELF symbol offsets in symbolication

Browse source 
It was possible to craft a custom ELF executable that when symbolicated
would cause the kernel to read from user-controlled addresses anywhere
in memory. You could then fetch this memory via /proc/PID/stack

We fix this by making ELFImage hand out StringView rather than raw
const char* for symbol names. In case a symbol offset is outside the
ELF image, you get a null StringView. :^)

Test: Kernel/elf-symbolication-kernel-read-exploit.cpp
This commit is contained in:
Andreas Kling 2020-01-16 22:04:44 +01:00
parent 60143c8d4e
commit c6e552ac8f
9 changed files with 140 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

11
Libraries/LibELF/ELFImage.h
View file

@ -39,7 +39,7 @@ public:
~Symbol() {}
const char* name() const { return m_image.table_string(m_sym.st_name); }
StringView name() const { return m_image.table_string(m_sym.st_name); }
unsigned section_index() const { return m_sym.st_shndx; }
unsigned value() const { return m_sym.st_value; }
unsigned size() const { return m_sym.st_size; }
@ -94,7 +94,7 @@ public:
}
~Section() {}
const char* name() const { return m_image.section_header_table_string(m_section_header.sh_name); }
StringView name() const { return m_image.section_header_table_string(m_section_header.sh_name); }
unsigned type() const { return m_section_header.sh_type; }
unsigned offset() const { return m_section_header.sh_offset; }
unsigned size() const { return m_section_header.sh_size; }
@ -183,9 +183,10 @@ private:
const Elf32_Ehdr& header() const;
const Elf32_Shdr& section_header(unsigned) const;
const Elf32_Phdr& program_header_internal(unsigned) const;
const char* table_string(unsigned offset) const;
const char* section_header_table_string(unsigned offset) const;
const char* section_index_to_string(unsigned index) const;
StringView table_string(unsigned offset) const;
StringView section_header_table_string(unsigned offset) const;
StringView section_index_to_string(unsigned index) const;
StringView table_string(unsigned table_index, unsigned offset) const;
const u8* m_buffer { nullptr };
size_t m_size { 0 };