RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-31 10:28:10 +00:00
Code Issues Activity Actions
serenity/Libraries/LibELF/ELFLoader.h
Andreas Kling c6e552ac8f Kernel+LibELF: Don't blindly trust ELF symbol offsets in symbolication 
It was possible to craft a custom ELF executable that when symbolicated
would cause the kernel to read from user-controlled addresses anywhere
in memory. You could then fetch this memory via /proc/PID/stack

We fix this by making ELFImage hand out StringView rather than raw
const char* for symbol names. In case a symbol offset is outside the
ELF image, you get a null StringView. :^)

Test: Kernel/elf-symbolication-kernel-read-exploit.cpp
2020-01-16 22:11:31 +01:00

61 lines
1.5 KiB
C++
Raw Blame History

#pragma once
#include <AK/Function.h>
#include <AK/HashMap.h>
#include <AK/OwnPtr.h>
#include <AK/Vector.h>
#include <LibELF/ELFImage.h>
#ifdef KERNEL
#include <Kernel/VM/VirtualAddress.h>
class Region;
#endif
class ELFLoader {
public:
explicit ELFLoader(const u8*, size_t);
~ELFLoader();
bool load();
#if defined(KERNEL)
Function<void*(VirtualAddress, size_t, size_t, bool, bool, const String&)> alloc_section_hook;
Function<void*(size_t, size_t)> tls_section_hook;
Function<void*(VirtualAddress, size_t, size_t, size_t, bool r, bool w, bool x, const String&)> map_section_hook;
VirtualAddress entry() const { return m_image.entry(); }
#endif
char* symbol_ptr(const char* name);
bool has_symbols() const { return m_image.symbol_count(); }
String symbolicate(u32 address, u32* offset = nullptr) const;
private:
bool layout();
bool perform_relocations();
void* lookup(const ELFImage::Symbol&);
char* area_for_section(const ELFImage::Section&);
char* area_for_section_name(const char*);
struct PtrAndSize {
PtrAndSize() {}
PtrAndSize(char* p, unsigned s)
: ptr(p)
, size(s)
{
}
char* ptr { nullptr };
unsigned size { 0 };
};
ELFImage m_image;
struct SortedSymbol {
u32 address;
StringView name;
};
#ifdef KERNEL
mutable OwnPtr<Region> m_sorted_symbols_region;
#else
mutable Vector<SortedSymbol> m_sorted_symbols;
#endif
};
Reference in a new issue View git blame Copy permalink