| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241015231651.3851138-12-mmaurer@google.com>
Date: Tue, 15 Oct 2024 23:16:45 +0000
From: Matthew Maurer <mmaurer@...gle.com>
To: mcgrof@...nel.org
Cc: linux-kernel@...r.kernel.org, linux-modules@...r.kernel.org,
samitolvanen@...gle.com, Matthew Maurer <mmaurer@...gle.com>,
Petr Pavlu <petr.pavlu@...e.com>, Daniel Gomez <da.gomez@...sung.com>
Subject: [PATCH 11/12] module: Additional validation in elf_validity_cache_strtab
Validate properties of the strtab that are depended on elsewhere, but
were previously unchecked:
* String table nonempty (offset 0 is valid)
* String table has a leading NUL (offset 0 corresponds to "")
* String table is NUL terminated (strfoo functions won't run out of the
table while reading).
* All symbols names are inbounds of the string table.
Signed-off-by: Matthew Maurer <mmaurer@...gle.com>
---
kernel/module/main.c | 38 +++++++++++++++++++++++++++++++++++++-
1 file changed, 37 insertions(+), 1 deletion(-)
diff --git a/kernel/module/main.c b/kernel/module/main.c
index 22aa5eb4e4f4..3db9ff544c09 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -2123,17 +2123,53 @@ static int elf_validity_cache_index(struct load_info *info, int flags)
}
/**
- * elf_validity_cache_strtab() - Cache symbol string table
+ * elf_validity_cache_strtab() - Validate and cache symbol string table
* @info: Load info to read from and update.
* Must have &load_info->sechdrs and &load_info->secstrings populated.
* Must have &load_info->index populated.
*
+ * Checks:
+ *
+ * * The string table is not empty.
+ * * The string table starts and ends with NUL (required by ELF spec).
+ * * Every &Elf_Sym->st_name offset in the symbol table is inbounds of the
+ * string table.
+ *
+ * And caches the pointer as &load_info->strtab in @info.
+ *
* Return: 0 on success, negative error code if a check failed.
*/
static int elf_validity_cache_strtab(struct load_info *info)
{
Elf_Shdr *str_shdr = &info->sechdrs[info->index.str];
+ Elf_Shdr *sym_shdr = &info->sechdrs[info->index.sym];
char *strtab = (char *)info->hdr + str_shdr->sh_offset;
+ Elf_Sym *syms = (void *)info->hdr + sym_shdr->sh_offset;
+ int i;
+
+ if (str_shdr->sh_size == 0) {
+ pr_err("empty symbol string table\n");
+ return -ENOEXEC;
+ }
+ if (strtab[0] != '\0') {
+ pr_err("symbol string table missing leading NUL\n");
+ return -ENOEXEC;
+ }
+ if (strtab[str_shdr->sh_size - 1] != '\0') {
+ pr_err("symbol string table isn't NUL terminated\n");
+ return -ENOEXEC;
+ }
+
+ /*
+ * Now that we know strtab is correctly structured, check symbol
+ * starts are inbounds before they're used later.
+ */
+ for (i = 0; i < sym_shdr->sh_size / sizeof(*syms); i++) {
+ if (syms[i].st_name >= str_shdr->sh_size) {
+ pr_err("symbol name out of bounds in string table");
+ return -ENOEXEC;
+ }
+ }
info->strtab = strtab;
return 0;
--
2.47.0.rc1.288.g06298d1525-goog
Powered by blists - more mailing lists