Re: [PATCH][RFC] invalid ELF binaries can execute - better sanity checking

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jakub Jelinek <jakub@redhat.com>
To: Jesper Juhl <juhl@dif.dk>
Cc: linux-kernel@vger.kernel.org, Eric Youngdale <ericy@cais.com>
Subject: Re: [PATCH][RFC] invalid ELF binaries can execute - better sanity checking
Date: Fri, 9 Jan 2004 05:28:51 -0500	[thread overview]
Message-ID: <20040109102851.GF24876@devserv.devel.redhat.com> (raw)
In-Reply-To: <Pine.LNX.4.56.0401090236390.11276@jju_lnx.backbone.dif.dk>

On Fri, Jan 09, 2004 at 03:19:12AM +0100, Jesper Juhl wrote:
> --- linux-2.6.1-rc1-mm2-orig/fs/binfmt_elf.c    2003-12-31 05:47:13.000000000 +0100
> +++ linux-2.6.1-rc1-mm2/fs/binfmt_elf.c 2004-01-09 01:41:05.000000000 +0100
> @@ -482,11 +482,14 @@ static int load_elf_binary(struct linux_
>         /* First of all, some simple consistency checks */
>         if (memcmp(elf_ex.e_ident, ELFMAG, SELFMAG) != 0)
>                 goto out;
> -
> +       if (elf_ex.e_ident[EI_CLASS] == ELFCLASSNONE)
> +               goto out;
>         if (elf_ex.e_type != ET_EXEC && elf_ex.e_type != ET_DYN)
>                 goto out;
>         if (!elf_check_arch(&elf_ex))
>                 goto out;
> +       if (elf_ex.e_version == EV_NONE)
> +               goto out;
>         if (!bprm->file->f_op||!bprm->file->f_op->mmap)
>                 goto out;

These checks look useless for me.
If you want to check EI_CLASS or e_version, why is 0 so special and not say
157?
If you want to be sure EI_CLASS and e_version are correct, the test should
be:
	if (elf_ex.e_ident[EI_CLASS] != ELF_CLASS)
		goto out;
resp.
	if (elf_ex.e_version != EV_CURRENT)
		goto out;
Furthermore, there is load_elf_interp, which needs similar checks, otherwise
they are useless, because you can create a proper ELF binary loading
incorrect ELF interpreter.
Why not to check EI_DATA and EI_VERSION as well though?
glibc loader does:
#ifndef VALID_ELF_HEADER
# define VALID_ELF_HEADER(hdr,exp,size) (memcmp (hdr, exp, size) == 0)
# define VALID_ELF_OSABI(osabi)         (osabi == ELFOSABI_SYSV)
# define VALID_ELF_ABIVERSION(ver)      (ver == 0)
#endif
  static const unsigned char expected[EI_PAD] =
  {
    [EI_MAG0] = ELFMAG0,
    [EI_MAG1] = ELFMAG1,
    [EI_MAG2] = ELFMAG2,
    [EI_MAG3] = ELFMAG3,
    [EI_CLASS] = ELFW(CLASS),
    [EI_DATA] = byteorder,
    [EI_VERSION] = EV_CURRENT,
    [EI_OSABI] = ELFOSABI_SYSV,
    [EI_ABIVERSION] = 0
  };
      if (__builtin_expect (! VALID_ELF_HEADER (ehdr->e_ident, expected,
                                                EI_PAD), 0))
        {
...
	}
      if (__builtin_expect (ehdr->e_version, EV_CURRENT) != EV_CURRENT)
        {
          errstring = N_("ELF file version does not match current one");
          goto call_lose;
        }
      if (! __builtin_expect (elf_machine_matches_host (ehdr), 1))
        goto close_and_out;
...

Perhaps binfmt_elf.c wants to be able to load different OSABI ELF objects,
if so, it could just memcmp the first EI_OSABI bytes of e_ident and check
e_version and other fields outside of e_ident.

	Jakub

next prev parent reply	other threads:[~2004-01-09 10:29 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-01-09  2:19 [PATCH][RFC] invalid ELF binaries can execute - better sanity checking Jesper Juhl
2004-01-09  2:27 ` Jesper Juhl
2004-01-09  3:20 ` Andrew Morton
2004-01-09  3:36   ` Valdis.Kletnieks
2004-01-09  3:40     ` Jesper Juhl
2004-01-09 20:20       ` Maciej Zenczykowski
2004-01-09 20:41         ` Christoph Hellwig
2004-01-10  0:27           ` Xavier Bestel
2004-01-10  2:27             ` Maciej Zenczykowski
2004-01-10  9:52               ` Xavier Bestel
2004-01-10 13:41         ` Jesper Juhl
2004-01-10 22:38           ` Maciej Zenczykowski
2004-01-10 22:45             ` Jesper Juhl
2004-01-10 14:05         ` Willy Tarreau
2004-01-22 19:24         ` [PATCH][RFC] invalid ELF binaries can execute - better sanitychecking Adrian Bunk
2004-01-09  3:36   ` [PATCH][RFC] invalid ELF binaries can execute - better sanity checking Jesper Juhl
2004-01-09  4:15   ` Anton Blanchard
2004-01-09 10:28 ` Jakub Jelinek [this message]
2004-01-09 10:50   ` Jesper Juhl
2004-01-09 18:08     ` Mike Fedyk
2004-01-09 18:25       ` Jesper Juhl

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20040109102851.GF24876@devserv.devel.redhat.com \
    --to=jakub@redhat.com \
    --cc=ericy@cais.com \
    --cc=juhl@dif.dk \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.