The branch stable/13 has been updated by kib:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=681e834b02fd00a9dd3c55f820538bf3674a4a4b

commit 681e834b02fd00a9dd3c55f820538bf3674a4a4b
Author:     Konstantin Belousov <[email protected]>
AuthorDate: 2021-12-08 09:33:57 +0000
Commit:     Konstantin Belousov <[email protected]>
CommitDate: 2021-12-19 02:42:51 +0000

    imgact_elf: exclude invalid alignment requests
    
    (cherry picked from commit 714d6d09b57e9cf98a5c3f45f869c08be5454849)
---
 sys/kern/imgact_elf.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
index 77ecd1538084..e0dd2b13c143 100644
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@@ -1092,7 +1092,7 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp)
        Elf_Brandinfo *brand_info;
        struct sysentvec *sv;
        u_long addr, baddr, et_dyn_addr, entry, proghdr;
-       u_long maxalign, mapsz, maxv, maxv1;
+       u_long maxalign, maxsalign, mapsz, maxv, maxv1;
        uint32_t fctl0;
        int32_t osrel;
        bool free_interp;
@@ -1133,7 +1133,20 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params 
*imgp)
        interp = NULL;
        free_interp = false;
        td = curthread;
+
+       /*
+        * Somewhat arbitrary, limit accepted max alignment for the
+        * loadable segment to the max supported superpage size. Too
+        * large alignment requests are not useful and are indicators
+        * of corrupted or outright malicious binary.
+        */
        maxalign = PAGE_SIZE;
+       maxsalign = PAGE_SIZE * 1024;
+       for (i = MAXPAGESIZES - 1; i > 0; i--) {
+               if (pagesizes[i] > maxsalign)
+                       maxsalign = pagesizes[i];
+       }
+
        mapsz = 0;
 
        for (i = 0; i < hdr->e_phnum; i++) {
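Review bot: The comment above `maxalign = PAGE_SIZE;` says the bound is the largest supported superpage size, but `maxsalign = PAGE_SIZE * 1024;` also imposes a floor that the comment never mentions, and 1024 is a bare constant. I would extend the comment with a sentence such as `Never go below 1024 base pages, presumably so binaries linked for a larger page size elsewhere still load — confirm with the author.` and consider naming the factor. The loop over pagesizes[] runs from MAXPAGESIZES - 1 down to index 1 and skips index 0; that is harmless if pagesizes[0] is the base page size, which the starting value already exceeds, but a one-line comment stating that assumption would save the next reader a check. The enclosing function begins before this hunk and continues after it.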
@@ -1141,6 +1154,11 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params 
*imgp)
                case PT_LOAD:
                        if (n == 0)
                                baddr = phdr[i].p_vaddr;
+                       if (phdr[i].p_align > maxsalign) {
+                               uprintf("Invalid segment alignment\n");
+                               error = ENOEXEC;
+                               goto ret;
+                       }
                        if (phdr[i].p_align > maxalign)
                                maxalign = phdr[i].p_align;
                        mapsz += phdr[i].p_memsz;
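Review bot: The new check at `if (phdr[i].p_align > maxsalign)` bounds the magnitude of p_align but still accepts values that are not a power of two, which the ELF format requires (p_align must be 0, 1, or a positive power of two); if the code that later consumes maxalign rounds with a `maxalign - 1` mask, a value such as 0x3000 would pass this check and yield a wrongly rounded base — that consumer is outside this hunk, so I have not confirmed it. Since the commit already treats an out-of-range alignment as a sign of a corrupted or malicious binary, rejecting non-power-of-two values at the same spot is cheap: `if (phdr[i].p_align > maxsalign || (phdr[i].p_align > 1 && !powerof2(phdr[i].p_align))) {` with the existing `uprintf("Invalid segment alignment\n");` and `error = ENOEXEC;` unchanged. The enclosing function starts before this hunk and continues after it.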
