Author: kevans
Date: Sun Nov  8 04:24:29 2020
New Revision: 367477
URL: https://svnweb.freebsd.org/changeset/base/367477

Log:
  imgact_binmisc: limit the extent of match on incoming entries
  
  imgact_binmisc matches magic/mask from imgp->image_header, which is only a
  single page in size mapped from the first page of an image. One can specify
  an interpreter that matches on, e.g., --offset 4096 --size 256 to read up to
  256 bytes past the mapped first page.
  
  The limitation is that we cannot specify a magic string that exceeds a
  single page, and we can't allow offset + size to exceed a single page
  either.  A static assert has been added in case someone finds it useful to
  try and expand the size, but it does seem a little unlikely.
  
  While this looks kind of exploitable at a sideways squinty-glance, there are
  a couple of mitigating factors:
  
  1.) imgact_binmisc is not enabled by default,
  2.) entries may only be added by the superuser,
  3.) trying to exploit this information to read what's mapped past the end
    would be worse than a root canal or some other relatably painful
    experience, and
  4.) there's no way one could pull this off without it being completely
    obvious.
  
  The first page is mapped out of an sf_buf, the implementation of which (or
  lack thereof) depends on your platform.
  
  MFC after:    1 week
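The bound the commit describes (magic offset plus magic size must stay within the single mapped page) can be written two ways, and the difference matters when the fields are unsigned. The following is an added example, not code from this commit or from FreeBSD: the constants are constructed stand-ins (IBE_MAGIC_MAX = 256, IBE_MATCH_MAX = 4096 are assumed, as is the uint32_t width of the two fields, which the page does not show), and the two functions are hypothetical helpers that contrast the plain sum check with a form that cannot wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-ins for the kernel constants (assumed values):
 * IBE_MAGIC_MAX is the longest magic an entry may carry, IBE_MATCH_MAX
 * the extent of the first mapped page that the matcher may inspect.
 */
#define IBE_MAGIC_MAX   256
#define IBE_MATCH_MAX   4096

/*
 * Sum form of the check. With 32-bit unsigned fields the addition can
 * wrap around, so an offset close to UINT32_MAX plus a legal size comes
 * out as a small number and slips past the comparison.
 */
static bool
match_window_ok_naive(uint32_t moffset, uint32_t msize)
{
	if (msize > IBE_MAGIC_MAX)
		return (false);
	if (moffset + msize > IBE_MATCH_MAX)	/* may wrap */
		return (false);
	return (true);
}

/*
 * Subtraction form. msize is already bounded by IBE_MAGIC_MAX, which is
 * not larger than IBE_MATCH_MAX, so IBE_MATCH_MAX - msize cannot go
 * negative and no intermediate value can wrap.
 */
static bool
match_window_ok(uint32_t moffset, uint32_t msize)
{
	if (msize > IBE_MAGIC_MAX)
		return (false);
	if (moffset > IBE_MATCH_MAX - msize)
		return (false);
	return (true);
}

int
main(void)
{
	/* Constructed entries: (offset, size) pairs an administrator might submit. */
	struct { uint32_t off, size; } cases[] = {
		{ 0, 256 },             /* in page: accepted by both */
		{ 3840, 256 },          /* ends exactly at page end: accepted by both */
		{ 4096, 256 },          /* entirely past the page: rejected by both */
		{ 0xFFFFFF00u, 256 },   /* wraps the sum: naive accepts, safe rejects */
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("off=%#x size=%u naive=%d safe=%d\n",
		    cases[i].off, cases[i].size,
		    match_window_ok_naive(cases[i].off, cases[i].size),
		    match_window_ok(cases[i].off, cases[i].size));
	return (0);
}
```

Both forms agree on every in-range and out-of-range input; they only diverge on the wrapped sum, which is the case a validator of superuser-supplied entries still wants rejected.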

Modified:
  head/sys/kern/imgact_binmisc.c
  head/sys/sys/imgact_binmisc.h

Modified: head/sys/kern/imgact_binmisc.c
==============================================================================
--- head/sys/kern/imgact_binmisc.c      Sun Nov  8 02:50:34 2020        
(r367476)
+++ head/sys/kern/imgact_binmisc.c      Sun Nov  8 04:24:29 2020        
(r367477)
@@ -236,6 +236,8 @@ imgact_binmisc_add_entry(ximgact_binmisc_entry_t *xbe)
 
        if (xbe->xbe_msize > IBE_MAGIC_MAX)
                return (EINVAL);
+       if (xbe->xbe_moffset + xbe->xbe_msize > IBE_MATCH_MAX)
+               return (EINVAL);
 
        for(cnt = 0, p = xbe->xbe_name; *p != 0; cnt++, p++)
                if (cnt >= IBE_NAME_MAX || !isascii((int)*p))
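Review bot: the new `xbe->xbe_moffset + xbe->xbe_msize > IBE_MATCH_MAX` test is only sound if that sum cannot wrap; if both fields are unsigned 32-bit quantities, an offset near the top of the range plus a size that already passed the `IBE_MAGIC_MAX` check can wrap to a small value and be accepted. Since `xbe_msize` is bounded by the preceding check and `IBE_MAGIC_MAX <= IBE_MATCH_MAX` is asserted in the header, writing the test as `if (xbe->xbe_moffset > IBE_MATCH_MAX - xbe->xbe_msize)` rejects the same out-of-page entries without an intermediate sum that can overflow.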

Modified: head/sys/sys/imgact_binmisc.h
==============================================================================
--- head/sys/sys/imgact_binmisc.h       Sun Nov  8 02:50:34 2020        
(r367476)
+++ head/sys/sys/imgact_binmisc.h       Sun Nov  8 04:24:29 2020        
(r367477)
@@ -47,6 +47,11 @@
 #define        IBE_INTERP_LEN_MAX      (MAXPATHLEN + IBE_ARG_LEN_MAX)
 #define        IBE_MAX_ENTRIES 64      /* Max number of interpreter entries. */
 
+/* We only map the first page for identification purposes. */
+#define        IBE_MATCH_MAX   PAGE_SIZE
+_Static_assert(IBE_MAGIC_MAX <= IBE_MATCH_MAX,
+    "Cannot identify binaries past the first page.");
+
 /*
  * Imgact bin misc interpreter entry flags.
  */
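Review bot: `IBE_MATCH_MAX` expands to `PAGE_SIZE` and the `_Static_assert` is evaluated wherever this header is included, including by userland consumers of `sys/imgact_binmisc.h`; please confirm that `PAGE_SIZE` is defined in those translation units (via `sys/param.h`) or wrap the new definition and assertion in `#ifdef _KERNEL` so a userland build does not fail on an undefined symbol. A one-line comment stating that the limit follows from mapping only the first page of `imgp->image_header` would also help future readers who tune `IBE_MAGIC_MAX`.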
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"