Alexander Nasonov wrote:
> Steps to reproduce (on amd64 compiled with MKPIE=yes):
> 
> bvi -s 0x0e2 /bin/echo # change 20 to 00
> bvi -s 0x11a /bin/echo # change 20 to 00
> 
> /bin/echo # boom!
> 
> It would be nice to perform sanity checks of tainted executable
> instead of panicking.

Attached is a simple patch. I don't know (yet) if it works.

Alex
Index: exec_elf.c
===================================================================
RCS file: /cvsroot/src/sys/kern/exec_elf.c,v
retrieving revision 1.94
diff -p -u -u -r1.94 exec_elf.c
--- exec_elf.c  17 Mar 2018 00:30:50 -0000      1.94
+++ exec_elf.c  17 Mar 2018 23:10:43 -0000
@@ -129,7 +129,8 @@ elf_placedynexec(struct exec_package *ep
        Elf_Addr align, offset;
        int i;
 
-       for (align = i = 0; i < eh->e_phnum; i++)
+       align = 1;
+       for (i = 0; i < eh->e_phnum; i++)
                if (ph[i].p_type == PT_LOAD && ph[i].p_align > align)
                        align = ph[i].p_align;
 
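Review bot: the new `align = 1;` initialisation deserves a one-line comment, because the reason for it is not visible in this hunk: the loop only raises `align` when a PT_LOAD has `p_align > align`, so a binary whose PT_LOAD segments all carry `p_align` of 0 (exactly the corruption in the report) would otherwise leave `align` at 0 and feed a zero alignment into whatever this function computes from it. Suggest something like `/* minimum alignment of 1 guards against PT_LOAD segments with p_align == 0 */` above `align = 1;`, so a later reader does not "simplify" it back into the `for` initialiser.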
@@ -679,6 +680,12 @@ exec_elf_makecmds(struct lwp *l, struct 
 
        for (i = 0; i < eh->e_phnum; i++) {
                pp = &ph[i];
+               if (pp->p_type == PT_LOAD &&
+                   (pp->p_align & (pp->p_align - 1)) != 0) {
+                       DPRINTF("bad alignment %#jx", (uintmax_t)pp->p_align);
+                       error = ENOEXEC;
+                       goto bad;
+               }
                if (pp->p_type == PT_INTERP) {
                        if (pp->p_filesz < 2 || pp->p_filesz > MAXPATHLEN) {
                                DPRINTF("bad interpreter namelen %#jx",
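Review bot: the power-of-two test `(pp->p_align & (pp->p_align - 1)) != 0` deliberately accepts `p_align == 0` (0 & ~0 is 0), which matches the ELF rule that 0 and 1 both mean "no alignment", but that is easy to misread as a missed case; add a comment saying 0 is intentionally allowed and relies on the `align = 1` floor in elf_placedynexec. It would also help triage to include the segment index in the message, e.g. `DPRINTF("bad alignment %#jx in phdr %d", (uintmax_t)pp->p_align, i);`, since `i` is already in scope in this loop. Otherwise the placement before the PT_INTERP branch and the `error = ENOEXEC; goto bad;` pattern match the existing checks in this function.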
