Alexander Nasonov wrote:
> Steps to reproduce (on amd64 compiled with MKPIE=yes):
>
> bvi -s 0x0e2 /bin/echo # change 20 to 00
> bvi -s 0x11a /bin/echo # change 20 to 00
>
> /bin/echo # boom!
>
> It would be nice to perform sanity checks of the tainted executable
> instead of panicking.
Attached is a simple patch. I don't know (yet) if it works.

Alex
Index: exec_elf.c =================================================================== RCS file: /cvsroot/src/sys/kern/exec_elf.c,v retrieving revision 1.94 diff -p -u -u -r1.94 exec_elf.c --- exec_elf.c 17 Mar 2018 00:30:50 -0000 1.94 +++ exec_elf.c 17 Mar 2018 23:10:43 -0000 @@ -129,7 +129,8 @@ elf_placedynexec(struct exec_package *ep Elf_Addr align, offset; int i; - for (align = i = 0; i < eh->e_phnum; i++) + align = 1; + for (i = 0; i < eh->e_phnum; i++) if (ph[i].p_type == PT_LOAD && ph[i].p_align > align) align = ph[i].p_align; @@ -679,6 +680,12 @@ exec_elf_makecmds(struct lwp *l, struct for (i = 0; i < eh->e_phnum; i++) { pp = &ph[i]; + if (pp->p_type == PT_LOAD && + (pp->p_align & (pp->p_align - 1)) != 0) { + DPRINTF("bad alignment %#jx", (uintmax_t)pp->p_align); + error = ENOEXEC; + goto bad; + } if (pp->p_type == PT_INTERP) { if (pp->p_filesz < 2 || pp->p_filesz > MAXPATHLEN) { DPRINTF("bad interpreter namelen %#jx",
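Review bot: the new `align = 1` initialization in elf_placedynexec needs a comment saying why the starting value is 1 rather than 0: when every PT_LOAD header carries p_align 0, the loop never raises align, and the placement arithmetic that follows this hunk would otherwise be handed a zero alignment, which is the condition the report triggers. Stylistically, `for (align = 1, i = 0; i < eh->e_phnum; i++)` would keep the original one-line form with a smaller diff, but the separate assignment is fine as long as the comment sits next to it.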
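Review bot: the power-of-two test added in exec_elf_makecmds does not reject p_align == 0, because `(0 & (0 - 1))` evaluates to 0; a zero-aligned PT_LOAD segment therefore passes this check and is handled only by the `align = 1` fallback in the first hunk. That is consistent with the ELF spec, which treats p_align values 0 and 1 as "no alignment", but a comment on the check should state that zero is deliberately admitted so nobody later "fixes" the fallback away. The DPRINTF could also include the segment index i alongside the bad value, so a rejected binary can be diagnosed. A further sanity check worth adding in the same loop, which this patch does not cover, is the spec's requirement that p_vaddr and p_offset be congruent modulo p_align for PT_LOAD segments with p_align > 1.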
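As an added example, and my own code rather than the posted patch or NetBSD's exec_elf.c, the following C program walks the ELF64 program headers of a constructed in-memory image and applies the same two checks the patch proposes (reject a PT_LOAD p_align that is not a power of two; never let a zero alignment reach the placement arithmetic), so the zero-alignment case from the report can be exercised in userland without editing /bin/echo. The struct layouts follow the ELF64 specification; the function names, the error codes and the two-segment image builder are assumptions of this example.

```c
/* Added example, not part of the posted patch or NetBSD's exec_elf.c.
 * Userland ELF64 program-header sanity check mirroring the patch:
 * non-power-of-two PT_LOAD p_align is rejected, and the effective
 * placement alignment starts at 1 so an all-zero p_align never yields 0.
 * Struct layouts follow the ELF64 spec; everything else is illustrative. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EI_NIDENT 16
#define PT_LOAD   1

typedef struct {
    unsigned char e_ident[EI_NIDENT];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr64;                       /* 64 bytes, no padding */

typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} Phdr64;                       /* 56 bytes, no padding */

enum { CHECK_OK = 0, CHECK_TRUNCATED = 1, CHECK_BAD_ALIGN = 2 };

/* Validate PT_LOAD alignments and compute the alignment a loader would use
 * to place the image. On CHECK_OK, *max_align is at least 1, matching the
 * patch's "align = 1" fallback. Bounds are checked before any header read. */
int check_phdrs(const unsigned char *buf, size_t len, uint64_t *max_align)
{
    Ehdr64 eh;
    if (len < sizeof eh)
        return CHECK_TRUNCATED;
    memcpy(&eh, buf, sizeof eh);            /* memcpy: buf may be unaligned */
    if (eh.e_phentsize != sizeof(Phdr64))
        return CHECK_TRUNCATED;
    if (eh.e_phoff > len || (len - eh.e_phoff) / sizeof(Phdr64) < eh.e_phnum)
        return CHECK_TRUNCATED;

    uint64_t align = 1;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Phdr64 ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_LOAD)
            continue;
        /* Same test as the patch. Note 0 passes, since 0 & (0 - 1) == 0;
         * the ELF spec treats p_align 0 and 1 as "no alignment". */
        if ((ph.p_align & (ph.p_align - 1)) != 0)
            return CHECK_BAD_ALIGN;
        if (ph.p_align > align)
            align = ph.p_align;
    }
    if (max_align)
        *max_align = align;
    return CHECK_OK;
}

/* Constructed sample input: an ELF64 header followed by two PT_LOAD program
 * headers whose p_align values are supplied by the caller. Returns the image
 * length, or 0 if the buffer is too small. */
size_t build_image(unsigned char *out, size_t cap, uint64_t a1, uint64_t a2)
{
    Ehdr64 eh;
    Phdr64 ph[2];
    size_t need = sizeof eh + sizeof ph;
    if (cap < need)
        return 0;
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);    /* split literal: 'E' is a hex digit */
    eh.e_ident[4] = 2;                      /* ELFCLASS64 */
    eh.e_ident[5] = 1;                      /* ELFDATA2LSB */
    eh.e_type = 3;                          /* ET_DYN, like a PIE */
    eh.e_machine = 62;                      /* EM_X86_64 */
    eh.e_version = 1;
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(Phdr64);
    eh.e_phnum = 2;
    ph[0].p_type = PT_LOAD; ph[0].p_flags = 5; ph[0].p_align = a1;
    ph[1].p_type = PT_LOAD; ph[1].p_flags = 6; ph[1].p_align = a2;
    ph[1].p_offset = 0x1000; ph[1].p_vaddr = 0x201000;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, sizeof ph);
    return need;
}

int main(void)
{
    unsigned char img[256];
    uint64_t a;
    size_t n;

    n = build_image(img, sizeof img, 0x200000, 0x200000);
    printf("2 MiB aligned: rc=%d align=%#llx\n", check_phdrs(img, n, &a), (unsigned long long)a);
    n = build_image(img, sizeof img, 0, 0);   /* the report's zeroed case */
    printf("zero aligned:  rc=%d align=%#llx\n", check_phdrs(img, n, &a), (unsigned long long)a);
    n = build_image(img, sizeof img, 0x30, 0x200000);
    printf("0x30 aligned:  rc=%d\n", check_phdrs(img, n, &a));
    return 0;
}
```

The zero-alignment image is accepted and reported with an effective alignment of 1, which is exactly the behaviour the patch's first hunk buys; the 0x30 image is rejected by the power-of-two test before any alignment is computed.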