To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Jessica Clarke
Subject: git: d37b3562e701 - stable/14 - imgact_elf: Fix off-by-one in note size check
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jrtc27
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: d37b3562e701ab1583ea7ae47b9bd3214ef39d37
Auto-Submitted: auto-generated
Date: Mon, 15 Dec 2025 17:00:39 +0000
Message-Id: <69403eb7.d0d6.25f06a1e@gitrepo.freebsd.org>

The branch stable/14 has been updated by jrtc27:

URL: https://cgit.FreeBSD.org/src/commit/?id=d37b3562e701ab1583ea7ae47b9bd3214ef39d37

commit d37b3562e701ab1583ea7ae47b9bd3214ef39d37
Author:     Jessica Clarke
AuthorDate: 2025-12-08 13:01:57 +0000
Commit:     Jessica Clarke
CommitDate: 2025-12-15 16:58:45 +0000

    imgact_elf: Fix off-by-one in note size check

    Prior to c86af2cc4cd1 ("imgact_elf: Check note body sizes"), this was
    note_name + n_namesz >= note_end, which checks that there is at least
    one byte after the unpadded name (which could be either padding or
    data), and given our notes always have data with them this was fine.
    However, once we started checking the padded name (note that
    "FreeBSD\0" is already a multiple of 4 bytes, so has no padding) and
    data, this turned into checking that there is at least one byte after
    the unpadded data, and since our ELF notes already have a multiple of
    4 bytes for their data and therefore have no padding, this means that
    we are now checking that there is at least one byte after the ELF
    note, which is not going to be the case for the last ELF note.
    Instead, switch this to a strict greater than, as should be used when
    comparing one-past-the-end pointers, which both sides of the
    inequality are.

    For executables, this was generally not a problem in reality, since
    the last of our ELF notes is NT_FREEBSD_NOINIT_TAG, which isn't read
    by the kernel. However, ld-elf.so.1 (and libcompat variants), like
    shared libraries, only has NT_FREEBSD_ABI_TAG, which meant the kernel
    did not see this ELF note when directly executing it (e.g. as done by
    ldd), and on RISC-V this is the only branding present, so doing so
    would fail with ENOEXEC. This does also mean on non-RISC-V direct
    exec ld-elf.so.1 runs with the wrong p_osrel, but given it sets
    kern.proc.osrel.PID to the executable's NT_FREEBSD_ABI_TAG that it
    loads, this probably doesn't matter in practice.

    PR:             291446
    Reported by:    bdragon
    Tested by:      bdragon
    Fixes:          c86af2cc4cd1 ("imgact_elf: Check note body sizes")
    MFC after:      3 days

    (cherry picked from commit 5d58198ccc2b562098ee5fc4898013622b32b065)
---
 sys/kern/imgact_elf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c index f73fd997594d..ea74c07cbc48 100644 --- a/sys/kern/imgact_elf.c +++ b/sys/kern/imgact_elf.c @@ -2811,7 +2811,7 @@ __elfN(parse_notes)(struct image_params *imgp, Elf_Note *checknote, goto nextnote; note_name = (const char *)(note + 1); if (note_name + roundup2(note->n_namesz, ELF_NOTE_ROUNDSIZE) + - note->n_descsz >= (const char *)note_end || + note->n_descsz > (const char *)note_end || strncmp(note_vendor, note_name, checknote->n_namesz) != 0) goto nextnote;
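Review bot: The change from `>=` to `>` in the `if` is the right comparison for two one-past-the-end pointers, and it is what lets a segment whose only note ends exactly at `note_end` (the NT_FREEBSD_ABI_TAG-only case described above) be accepted. Two things worth confirming from the surrounding code, since the hunk's context does not show them: first, `note->n_namesz` is a 32-bit field, and `roundup2` on a value close to UINT32_MAX wraps to a small number, so if the loop does not already reject oversized `n_namesz` and `n_descsz` before this pointer arithmetic (c86af2cc4cd1 may do so), a hostile note header could pass this bound; a one-line comment above the `if` stating that both sizes are already bounded would settle that for the next reader. Second, `n_namesz` is rounded up but `n_descsz` is compared unpadded; that is correct for the last note, where no trailing padding need exist, but a brief comment noting the asymmetry is deliberate would keep someone from "fixing" it back.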
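To make the off-by-one concrete, here is an added C example (written for this page, not the kernel's parse_notes) that walks a constructed PT_NOTE segment shaped like ld-elf.so.1's single "FreeBSD\0" note under both the pre-fix `>=` bound and the fixed `>` bound. The names note_hdr, find_note and last_note_seen, the osrel value, the assumption that type 1 is NT_FREEBSD_ABI_TAG, and the size guard before the pointer arithmetic are all this example's own.

```c
#include <stdint.h>
#include <string.h>
/* Constructed for this example: the 12-byte ELF note header (Elf_Note). */
typedef struct { uint32_t n_namesz, n_descsz, n_type; } note_hdr;
#define NOTE_ROUNDSIZE 4   /* stands in for ELF_NOTE_ROUNDSIZE */
#define roundup2(x, y) (((x) + ((y) - 1)) & ~((size_t)(y) - 1))
/* Scan [buf, buf + len) for a note with this vendor string and type. strict_gt
 * selects the fixed bound (body end > note_end) or the pre-fix one (>=). */
static int find_note(const unsigned char *buf, size_t len, const char *vendor,
    uint32_t type, int strict_gt)
{
    const unsigned char *p = buf, *end = buf + len;
    size_t vlen = strlen(vendor) + 1;           /* name includes its NUL */
    while ((size_t)(end - p) >= sizeof(note_hdr)) {
        note_hdr h;
        memcpy(&h, p, sizeof(h));
        const unsigned char *name = p + sizeof(h);
        size_t avail = (size_t)(end - name);
        size_t namesz = h.n_namesz, descsz = h.n_descsz;
        if (namesz > avail || descsz > avail)   /* example's own size guard */
            return 0;
        size_t body = roundup2(namesz, NOTE_ROUNDSIZE) + descsz;
        /* name + body == note_end for a note ending at the segment end, so
         * only a strict > means the note is actually truncated. */
        int truncated = strict_gt ? body > avail : body >= avail;
        if (!truncated && h.n_type == type && namesz == vlen &&
            memcmp(name, vendor, vlen) == 0)
            return 1;
        size_t step = roundup2(namesz, NOTE_ROUNDSIZE) +
            roundup2(descsz, NOTE_ROUNDSIZE);
        if (step > avail)
            break;
        p = name + step;
    }
    return 0;
}
/* Constructed segment like ld-elf.so.1's: one note, name "FreeBSD\0" (8 bytes,
 * already 4-aligned) then a 4-byte osrel, type 1 (assumed NT_FREEBSD_ABI_TAG).
 * seg_len < 24 simulates truncation. Returns 1 if the sole (last) note is seen. */
int last_note_seen(int strict_gt, size_t seg_len)
{
    unsigned char seg[24];
    note_hdr h = { 8, 4, 1 };
    uint32_t osrel = 1400097;                   /* constructed value */
    memcpy(seg, &h, sizeof(h));
    memcpy(seg + 12, "FreeBSD\0", 8);
    memcpy(seg + 20, &osrel, 4);
    return find_note(seg, seg_len < 24 ? seg_len : 24, "FreeBSD", 1, strict_gt);
}
```

With the pre-fix `>=`, the only note is skipped because nothing follows it; with `>` it is found, while a segment cut one byte short is still rejected.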