From nobody Wed Oct 22 13:02:02 2025
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4cs8Sp4Mvqz6FFmm; Wed, 22 Oct 2025 13:02:02 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4cs8Sp3Bqwz3r7B; Wed, 22 Oct 2025 13:02:02 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4cs8Sp2fMszVTN; Wed, 22 Oct 2025 13:02:02 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 59MD22Ja011362; Wed, 22 Oct 2025 13:02:02 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 59MD226S011359; Wed, 22 Oct 2025 13:02:02 GMT (envelope-from git)
Date: Wed, 22 Oct 2025 13:02:02 GMT
Message-Id: <202510221302.59MD226S011359@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston Subject: git: 6e4767672a21 - stable/13 - imgact_elf: Check note body sizes List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 6e4767672a21f89c070d351d62a8d75629fd077d Auto-Submitted: auto-generated The branch stable/13 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=6e4767672a21f89c070d351d62a8d75629fd077d commit 6e4767672a21f89c070d351d62a8d75629fd077d Author: Mark Johnston AuthorDate: 2025-10-15 20:14:36 +0000 Commit: Mark Johnston CommitDate: 2025-10-22 12:34:07 +0000 imgact_elf: Check note body sizes In parse_notes we validate that the note name fits within the note buffer, but we do not do the same for the note data, so there is some potential for an OOB read in the note handler. Add a bounds check. Reported by: Ilja Van Sprundel Reviewed by: kib, emaste MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D53063 (cherry picked from commit c86af2cc4cd12fb0174843b22d737c3b5b5d55d0) --- sys/kern/imgact_elf.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c index b27129a555c4..cda86cf48001 100644 --- a/sys/kern/imgact_elf.c +++ b/sys/kern/imgact_elf.c @@ -2750,7 +2750,7 @@ __elfN(parse_notes)(struct image_params *imgp, Elf_Note *checknote, } if ((const char *)note_end - (const char *)note < sizeof(Elf_Note)) { - uprintf("ELF note to short\n"); + uprintf("ELF note too short\n"); goto retf; } if (note->n_namesz != checknote->n_namesz || 
@@ -2758,9 +2758,9 @@ __elfN(parse_notes)(struct image_params *imgp, Elf_Note *checknote, note->n_type != checknote->n_type) goto nextnote; note_name = (const char *)(note + 1); - if (note_name + checknote->n_namesz >= - (const char *)note_end || strncmp(note_vendor, - note_name, checknote->n_namesz) != 0) + if (note_name + roundup2(note->n_namesz, ELF_NOTE_ROUNDSIZE) + + note->n_descsz >= (const char *)note_end || + strncmp(note_vendor, note_name, checknote->n_namesz) != 0) goto nextnote; if (cb(note, cb_arg, &res))
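Review bot: in the second hunk, the new bound `note_name + roundup2(note->n_namesz, ELF_NOTE_ROUNDSIZE) + note->n_descsz >= (const char *)note_end` rejects a note whose descriptor ends exactly at note_end. If note_end is the exclusive end of the note buffer, that is an off-by-one that silently skips (goto nextnote) a well-formed final note filling the segment, and `>` looks like the intended comparison; worth checking against a PT_NOTE segment whose last note ends on the buffer boundary. Separately, n_namesz and n_descsz are read straight from the image, so `roundup2(note->n_namesz, ELF_NOTE_ROUNDSIZE) + note->n_descsz` is evaluated in the unsigned width of those Elf_Word fields (32 bits) before being added to the pointer: roundup2 itself wraps to a small value for n_namesz near the type maximum, and the sum wraps for a large n_descsz, so an oversized descriptor can still pass the check and the handler then reads n_descsz bytes. The robust shape is to compute the remaining length once (`(const char *)note_end - note_name`) and compare each component against it in turn, rejecting if remaining < roundup2(n_namesz) and then if remaining - roundup2(n_namesz) < n_descsz, so no attacker-controlled addition happens. Using note->n_namesz for the bound while strncmp keeps checknote->n_namesz is fine, since the lines above already require the two to be equal.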