LadybirdBrowser/ladybird
1
1
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-01-08 20:32:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
ca0f3db004
ladybird/Libraries/LibELF/Validation.cpp

247 lines
10 KiB
C++
Raw Normal View History

LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
/*
* Copyright (c) 2020, Andrew Kaster <andrewdkaster@gmail.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <AK/Assertions.h>
#include <AK/String.h>
#include <LibELF/Validation.h>
Meta+LibC through LibHTTP: Make clang-format-10 clean Why break at LibHTTP? Because "Meta+Libraries" would be insanely large, and breaking between LibHTTP and LibJS makes the commits roughly evenly large.
2020-09-18 10:49:51 +03:00
#include <LibELF/exec_elf.h>
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
namespace ELF {
Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071) If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2020-08-10 16:55:17 +03:00
bool validate_elf_header(const Elf32_Ehdr& elf_header, size_t file_size, bool verbose)
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
{
if (!IS_ELF(elf_header)) {
Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071) If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2020-08-10 16:55:17 +03:00
if (verbose)
dbgputstr("File is not an ELF file.\n");
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
if (ELFCLASS32 != elf_header.e_ident[EI_CLASS]) {
Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071) If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2020-08-10 16:55:17 +03:00
if (verbose)
dbgputstr("File is not a 32 bit ELF file.\n");
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
if (ELFDATA2LSB != elf_header.e_ident[EI_DATA]) {
Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071) If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2020-08-10 16:55:17 +03:00
if (verbose)
dbgputstr("File is not a little endian ELF file.\n");
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
if (EV_CURRENT != elf_header.e_ident[EI_VERSION]) {
Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071) If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2020-08-10 16:55:17 +03:00
if (verbose)
dbgprintf("File has unrecognized ELF version (%d), expected (%d)!\n", elf_header.e_ident[EI_VERSION], EV_CURRENT);
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
if (ELFOSABI_SYSV != elf_header.e_ident[EI_OSABI]) {
Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071) If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2020-08-10 16:55:17 +03:00
if (verbose)
dbgprintf("File has unknown OS ABI (%d), expected SYSV(0)!\n", elf_header.e_ident[EI_OSABI]);
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
if (0 != elf_header.e_ident[EI_ABIVERSION]) {
Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071) If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2020-08-10 16:55:17 +03:00
if (verbose)
dbgprintf("File has unknown SYSV ABI version (%d)!\n", elf_header.e_ident[EI_ABIVERSION]);
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
if (EM_386 != elf_header.e_machine) {
Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071) If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2020-08-10 16:55:17 +03:00
if (verbose)
dbgprintf("File has unknown machine (%d), expected i386 (3)!\n", elf_header.e_machine);
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
LibELF: Catch more Shenanigans in ELF files Check for even more weird program header/section header offsets and sizes. Namely, the ones encountered in #4221 :)
2020-12-01 09:18:49 +03:00
if (ET_EXEC != elf_header.e_type && ET_DYN != elf_header.e_type && ET_REL != elf_header.e_type && ET_CORE != elf_header.e_type) {
Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071) If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2020-08-10 16:55:17 +03:00
if (verbose)
LibELF: Catch more Shenanigans in ELF files Check for even more weird program header/section header offsets and sizes. Namely, the ones encountered in #4221 :)
2020-12-01 09:18:49 +03:00
dbgprintf("File has unloadable ELF type (%d), expected REL (1), EXEC (2), DYN (3) or CORE(4)!\n", elf_header.e_type);
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
if (EV_CURRENT != elf_header.e_version) {
Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071) If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2020-08-10 16:55:17 +03:00
if (verbose)
dbgprintf("File has unrecognized ELF version (%d), expected (%d)!\n", elf_header.e_version, EV_CURRENT);
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
if (sizeof(Elf32_Ehdr) != elf_header.e_ehsize) {
Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071) If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2020-08-10 16:55:17 +03:00
if (verbose)
dbgprintf("File has incorrect ELF header size..? (%d), expected (%zu)!\n", elf_header.e_ehsize, sizeof(Elf32_Ehdr));
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
LibELF: Allow elf files with no section header to pass validation
2020-12-04 13:19:50 +03:00
if (elf_header.e_phoff < elf_header.e_ehsize || (elf_header.e_shnum != SHN_UNDEF && elf_header.e_shoff < elf_header.e_ehsize)) {
LibELF: Catch more Shenanigans in ELF files Check for even more weird program header/section header offsets and sizes. Namely, the ones encountered in #4221 :)
2020-12-01 09:18:49 +03:00
if (verbose) {
dbgprintf("SHENANIGANS! program header offset (%d) or section header offset (%d) overlap with ELF header!\n",
elf_header.e_phoff, elf_header.e_shoff);
}
return false;
}
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
if (elf_header.e_phoff > file_size || elf_header.e_shoff > file_size) {
Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071) If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2020-08-10 16:55:17 +03:00
if (verbose) {
dbgprintf("SHENANIGANS! program header offset (%d) or section header offset (%d) are past the end of the file!\n",
elf_header.e_phoff, elf_header.e_shoff);
}
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
LibELF: Catch more Shenanigans in ELF files Check for even more weird program header/section header offsets and sizes. Namely, the ones encountered in #4221 :)
2020-12-01 09:18:49 +03:00
if (elf_header.e_phnum == 0 && elf_header.e_phoff != 0) {
if (verbose)
dbgputstr("SHENANIGANS! File has no program headers, but it does have a program header offset (%d)!\n", elf_header.e_phoff);
return false;
}
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
if (elf_header.e_phnum != 0 && elf_header.e_phoff != elf_header.e_ehsize) {
Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071) If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2020-08-10 16:55:17 +03:00
if (verbose) {
dbgprintf("File does not have program headers directly after the ELF header? program header offset (%d), expected (%d).\n",
elf_header.e_phoff, elf_header.e_ehsize);
}
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
if (0 != elf_header.e_flags) {
Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071) If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2020-08-10 16:55:17 +03:00
if (verbose)
dbgprintf("File has incorrect ELF header flags...? (%d), expected (%d).\n", elf_header.e_flags, 0);
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
if (0 != elf_header.e_phnum && sizeof(Elf32_Phdr) != elf_header.e_phentsize) {
Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071) If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2020-08-10 16:55:17 +03:00
if (verbose)
dbgprintf("File has incorrect program header size..? (%d), expected (%zu).\n", elf_header.e_phentsize, sizeof(Elf32_Phdr));
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
if (sizeof(Elf32_Shdr) != elf_header.e_shentsize) {
Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071) If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2020-08-10 16:55:17 +03:00
if (verbose)
dbgprintf("File has incorrect section header size..? (%d), expected (%zu).\n", elf_header.e_shentsize, sizeof(Elf32_Shdr));
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
size_t end_of_last_program_header = elf_header.e_phoff + (elf_header.e_phnum * elf_header.e_phentsize);
if (end_of_last_program_header > file_size) {
Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071) If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2020-08-10 16:55:17 +03:00
if (verbose)
dbgprintf("SHENANIGANS! End of last program header (%zu) is past the end of the file!\n", end_of_last_program_header);
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
LibELF: Allow elf files with no section header to pass validation
2020-12-04 13:19:50 +03:00
if (elf_header.e_shoff != SHN_UNDEF && elf_header.e_shoff < end_of_last_program_header) {
LibELF: Catch more Shenanigans in ELF files Check for even more weird program header/section header offsets and sizes. Namely, the ones encountered in #4221 :)
2020-12-01 09:18:49 +03:00
if (verbose) {
dbgprintf("SHENANIGANS! Section header table begins at file offset %d, which is within program headers [ %d - %zu ]!\n",
elf_header.e_shoff, elf_header.e_phoff, end_of_last_program_header);
}
return false;
}
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
size_t end_of_last_section_header = elf_header.e_shoff + (elf_header.e_shnum * elf_header.e_shentsize);
if (end_of_last_section_header > file_size) {
Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071) If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2020-08-10 16:55:17 +03:00
if (verbose)
dbgprintf("SHENANIGANS! End of last section header (%zu) is past the end of the file!\n", end_of_last_section_header);
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
LibELF: Allow using ELF::Loader for ET_CORE objects
2020-11-11 23:04:33 +03:00
if (elf_header.e_shstrndx != SHN_UNDEF && elf_header.e_shstrndx >= elf_header.e_shnum) {
Lagom+LibELF: Add an ELF fuzzer, and tweak the code to survive a few minutes of fuzzing (#3071) If a buffer smaller than Elf32_Ehdr was passed to Image, header() would do an out-of-bounds read. Make parse() check for that. Make most Image methods assert that the image is_valid(). For that to work, set m_valid early in Image::parse() instead of only at its end. Also reorder a few things so that the fuzzer doesn't hit (valid) assertions, which were harmless from a security PoV but which still allowed userspace to crash the kernel with an invalid ELF file. Make dbgprintf()s configurable at run time so that the fuzzer doesn't produce lots of logspam.
2020-08-10 16:55:17 +03:00
if (verbose)
dbgprintf("SHENANIGANS! Section header string table index (%d) is not a valid index given we have %d section headers!\n", elf_header.e_shstrndx, elf_header.e_shnum);
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
return true;
}
LibELF+Kernel: Validate program headers in Image::parse This should catch more malformed ELF files earlier than simply checking the ELF header alone. Also change the API of validate_program_headers to take the interpreter_path by pointer. This makes it less awkward to call when we don't care about the interpreter, and just want the validation.
2020-12-01 09:21:55 +03:00
bool validate_program_headers(const Elf32_Ehdr& elf_header, size_t file_size, const u8* buffer, size_t buffer_size, String* interpreter_path, bool verbose)
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
{
// Can we actually parse all the program headers in the given buffer?
size_t end_of_last_program_header = elf_header.e_phoff + (elf_header.e_phnum * elf_header.e_phentsize);
if (end_of_last_program_header > buffer_size) {
LibELF+Kernel: Validate program headers in Image::parse This should catch more malformed ELF files earlier than simply checking the ELF header alone. Also change the API of validate_program_headers to take the interpreter_path by pointer. This makes it less awkward to call when we don't care about the interpreter, and just want the validation.
2020-12-01 09:21:55 +03:00
if (verbose)
dbgprintf("Unable to parse program headers from buffer, buffer too small! Buffer size: %zu, End of program headers %zu\n",
buffer_size, end_of_last_program_header);
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
if (file_size < buffer_size) {
dbgputstr("We somehow read more from a file than was in the file in the first place!\n");
ASSERT_NOT_REACHED();
}
size_t num_program_headers = elf_header.e_phnum;
auto program_header_begin = (const Elf32_Phdr*)&(buffer[elf_header.e_phoff]);
for (size_t header_index = 0; header_index < num_program_headers; ++header_index) {
auto& program_header = program_header_begin[header_index];
switch (program_header.p_type) {
case PT_INTERP:
// We checked above that file_size was >= buffer size. We only care about buffer size anyway, we're trying to read this!
if (program_header.p_offset + program_header.p_filesz > buffer_size) {
LibELF+Kernel: Validate program headers in Image::parse This should catch more malformed ELF files earlier than simply checking the ELF header alone. Also change the API of validate_program_headers to take the interpreter_path by pointer. This makes it less awkward to call when we don't care about the interpreter, and just want the validation.
2020-12-01 09:21:55 +03:00
if (verbose)
dbgprintf("Found PT_INTERP header (%zu), but the .interp section was not within our buffer :( Your program will not be loaded today.\n", header_index);
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
LibELF+Kernel: Validate program headers in Image::parse This should catch more malformed ELF files earlier than simply checking the ELF header alone. Also change the API of validate_program_headers to take the interpreter_path by pointer. This makes it less awkward to call when we don't care about the interpreter, and just want the validation.
2020-12-01 09:21:55 +03:00
if (interpreter_path)
*interpreter_path = String((const char*)&buffer[program_header.p_offset], program_header.p_filesz - 1);
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
break;
case PT_LOAD:
case PT_DYNAMIC:
case PT_NOTE:
case PT_PHDR:
case PT_TLS:
if (program_header.p_offset + program_header.p_filesz > file_size) {
LibELF+Kernel: Validate program headers in Image::parse This should catch more malformed ELF files earlier than simply checking the ELF header alone. Also change the API of validate_program_headers to take the interpreter_path by pointer. This makes it less awkward to call when we don't care about the interpreter, and just want the validation.
2020-12-01 09:21:55 +03:00
if (verbose)
dbgprintf("SHENANIGANS! Program header %zu segment leaks beyond end of file!\n", header_index);
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
if ((program_header.p_flags & PF_X) && (program_header.p_flags & PF_W)) {
LibELF+Kernel: Validate program headers in Image::parse This should catch more malformed ELF files earlier than simply checking the ELF header alone. Also change the API of validate_program_headers to take the interpreter_path by pointer. This makes it less awkward to call when we don't care about the interpreter, and just want the validation.
2020-12-01 09:21:55 +03:00
if (verbose)
dbgprintf("SHENANIGANS! Program header %zu segment is marked write and execute\n", header_index);
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
break;
LibELF: Ignore PT_GNU_STACK headers We always map stacks R/W (never X), so we can just ignore this header as far as I understand.
2020-08-20 11:08:02 +03:00
case PT_GNU_STACK:
if (program_header.p_flags & PF_X) {
LibELF+Kernel: Validate program headers in Image::parse This should catch more malformed ELF files earlier than simply checking the ELF header alone. Also change the API of validate_program_headers to take the interpreter_path by pointer. This makes it less awkward to call when we don't care about the interpreter, and just want the validation.
2020-12-01 09:21:55 +03:00
if (verbose)
dbgprintf("Possible shenanigans! Validating an ELF with executable stack.\n");
LibELF: Ignore PT_GNU_STACK headers We always map stacks R/W (never X), so we can just ignore this header as far as I understand.
2020-08-20 11:08:02 +03:00
}
break;
LibELF: Validate PT_GNU_RELRO program header I'm not sure if this is the correct validation. This is based on it being "read-only after relocation".
2020-09-09 10:40:17 +03:00
case PT_GNU_RELRO:
if ((program_header.p_flags & PF_X) && (program_header.p_flags & PF_W)) {
LibELF+Kernel: Validate program headers in Image::parse This should catch more malformed ELF files earlier than simply checking the ELF header alone. Also change the API of validate_program_headers to take the interpreter_path by pointer. This makes it less awkward to call when we don't care about the interpreter, and just want the validation.
2020-12-01 09:21:55 +03:00
if (verbose)
dbgprintf("SHENANIGANS! Program header %zu segment is marked write and execute\n", header_index);
LibELF: Validate PT_GNU_RELRO program header I'm not sure if this is the correct validation. This is based on it being "read-only after relocation".
2020-09-09 10:40:17 +03:00
return false;
}
break;
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
default:
// Not handling other program header types in other code so... let's not surprise them
LibELF+Kernel: Validate program headers in Image::parse This should catch more malformed ELF files earlier than simply checking the ELF header alone. Also change the API of validate_program_headers to take the interpreter_path by pointer. This makes it less awkward to call when we don't care about the interpreter, and just want the validation.
2020-12-01 09:21:55 +03:00
if (verbose)
dbgprintf("Found program header (%zu) of unrecognized type %x!\n", header_index, program_header.p_type);
LibELF: Move validation methods to their own file These validate_elf_* methods really had no business being static methods of ELF::Image. Now that the ELF namespace exists, it makes sense to just move them to be free functions in the namespace.
2020-04-11 21:32:38 +03:00
return false;
}
}
return true;
}
} // end namespace ELF
Reference in New Issue Copy Permalink