Re: ELF loader naivety fix

David S. Miller (davem@dm.cobaltmicro.com)
Tue, 7 Jul 1998 15:35:15 -0700


   Date: Tue, 7 Jul 1998 22:08:57 +0200 (MET DST)
   From: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>

   It seems the routines interpreting ELF headers trust them more than
   necessary. To be specific:

   1) do_load_elf_binary() can be confused by odd values of e_phentsize

   impact: the kernel may be coaxed to access the memory outside the
   area it has kmalloc()'ed for the phdr table

   fix: the kernel refuses to load the binary if e_phentsize !=
   sizeof(elf_phdr) (check reused from do_load_elf_interpret())

   I have also added this check to do_load_elf_library() to make
   things consistent (even if it does not use the value)

I think this is an unwise change.

The designers of the ELF format specifically detached these two sizes
so that in the future they could, for example, extend the phdr with
new contents at the end which have no effect if ignored. The
intention is that the binary format could be extended yet still read
properly by older conforming implementations.

Your change prevents that goal from being realized; it also makes us
non-conformant. Therefore I'd suggest that this be fixed in
another way.

   [ Actually, this is quite serious because it is possible to make the
   loader block forever when it opens the interpreter (e.g. if the
   filename points at a fifo). One needs only several processes of this
   sort to hoard all kernel memory. ]

We check these days in both 2.0.34 and 2.0.10? whether the file we are
opening is a true regular file or not. Previously you could do fun
things like make the kernel open up /dev/cdrom as the interpreter etc.

Later,
David S. Miller
davem@dm.cobaltmicro.com
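As an added example (not part of this thread or of the kernel source), here is the kind of alternative fix David alludes to, in C: rather than demanding e_phentsize == sizeof(elf_phdr), a loader accepts any entry size at least that large, bounds-checks the whole table against the file it was read from, and walks the table with e_phentsize as the stride, so a future extended phdr is still read correctly while a too-small or out-of-range table is rejected before any memory is touched. The struct layouts, the checker, and the make_image() sample builder are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef struct {                                  /* ELF64 header, only fields used here */
    unsigned char e_ident[16]; uint16_t e_type, e_machine; uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf64Hdr;                                       /* 64 bytes, as on disk */
typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} Elf64Phdr;                                      /* 56 bytes */
/* Bounds-check the phdr table before allocating or walking it: each entry must be
 * at least as large as the struct we know (a larger e_phentsize is the ELF extension
 * mechanism and is accepted) and the whole table must lie inside the image.
 * Returns e_phnum, or -1 if the header cannot be trusted. */
int elf_phdr_table_check(const unsigned char *img, size_t img_len)
{
    Elf64Hdr eh;
    if (img_len < sizeof eh || memcmp(img, "\177ELF", 4) != 0) return -1;
    memcpy(&eh, img, sizeof eh);
    if (eh.e_phentsize < sizeof(Elf64Phdr)) return -1;      /* entry too small */
    uint64_t table = (uint64_t)eh.e_phentsize * eh.e_phnum; /* 16-bit operands: no overflow */
    if (eh.e_phoff > img_len || table > img_len - eh.e_phoff) return -1; /* off the end */
    return eh.e_phnum;
}
/* Read entry i with e_phentsize as the stride, so trailing extension bytes are
 * skipped rather than misparsed. Valid only after elf_phdr_table_check() passed. */
Elf64Phdr elf_phdr_at(const unsigned char *img, int i)
{
    Elf64Hdr eh; Elf64Phdr ph;
    memcpy(&eh, img, sizeof eh);
    memcpy(&ph, img + eh.e_phoff + (size_t)i * eh.e_phentsize, sizeof ph);
    return ph;
}
/* Constructed sample: header followed by phnum entries of phentsize bytes, each
 * a PT_LOAD (p_type 1). Returns the image length, or 0 if cap is too small. */
size_t make_image(unsigned char *buf, size_t cap, uint16_t phentsize, uint16_t phnum)
{
    Elf64Hdr eh = {0};
    Elf64Phdr ph = { .p_type = 1, .p_vaddr = 0x400000, .p_align = 0x1000 };
    size_t len = sizeof eh + (size_t)phentsize * phnum, n = phentsize < sizeof ph ? phentsize : sizeof ph;
    if (len > cap) return 0;
    memcpy(eh.e_ident, "\177ELF\2\1\1", 7);               /* ELFCLASS64, LSB, version 1 */
    eh.e_phoff = sizeof eh; eh.e_phentsize = phentsize; eh.e_phnum = phnum;
    memset(buf, 0, len);
    memcpy(buf, &eh, sizeof eh);
    for (unsigned i = 0; i < phnum; i++) memcpy(buf + sizeof eh + (size_t)i * phentsize, &ph, n);
    return len;
}
```

A real loader would perform the same check against the size of the file it is about to read the table from, before the kmalloc() that Pavel's report mentions.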
