link_elf: Uncapped dynamic-section walk (parse_dynamic)
Needs ReviewPublic
Actions

Authored by thebugfixers_pm.me on Wed, Jun 24, 9:41 AM.

Details

Reviewers

None

Group Reviewers

Src Committers
Contributor Reviews (src)

Summary

There is no limit on how far this loop advances. If the PT_DYNAMIC segment is malformed and lacks a DT_NULL terminator within its bounds, the kernel scans forward indefinitely.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

thebugfixers_pm.me created this revision.Wed, Jun 24, 9:41 AM

Herald added subscribers: olce, imp. · View Herald TranscriptWed, Jun 24, 9:41 AM

thebugfixers_pm.me requested review of this revision.Wed, Jun 24, 9:41 AM

thebugfixers_pm.me added a parent revision: D57785: link_elf: Guard against subtraction underflow.Fri, Jun 26, 5:25 PM

Revision Contents
Changeset List

Path

Size

sys/

kern/

link_elf.c

5 lines

Diff 180515

View Options

link_elf: Uncapped dynamic-section walk (parse_dynamic)Needs ReviewPublicActions