Kernel+LibELF: Validate PT_LOAD and PT_TLS offsets before memcpy()'ing

Before this, you could make the kernel copy memory from anywhere by setting up an ELF executable with a program header specifying file offsets outside the file. Since ELFImage didn't even know how large it was, we had no clue that we were copying things from outside the ELF. Fix this by adding a size field to ELFImage and validating program header ranges before memcpy()'ing to them. The ELF code is definitely going to need more validation and checking.
author: Andreas Kling <awesomekling@gmail.com> 2020-01-06 21:04:57 +0100
committer: Andreas Kling <awesomekling@gmail.com> 2020-01-06 21:04:57 +0100
commit: 78a63930cca64e78a6ba7ed30d46ec8570dd3bde (patch)
tree: 5e4dc2622d59a9b6f151a4abb964c2db49a02c43 /Libraries/LibELF/ELFDynamicLoader.cpp
parent: 9bf1fe943994b956a7ea1a9aa5cd8097b8df3bb3 (diff)
download: serenity-78a63930cca64e78a6ba7ed30d46ec8570dd3bde.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/Libraries/LibELF/ELFDynamicLoader.cpp b/Libraries/LibELF/ELFDynamicLoader.cpp
index ef1e0e71ed..2a6dcb0780 100644
--- a/Libraries/LibELF/ELFDynamicLoader.cpp
+++ b/Libraries/LibELF/ELFDynamicLoader.cpp
@@ -56,7 +56,7 @@ void* ELFDynamicLoader::symbol_for_name(const char* name)
 
 bool ELFDynamicLoader::load_from_image(unsigned flags)
 {
-    ELFImage elf_image((u8*)m_file_mapping);
+    ELFImage elf_image((u8*)m_file_mapping, m_file_size);
 
     m_valid = elf_image.is_valid() && elf_image.is_dynamic();
author	Andreas Kling <awesomekling@gmail.com>	2020-01-06 21:04:57 +0100
committer	Andreas Kling <awesomekling@gmail.com>	2020-01-06 21:04:57 +0100
commit	78a63930cca64e78a6ba7ed30d46ec8570dd3bde (patch)
tree	5e4dc2622d59a9b6f151a4abb964c2db49a02c43 /Libraries/LibELF/ELFDynamicLoader.cpp
parent	9bf1fe943994b956a7ea1a9aa5cd8097b8df3bb3 (diff)
download	serenity-78a63930cca64e78a6ba7ed30d46ec8570dd3bde.zip