Re: ELF loader naivity fix

Pavel Kankovsky (peak@kerberos.troja.mff.cuni.cz)
Wed, 8 Jul 1998 21:54:25 +0200 (MET DST)


On Tue, 7 Jul 1998, David S. Miller wrote:

> fix: the kernel refuses to load the binary if e_phentsize !=
> sizeof(elf_phdr) (check reused from do_load_elf_interpret())
[...]
> I think this is an unwise change.
>
> The designers of the ELF format specifically detached these two sizes
> so that in the future they could, for example, extend the phdr with
> new contents at the end which have no effect if ignored. The
> intention is that the binary format could be extended yet still read
> properly by older conforming implementations.
>
> Your change prevents that goal from being realized, it also makes us
> non-conformant. So therefore I'd suggest that this is fixed in
> another way.

Then the ORIGINAL code is broken because it makes the implicit assumption
e_phentsize == sizeof(struct elf_phdr) when it increments elf_ppnt
(declared as elf_phdr *). My change makes this assumption explicit and
prevents a disaster when the assumption is violated.

> [ Actually, this is quite serious because it is possible to make the
> loader block forever when it opens the interpreter (e.g. if the
> filename points at a fifo). One needs only several processes of this
> sort to hoard all kernel memory. ]
>
> We check these days in both 2.0.34 and 2.0.10? whether the file we are
> opening is a true regular file or not. Previously you could do fun
> things like make the kernel open up /dev/cdrom as the interpreter etc.

Hmmm... yes, there is a check in 2.0.34. I missed it. (OTOH, I can't find
it in 2.1.108?! Am I blind?) Nevertheless, this does not invalidate the
problem; it just makes its exploitation (considerably) harder.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"You can't be truly paranoid unless you're sure they have already got you."
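An added example in C, not from the thread or the kernel source, contrasting the two walks the message is about: a naive `elf_phdr *` increment, which silently assumes `e_phentsize == sizeof(struct elf_phdr)`, beside a walk that steps by `e_phentsize` and bounds-checks the table, so that the larger-entry extension David describes is accepted while an undersized or out-of-file table is rejected. The `phdr32` struct, the constants and the sample table are constructed here for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Minimal ELF32 program header; field order and sizes follow the ELF spec
 * (constructed here, not taken from the kernel headers). */
typedef struct {
    uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align;
} phdr32;
#define PT_LOAD   1
#define PT_INTERP 3

/* Naive walk, as in the original loader: incrementing a phdr32 pointer
 * implicitly assumes e_phentsize == sizeof(phdr32). Counts PT_LOAD entries. */
int count_load_naive(const uint8_t *phtab, uint16_t phnum) {
    const phdr32 *p = (const phdr32 *)phtab;
    int n = 0;
    for (uint16_t i = 0; i < phnum; i++, p++)
        if (p->p_type == PT_LOAD) n++;
    return n;
}

/* Conforming walk: validate the table, then step by e_phentsize. Entries
 * larger than phdr32 are accepted and their trailing bytes ignored, as the
 * format intends; entries too small to hold a phdr32, or a table that does
 * not fit in the file, return -1 instead of being read out of bounds. */
int count_load_checked(const uint8_t *file, size_t filesz,
                       uint32_t phoff, uint16_t phentsize, uint16_t phnum) {
    if (phentsize < sizeof(phdr32)) return -1;
    if (phoff > filesz || (uint64_t)phnum * phentsize > filesz - phoff) return -1;
    int n = 0;
    for (uint16_t i = 0; i < phnum; i++) {
        phdr32 ph;
        memcpy(&ph, file + phoff + (size_t)i * phentsize, sizeof ph);
        if (ph.p_type == PT_LOAD) n++;
    }
    return n;
}

/* Constructed sample table: 3 entries, e_phentsize = 40, i.e. 8 bytes of
 * hypothetical extension after each 32-byte phdr32. Returns bytes written. */
enum { PHENT = 40, PHNUM = 3 };
size_t build_sample(uint8_t *buf, size_t cap) {
    static const uint32_t types[PHNUM] = { PT_LOAD, PT_INTERP, PT_LOAD };
    if (cap < (size_t)PHENT * PHNUM) return 0;
    memset(buf, 0, (size_t)PHENT * PHNUM);
    for (int i = 0; i < PHNUM; i++) {
        phdr32 ph = { .p_type = types[i], .p_offset = 0x1000u * (uint32_t)(i + 1) };
        memcpy(buf + i * PHENT, &ph, sizeof ph);
    }
    return (size_t)PHENT * PHNUM;
}
```

On the sample table the naive walk lands on the padding and on the middle of the second entry, so it reports one PT_LOAD where the checked walk reports two.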
