On Tue, Aug 13, 2024 at 2:29 AM Andrii Nakryiko andrii@kernel.org wrote:
Harden build ID parsing logic, adding explicit READ_ONCE() where it's important to have a consistent value read and validated just once.
Also, as pointed out by Andi Kleen, we need to make sure that entire ELF note is within a page bounds, so move the overflow check up and add an extra note_size boundaries validation.
Fixes tag below points to the code that moved this code into lib/buildid.c, and then subsequently was used in perf subsystem, making this code exposed to perf_event_open() users in v5.12+.
Sorry, I missed some things in previous review rounds:
[...]
@@ -18,31 +18,37 @@ static int parse_build_id_buf(unsigned char *build_id,
[...]
if (nhdr->n_type == BUILD_ID &&
nhdr->n_namesz == sizeof("GNU") &&!strcmp((char *)(nhdr + 1), "GNU") &&nhdr->n_descsz > 0 &&nhdr->n_descsz <= BUILD_ID_SIZE_MAX) {memcpy(build_id,note_start + note_offs +ALIGN(sizeof("GNU"), 4) + sizeof(Elf32_Nhdr),nhdr->n_descsz);memset(build_id + nhdr->n_descsz, 0,BUILD_ID_SIZE_MAX - nhdr->n_descsz);
name_sz == note_name_sz &&strcmp((char *)(nhdr + 1), note_name) == 0 &&
Please change this to something like "memcmp((char *)(nhdr + 1), note_name, note_name_sz) == 0" to ensure that we can't run off the end of the page if there are no null bytes in the rest of the page.
[...]
@@ -90,8 +97,8 @@ static int get_build_id_32(const void *page_addr, unsigned char *build_id, for (i = 0; i < ehdr->e_phnum; ++i) {
Please change this to "for (i = 0; i < phnum; ++i) {" like in the 64-bit version.
With these two changes applied:
Reviewed-by: Jann Horn jannh@google.com