On Tue, Aug 13, 2024 at 2:29 AM Andrii Nakryiko <andrii@xxxxxxxxxx> wrote:
> Harden build ID parsing logic, adding explicit READ_ONCE() where it's
> important to have a consistent value read and validated just once.
>
> Also, as pointed out by Andi Kleen, we need to make sure that entire ELF
> note is within a page bounds, so move the overflow check up and add an
> extra note_size boundaries validation.
>
> Fixes tag below points to the code that moved this code into
> lib/buildid.c, and then subsequently was used in perf subsystem, making
> this code exposed to perf_event_open() users in v5.12+.
Sorry, I missed some things in previous review rounds:
[...]
> @@ -18,31 +18,37 @@ static int parse_build_id_buf(unsigned char *build_id,
[...]
> if (nhdr->n_type == BUILD_ID &&
> - nhdr->n_namesz == sizeof("GNU") &&
> - !strcmp((char *)(nhdr + 1), "GNU") &&
> - nhdr->n_descsz > 0 &&
> - nhdr->n_descsz <= BUILD_ID_SIZE_MAX) {
> - memcpy(build_id,
> - note_start + note_offs +
> - ALIGN(sizeof("GNU"), 4) + sizeof(Elf32_Nhdr),
> - nhdr->n_descsz);
> - memset(build_id + nhdr->n_descsz, 0,
> - BUILD_ID_SIZE_MAX - nhdr->n_descsz);
> + name_sz == note_name_sz &&
> + strcmp((char *)(nhdr + 1), note_name) == 0 &&
Please change this to something like "memcmp((char *)(nhdr + 1),
note_name, note_name_sz) == 0" to ensure that we can't run off the end
of the page if there are no null bytes in the rest of the page.
[...]
> @@ -90,8 +97,8 @@ static int get_build_id_32(const void *page_addr, unsigned char *build_id,
> for (i = 0; i < ehdr->e_phnum; ++i) {
Please change this to "for (i = 0; i < phnum; ++i) {" like in the
64-bit version.
With these two changes applied:
Reviewed-by: Jann Horn <jannh@xxxxxxxxxx>
