Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Advisories: GSA_kwCzR0hTQS1nNnB3LTk5OXctajc1bc4AAxG5
ELF header parsing library doesn't check for valid offset
The crate has several unsafe sections that don't perform proper pointer validation.
An example can be found in the following function:
fn section_header_raw(&self) -> &[ET::SectionHeader] {
let sh_off = self.elf_header().section_header_offset() as usize;
let sh_num = self.elf_header().section_header_entry_num() as usize;
unsafe {
let sh_ptr = self.content().as_ptr().add(sh_off);
from_raw_parts(sh_ptr as *const ET::SectionHeader, sh_num)
}
}
While this will work perfectly fine if the ELF header is valid, malicious or malformed input can contain a section header offset of an arbitrary size, meaning that the resultant pointer in the unsafe block can point to an artibrary address in the address space of the process.
This can result in unpredictable behaviour, and in our fuzz testing, we discovered that it's trivial to cause SIGABRT (signal 6), or SEGV (signal 11).
The function should either be marked as unsafe, with a note that the caller is responsible for providing only valid inputs, or it should ideally do the due diligence to ensure that the offset doesn't exceed the bounds of the header (and add additional checks as necessary).
Permalink: https://github.com/advisories/GHSA-g6pw-999w-j75mSource: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 8 days ago
Updated: 8 days ago
Identifiers: GHSA-g6pw-999w-j75m
References:
- https://github.com/vincenthouyi/elf_rs/issues/11
- https://rustsec.org/advisories/RUSTSEC-2022-0079.html
- https://github.com/advisories/GHSA-g6pw-999w-j75m
Affected Packages
cargo:elf_rs
Versions: < 0.3.0Fixed in: 0.3.0