DF-0040
Section-header index not bounds-checked against e_shnum in link_elf_obj_load_file (heap OOB read)
| Field | Value |
|---|---|
| ID | DF-0040 |
| Status | new |
| Severity | Low |
| CVSS 3.1 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H |
| CWE | CWE-125 Out-of-bounds Read |
| File | sys/kern/link_elf_obj.c |
| Lines | 551 (symstrindex off-by-one), 603-604 (e_shstrndx) |
| Area | kern |
| Confidence | certain |
| Discovered | 2026-06-29 |
| Reported | pending |
Summary
link_elf_obj_load_file indexes shdr[] with two attacker-controlled indices
without a correct < e_shnum guard: :551 uses symstrindex > e_shnum
instead of >= (so a crafted sh_link == e_shnum reads shdr[e_shnum], one
past the array), and :603-604 indexes shdr[e_shstrndx] with no
e_shstrndx < e_shnum check (so an e_shstrndx up to 65535 reads far past the
allocation). Both are heap OOB reads of attacker-influenced extent. The preload
path link_elf_obj_preload_file uses the correct >= form (:245-248),
confirming the load_file checks are regressions.
Root cause
if (symstrindex < 0 || symstrindex > hdr->e_shnum || /* should be >= */
shdr[symstrindex].sh_type != SHT_STRTAB) {
sys/kern/link_elf_obj.c:603-604:
if (hdr->e_shstrndx != 0 &&
shdr[hdr->e_shstrndx].sh_type == SHT_STRTAB) { /* no < e_shnum check */
shdr is kmalloc(e_shnum*sizeof(Elf_Shdr)) (:503). Correct bounds are in
link_elf_obj_preload_file (:245-248, uses >=).
Threat model & preconditions
- Attacker position: root via
kldload(2)(SYSCAP_NOKLD, securelevel 0); ELF bytes fully attacker-controlled. Root already owns the kernel (a valid.ko'sSYSINITruns in kernel context), so this grants no new privilege โ it is robustness/defense-in-depth (matters for verified-boot / securelevel / restricted-module scenarios and clean panic-free parsing). - Privileges gained or impact: heap OOB read of
M_LINKERmemory; panic if it crosses into unmapped pages (local DoS), or attacker-influencedsh_type/sh_size/sh_offsetvalues then drivekmalloc/vn_rdwr. - Reachability:
kldload(2)of a crafted.kowithsh_link == e_shnumand/ore_shstrndx >= e_shnum.
Recommended fix
--- a/sys/kern/link_elf_obj.c
+++ b/sys/kern/link_elf_obj.c
@@ -551
- if (symstrindex < 0 || symstrindex > hdr->e_shnum ||
+ if (symstrindex < 0 || symstrindex >= hdr->e_shnum ||
@@ -603
if (hdr->e_shstrndx != 0 &&
+ hdr->e_shstrndx < hdr->e_shnum &&
shdr[hdr->e_shstrndx].sh_type == SHT_STRTAB) {
References
sys/kern/link_elf_obj.c:551,603-604โ the unchecked indices.sys/kern/link_elf_obj.c:245-248โ preload's correct>=bounds.- CWE-125 Out-of-bounds Read.
Timeline
- 2026-06-29 Discovered during automated file-by-file audit of
sys/kern/link_elf_obj.c. - pending Reported to DragonFlyBSD security contact.