Unbounded st_name / sh_name offsets into symbol/section string tables (heap OOB read via strcmp)
| Field | Value |
|---|---|
| ID | DF-0041 |
| Status | new |
| Severity | Low |
| CVSS 3.1 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H |
| CWE | CWE-125 Out-of-bounds Read |
| File | sys/kern/link_elf_obj.c |
| Lines | 304, 707, 935, 1035, 1052, 1161, 1195 |
| Area | kern |
| Confidence | likely |
| Discovered | 2026-06-29 |
| Reported | pending |
Summary
Every site that resolves a name from ddbstrtab or shstrtab computes
strtab + st_name (or + sh_name) without verifying the uint32 offset is
< ddbstrcnt/shstrcnt. The string tables are kmalloc'd to exactly
sh_size with no guaranteed NUL terminator, so strcmp/strncmp on a crafted
out-of-range (or non-terminated) st_name/sh_name reads past the allocation
until it hits a NUL or an unmapped page (panic / limited heap info-leak). Sites:
:304 (preload sh_name), :707 (load sh_name), :935 (symbol_name),
:1035/:1052 (lookup_symbol/symbol_values), :1161 (elf_obj_lookup),
:1195 (fix_link_set).
Root cause
sys/kern/link_elf_obj.c:1035 (link_elf_obj_lookup_symbol):
strp = ef->ddbstrtab + symp->st_name; /* symp->st_name is Elf64_Word; ddbstrcnt never checked */
... strcmp(name, strp) ...
Allocations (:591, :607) give exactly sh_size bytes with no trailing NUL
and no per-symbol offset validation.
Threat model & preconditions
- Attacker position: root via
kldload(2)(also reachable post-load viakldsym(2)/dependency resolution/ddb lookups). Root already owns the kernel, so defense-in-depth. - Privileges gained or impact: heap OOB read (panic if it crosses unmapped pages; limited heap-layout leak via match behavior). No new privilege.
- Reachability:
kldload(2)of a.kowhose symtab hasst_name >= strtab size(or an interior non-terminated offset).
Recommended fix
Guard each name access against the table count, and NUL-terminate the allocations (+1) so in-range-but-unterminated offsets cannot run off the end:
@@ -1034
for (i = 0, symp = ef->ddbsymtab; i < ef->ddbsymcnt; i++, symp++) {
+ if (symp->st_name >= (Elf64_Word)ef->ddbstrcnt)
+ continue;
strp = ef->ddbstrtab + symp->st_name;
@@ -590
- ef->ddbstrtab = kmalloc(shdr[symstrindex].sh_size, M_LINKER, M_WAITOK);
+ ef->ddbstrtab = kmalloc(shdr[symstrindex].sh_size + 1, M_LINKER, M_WAITOK);
+ ef->ddbstrtab[ef->ddbstrcnt] = '\0';
@@ -606
- ef->shstrtab = kmalloc(shdr[shstrindex].sh_size, M_LINKER, M_WAITOK);
+ ef->shstrtab = kmalloc(shdr[shstrindex].sh_size + 1, M_LINKER, M_WAITOK);
+ ef->shstrtab[ef->shstrcnt] = '\0';
(apply the same >= ddbstrcnt guard at :935,:1052,:1161,:1195 and
>= shstrcnt for sh_name at :304,:707).
References
sys/kern/link_elf_obj.c:1035,935,1052,1161,1195,304,707— unbounded name offsets.- CWE-125 Out-of-bounds Read.
Timeline
- 2026-06-29 Discovered during automated file-by-file audit of
sys/kern/link_elf_obj.c. - pending Reported to DragonFlyBSD security contact.