Missing e_shentsize validation causes heap OOB read on shdr[] array
All 7 are root-only (kldload needs SYSCAP_NOKLD), defense-in-depth (root
already owns the kernel via a valid .ko's SYSINIT), and several are analogues
of the link_elf_obj.c findings DF-0040/41/42 in this sibling file.
DF-0057 โ Missing e_shentsize validation โ heap OOB read on shdr[]
| Field | Value |
|---|---|
| Severity | Low |
kmalloc(e_shnum*e_shentsize) (:593) but no e_shentsize == sizeof(Elf_Shdr)
check; shdr[i] indexed with 64-byte stride. If e_shentsize < 64 the allocation
is too small โ shdr[i] OOB read. Sibling link_elf_obj.c:499 validates; this
file omits. Fix: reject e_shentsize != sizeof(Elf_Shdr).
DF-0058 โ Unbounded sh_link โ symstrindex OOB read (DF-0040 analogue, worse)
| Field | Value |
|---|---|
| Severity | Low |
symstrindex = shdr[i].sh_link (Elf64_Word) set with no bounds check vs
e_shnum (DF-0040 in link_elf_obj.c had an off-by-one >; this file has zero
check). shdr[symstrindex].sh_size/sh_offset deref at :612/:620 is OOB if
symstrindex >= e_shnum. Fix: if (shdr[i].sh_link >= hdr->e_shnum) continue;.
DF-0059 โ Uninitialized segs[1]/segs[0] dereference when fewer than 2 PT_LOAD
| Field | Value |
|---|---|
| Severity | Low |
segs[2] uninitialized stack (:399); :531 checks phdyn != NULL but not
nsegs == 2; :541-542 unconditionally derefs segs[0]/segs[1]. Crafted ELF
with PT_DYNAMIC but 0/1 PT_LOAD โ wild deref โ panic. Fix: require
nsegs == 2 before the derefs.
DF-0060 โ DT_HASH d_ptr dereferenced without bounds โ wild kernel read
| Field | Value |
|---|---|
| Severity | Low |
parse_dynamic DT_HASH: hashtab = ef->address + dp->d_un.d_ptr with no
d_ptr < lf->size check; immediate hashtab[0]/hashtab[1] deref โ wild read
from ef->address + arbitrary_offset. Same gap in DT_STRTAB/DT_SYMTAB/DT_REL/
DT_RELA/DT_JMPREL/DT_PLTGOT. Fix: if (dp->d_un.d_ptr >= lf->size) return ENOEXEC;
in each case.
DF-0061 โ Relocation r_offset never bounds-checked (DF-0042 analogue, wild write)
| Field | Value |
|---|---|
| Severity | Low |
relocate_file dispatches each rel/rela to elf_reloc with no
r_offset < lf->size check; arch helper (elf_machdep.c:90) writes
*(relocbase + r_offset). Crafted r_offset yields wild write of symbol-resolved
value past the module buffer. Same gap in link_elf_reloc_local (:1024-1051).
Fix: skip r_offset >= lf->size entries.
DF-0062 โ Unbounded st_name into strtab (DF-0041 analogue, OOB read via strcmp)
| Field | Value |
|---|---|
| Severity | Low |
Every strtab name site does ef->strtab + symp->st_name without checking
st_name < ef->strsz; strtab has no guaranteed NUL; crafted st_name >= strsz
โ strcmp walks off the allocation (panic / heap info-leak). Fix: guard
st_name < strsz/ddbstrcnt at each site; NUL-terminate the strtab allocation.
DF-0063 โ Hash-chain cycle in link_elf_lookup_symbol โ infinite-loop DoS
| Field | Value |
|---|---|
| Severity | Low |
while (symnum != STN_UNDEF) follows ef->chains[symnum] (attacker-controlled
module buffer); the bounds check at :813 only rejects symnum >= nchains, no
cycle detection; crafted 2-cycle (chains[1]=2, chains[2]=1) โ infinite loop
pinning a CPU during relocate_file. Fix: cap iterations at nchains
(a valid chain visits each symbol at most once).
Common notes
All 7 are root-only defense-in-depth. Each has a concrete, one-line or few-line
fix. The fixes for DF-0058/0061/0062 mirror the fixes already proposed for
DF-0040/0042/0041 in the sibling link_elf_obj.c.