This is the mail archive of the elfutils-devel@sourceware.org mailing list for the elfutils project.



robustify branch


I'd like to ask you to reconsider merging the robustify branch.
It prevents crashes, buffer overruns, and confusions resulting
from extremely bogus ELF header data in input files, such as
fields that could cause integer overflow.

In the past you said that you did not want libelf and utilities
to add any code to cope with abjectly bogus data.  I take it your
sentiment is that you should just not work with ELF files of
untrusted origin, ever.  In many ways I think that is quite
reasonable, but in practice it's not always feasible to avoid
even looking at some unknown file.  Things happen, and people
lose track of where things came from, and can't always just toss
them when they are not sure.  I think it is reasonable to expect
to have a robust tool that tells you whether a file is too bogus
to look at or not.

Fedora and RHEL have been carrying this patch (and will) forever,
so it's in the code that everybody is actually using anyway.

In my -O2 build (F11/x86_64) it bloats libelf's text by 0.83%,
elflint's by 0.56%, readelf's by 0.40%, and strip's by 0.07%.

elflint is the tool you use to decide whether an ELF file is safe
to work with or is too bogus to feed to anything else.  readelf
is the tool you use to figure out exactly what's wrong with it,
whether diagnosing build tool bugs or investigating an actual
maliciously composed bogus binary.

libelf is the common dependency that elflint and readelf both
must rely on for the lowest-level bits of their robustness.
libelf is also the only part of our suite that is used in an
unknown variety of third-party and user applications that may
have expectations of robust diagnosis of all possible bad input
data (which is a fairly normal expectation out there).

strip is something that nobody should apply to random unknown
binaries.  But we have real-world experience from admins
(misguided as they may be) blindly applying it to ELF files,
likely being stupid enough to do that in privileged situations,
and being unnerved by the possibility of strip being exploited
with buffer overruns in maliciously composed bogus ELF files.
And anyway, 0.07%.


Thanks,
Roland
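
The header checks the message argues for, as an added example (not elfutils' own code): a small ELF64 header validator that bounds-checks `e_phoff`/`e_phnum`/`e_phentsize` and `e_shoff`/`e_shnum`/`e_shentsize` against the file size with overflow-safe arithmetic, next to the naive `off + n * es <= fsize` test that a wrapped offset slips past. It assumes little-endian ELF64 input only, leaves out extended section numbering (`e_shnum == 0` with the real count in section 0), and builds its headers in memory rather than reading real files.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EHDR64_SIZE 64
#define ELFCLASS64  2
#define ELFDATA2LSB 1
#define SHN_XINDEX  0xffff

enum elf_verdict {
    ELF_OK = 0,
    ELF_TOO_SHORT,      /* buffer smaller than an ELF64 header */
    ELF_BAD_MAGIC,      /* not \x7fELF */
    ELF_UNSUPPORTED,    /* not ELF64 little-endian (example keeps one case) */
    ELF_BAD_PHDR_TABLE, /* program header table wraps or leaves the file */
    ELF_BAD_SHDR_TABLE, /* section header table wraps or leaves the file */
    ELF_BAD_SHSTRNDX    /* section-name string table index out of range */
};

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t rd64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static void wr16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8); }
static void wr64(unsigned char *p, uint64_t v)
{
    for (int i = 0; i < 8; i++) p[i] = (unsigned char)(v >> (8 * i));
}

/* Naive test: with a bogus offset near UINT64_MAX the sum wraps and a table
   lying far outside the file is accepted. Kept only to contrast with table_fits(). */
int table_fits_naive(uint64_t off, uint64_t n, uint64_t es, uint64_t fsize)
{
    return off + n * es <= fsize;
}

/* Overflow-safe test: each arithmetic step is guarded before it is done. */
int table_fits(uint64_t off, uint64_t n, uint64_t es, uint64_t fsize)
{
    if (n == 0) return 1;                 /* no table, nothing to check */
    if (es == 0) return 0;                /* zero-sized entries are bogus */
    if (n > UINT64_MAX / es) return 0;    /* n * es would wrap */
    uint64_t total = n * es;
    if (off > fsize) return 0;            /* table starts past end of file */
    return total <= fsize - off;          /* cannot wrap: off <= fsize here */
}

enum elf_verdict check_elf64_header(const unsigned char *buf, size_t fsize)
{
    if (fsize < EHDR64_SIZE) return ELF_TOO_SHORT;
    if (memcmp(buf, "\x7f" "ELF", 4) != 0) return ELF_BAD_MAGIC;
    if (buf[4] != ELFCLASS64 || buf[5] != ELFDATA2LSB) return ELF_UNSUPPORTED;

    uint64_t phoff = rd64(buf + 32), shoff = rd64(buf + 40);
    uint16_t phentsize = rd16(buf + 54), phnum = rd16(buf + 56);
    uint16_t shentsize = rd16(buf + 58), shnum = rd16(buf + 60);
    uint16_t shstrndx = rd16(buf + 62);

    if (!table_fits(phoff, phnum, phentsize, fsize)) return ELF_BAD_PHDR_TABLE;
    if (!table_fits(shoff, shnum, shentsize, fsize)) return ELF_BAD_SHDR_TABLE;
    /* e_shnum == 0 with e_shoff != 0 is extended numbering; not handled here. */
    if (shnum != 0 && shstrndx != SHN_XINDEX && shstrndx >= shnum) return ELF_BAD_SHSTRNDX;
    return ELF_OK;
}

/* Constructed 64-byte ELF64 LSB header with the given table fields, so the
   checks can be exercised without touching a real file. */
void build_header(unsigned char *buf, uint64_t phoff, uint16_t phentsize, uint16_t phnum,
                  uint64_t shoff, uint16_t shentsize, uint16_t shnum, uint16_t shstrndx)
{
    memset(buf, 0, EHDR64_SIZE);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = ELFCLASS64; buf[5] = ELFDATA2LSB; buf[6] = 1;   /* EV_CURRENT */
    wr64(buf + 32, phoff); wr64(buf + 40, shoff);
    wr16(buf + 52, EHDR64_SIZE);                             /* e_ehsize */
    wr16(buf + 54, phentsize); wr16(buf + 56, phnum);
    wr16(buf + 58, shentsize); wr16(buf + 60, shnum);
    wr16(buf + 62, shstrndx);
}

/* Build a constructed header and validate it as if the file were fsize bytes. */
enum elf_verdict check_constructed(uint64_t phoff, uint16_t phentsize, uint16_t phnum,
                                   uint64_t shoff, uint16_t shentsize, uint16_t shnum,
                                   uint16_t shstrndx, size_t fsize)
{
    unsigned char h[EHDR64_SIZE];
    build_header(h, phoff, phentsize, phnum, shoff, shentsize, shnum, shstrndx);
    return check_elf64_header(h, fsize);
}

int main(void)
{
    /* A 256-byte file whose e_shoff has been set near UINT64_MAX. */
    uint64_t bogus = 0xFFFFFFFFFFFFFFF0ULL;
    printf("naive check accepts: %d, guarded check accepts: %d, verdict: %d\n",
           table_fits_naive(bogus, 3, 64, 256), table_fits(bogus, 3, 64, 256),
           (int)check_constructed(0, 0, 0, bogus, 64, 3, 1, 256));
    return 0;
}
```

The guarded version is the shape of check that matters in libelf rather than only in elflint: every caller that later indexes the section header table relies on `off + n * es` having been proven to lie inside the mapping, and that proof has to be made with arithmetic that cannot wrap.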
