rustsec-2022-0079
Vulnerability from osv_rustsec
Published
2022-10-31 12:00
Modified
2023-06-13 13:10
Summary
ELF header parsing library doesn't check for valid offset
Details

The crate has several unsafe sections that don't perform proper pointer validation.

An example can be found in the following function:

fn section_header_raw(&self) -> &[ET::SectionHeader] {
    let sh_off = self.elf_header().section_header_offset() as usize;
    let sh_num = self.elf_header().section_header_entry_num() as usize;
    unsafe {
        let sh_ptr = self.content().as_ptr().add(sh_off);
        from_raw_parts(sh_ptr as *const ET::SectionHeader, sh_num)
    }
}

While this will work perfectly fine if the ELF header is valid, malicious or malformed input can contain a section header offset of an arbitrary size, meaning that the resultant pointer in the unsafe block can point to an artibrary address in the address space of the process.

This can result in unpredictable behaviour, and in our fuzz testing, we discovered that it's trivial to cause SIGABRT (signal 6), or SEGV (signal 11).

The function should either be marked as unsafe, with a note that the caller is responsible for providing only valid inputs, or it should ideally do the due diligence to ensure that the offset doesn't exceed the bounds of the header (and add additional checks as necessary).

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "memory-corruption"
        ],
        "cvss": null,
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "elf_rs",
        "purl": "pkg:cargo/elf_rs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.3.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "GHSA-g6pw-999w-j75m"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "The crate has several unsafe sections that don\u0027t perform proper pointer validation.\n\nAn example can be found in the following function:\n\n```\nfn section_header_raw(\u0026self) -\u003e \u0026[ET::SectionHeader] {\n    let sh_off = self.elf_header().section_header_offset() as usize;\n    let sh_num = self.elf_header().section_header_entry_num() as usize;\n    unsafe {\n        let sh_ptr = self.content().as_ptr().add(sh_off);\n        from_raw_parts(sh_ptr as *const ET::SectionHeader, sh_num)\n    }\n}\n```\n\nWhile this will work perfectly fine *if* the ELF header is valid, malicious or\nmalformed input can contain a section header offset of an arbitrary size, meaning\nthat the resultant pointer in the unsafe block can point to an artibrary address\nin the address space of the process.\n\nThis can result in unpredictable behaviour, and in our fuzz testing, we discovered\nthat it\u0027s trivial to cause SIGABRT (signal 6), or SEGV (signal 11).\n\nThe function should either be marked as unsafe, with a note that the caller is responsible\nfor providing only valid inputs, or it should ideally do the due diligence to ensure that the\noffset doesn\u0027t exceed the bounds of the header (and add additional checks as necessary).",
  "id": "RUSTSEC-2022-0079",
  "modified": "2023-06-13T13:10:24Z",
  "published": "2022-10-31T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/elf_rs"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0079.html"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/vincenthouyi/elf_rs/issues/11"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "ELF header parsing library doesn\u0027t check for valid offset"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.