
The ELF loader (kernel/loader/elf.c) has no target address verification, allowing arbitrary kernel writes #64

@CupCupRay


Summary

elf_load_at() copies ELF segment data to phdr->p_vaddr without validating the destination address. A user process can craft a malicious ELF binary and call sys_execve to write arbitrary data to any kernel address.

Details

kernel/loader/elf.c:188-195:

// Destination address fully controlled by the ELF file
uint64_t dest_addr = is_pie ? (load_base + phdr->p_vaddr) : phdr->p_vaddr;
void *dest = (void *)dest_addr;
const void *src = base + phdr->p_offset;

// Validation only checks SOURCE data is within file bounds
if (phdr->p_offset > size || phdr->p_filesz > size - phdr->p_offset) {
    return -1;
}

elf_memcpy(dest, src, phdr->p_filesz);  // arbitrary kernel address write

The validation at lines 182-184 only checks that the source data fits within the file. The destination address is completely unvalidated.

Impact

A user process constructs a malicious ELF (valid magic, AArch64 machine type, ET_EXEC type), sets p_vaddr to point at kernel code or page tables, then calls sys_execve. The loader writes segment data to that address.

CRITICAL — Arbitrary kernel code execution: overwrite kernel code or modify page tables for full physical memory access.

Suggested Fix

// Reject any destination outside the user window. The size check is written as a
// subtraction so that dest_addr + p_memsz cannot wrap around 64 bits and pass.
if (dest_addr < USER_CODE_BASE || dest_addr > USER_CODE_END ||
    phdr->p_memsz > USER_CODE_END - dest_addr) {
    printk(KERN_ERR "[ELF] Segment %d: dest 0x%llx outside user range\n", i, dest_addr);
    return -1;
}
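As an added, stand-alone illustration of the destination check (not the project's own code), the function below validates one program header against a user address window before any copy is made, covering the cases a loader has to get right: the existing source bounds check, p_filesz larger than p_memsz, a PIE base that wraps when added to p_vaddr, and a p_memsz chosen so that dest + p_memsz wraps past the end of the address space. The USER_CODE_BASE/USER_CODE_END values and the struct name `seg` are constructed for the example; the field names follow Elf64_Phdr.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed user address window for this example; the real kernel's
 * USER_CODE_BASE / USER_CODE_END values are not given in the report. */
#define USER_CODE_BASE 0x0000000000400000ULL
#define USER_CODE_END  0x0000008000000000ULL

/* Subset of Elf64_Phdr fields the check needs. */
struct seg {
    uint64_t p_offset;
    uint64_t p_vaddr;
    uint64_t p_filesz;
    uint64_t p_memsz;
};

/* Return true only if copying this segment cannot touch memory outside the
 * user window. file_size is the size of the ELF image in memory;
 * load_base is the PIE relocation base (0 for ET_EXEC). */
bool segment_dest_ok(const struct seg *ph, uint64_t file_size,
                     bool is_pie, uint64_t load_base)
{
    /* Source check as in the original loader: file bytes must lie inside the image. */
    if (ph->p_offset > file_size || ph->p_filesz > file_size - ph->p_offset)
        return false;

    /* A segment cannot carry more bytes from the file than it occupies in memory. */
    if (ph->p_filesz > ph->p_memsz)
        return false;

    uint64_t dest = ph->p_vaddr;
    if (is_pie) {
        /* load_base + p_vaddr must not wrap around 64 bits. */
        if (ph->p_vaddr > UINT64_MAX - load_base)
            return false;
        dest = load_base + ph->p_vaddr;
    }

    /* Range check written with subtraction so dest + p_memsz cannot wrap:
     * a naive "dest + p_memsz > USER_CODE_END" is defeated by a huge p_memsz. */
    if (dest < USER_CODE_BASE || dest > USER_CODE_END)
        return false;
    if (ph->p_memsz > USER_CODE_END - dest)
        return false;

    return true;
}
```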
