Xen Test Framework
XSA-194

Advisory: XSA-194

When a guest requests BSD_SYMTAB, some versions of libelf use a packed struct containing an Elf header and three Section headers. These headers, however, are each a union of their 32 and 64bit variants, resulting in padding between the headers when building the BSD symtab for a 32bit PV guest.

As a consequence, the contents of libelf's stack get leaked into the padding.

Spotting leakage in the Elf header is easy.

Spotting leakage in the Section headers is not. All buggy versions of libelf (at the time of writing) erroneously set Elf32_Ehdr.e_shentsize to sizeof(Elf32_Shdr), despite actually providing sizeof(Elf64_Shdr) per entry.

We therefore cannot distinguish an older libelf which provides real 32bit section headers from a vulnerable version of libelf claiming 32bit section headers but actually providing 64bit headers.
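The two checks described above, as an added C illustration that is not part of the XTF test or of libelf: it builds a header block laid out as the text describes and counts unwritten padding bytes in the Elf header slot (the easy check) and in the Section header slots (only meaningful when the 64bit stride is known). The struct layout, the function names and the 0xA5 stale-stack fill are assumptions.

```c
#include <elf.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout assumed from the description above (not libelf's own source): an
 * Elf header union then three Section header unions, packed. For a 32bit
 * guest only the Elf32_* member of each slot is written; the rest is padding. */
struct bsd_symtab_hdr {
    union { Elf32_Ehdr e32; Elf64_Ehdr e64; } ehdr;
    union { Elf32_Shdr s32; Elf64_Shdr s64; } shdr[3];
} __attribute__((packed));
/* Count non-zero bytes in [start, start+len) of the raw header block. */
static size_t count_nonzero(const struct bsd_symtab_hdr *h, size_t start, size_t len)
{
    const uint8_t *p = (const uint8_t *)h + start;
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (p[i] != 0);
    return n;
}
/* Easy check: the 12 bytes after Elf32_Ehdr are never written for a 32bit guest. */
size_t ehdr_padding_leaked(const struct bsd_symtab_hdr *h)
{
    return count_nonzero(h, sizeof(Elf32_Ehdr), sizeof(Elf64_Ehdr) - sizeof(Elf32_Ehdr));
}
/* Hard check: only meaningful when the stride really is sizeof(Elf64_Shdr). A
 * libelf emitting genuine 32bit headers packs them contiguously, so these bytes
 * then hold real data, and e_shentsize reads sizeof(Elf32_Shdr) either way. */
size_t shdr_padding_leaked(const struct bsd_symtab_hdr *h)
{
    size_t leaked = 0, base = offsetof(struct bsd_symtab_hdr, shdr);
    for (size_t i = 0; i < 3; i++)
        leaked += count_nonzero(h, base + i * sizeof(Elf64_Shdr) + sizeof(Elf32_Shdr),
                                sizeof(Elf64_Shdr) - sizeof(Elf32_Shdr));
    return leaked;
}
/* Constructed sample: stale-stack stand-in (0xA5) everywhere, then only the
 * 32bit fields zeroed and filled, the way the buggy libelf would leave it. */
void build_sample(struct bsd_symtab_hdr *h, int stale_stack)
{
    memset(h, stale_stack ? 0xA5 : 0, sizeof(*h));
    memset(h, 0, sizeof(Elf32_Ehdr));
    for (size_t i = 0; i < 3; i++)
        memset((uint8_t *)h + offsetof(struct bsd_symtab_hdr, shdr) + i * sizeof(Elf64_Shdr), 0, sizeof(Elf32_Shdr));
    memcpy(h->ehdr.e32.e_ident, ELFMAG, SELFMAG);
    h->ehdr.e32.e_shentsize = sizeof(Elf32_Shdr);   /* claims 32bit entries */
    h->ehdr.e32.e_shnum = 3;
}

size_t sample_ehdr_leak(int s) { struct bsd_symtab_hdr h; build_sample(&h, s); return ehdr_padding_leaked(&h); }
size_t sample_shdr_leak(int s) { struct bsd_symtab_hdr h; build_sample(&h, s); return shdr_padding_leaked(&h); }
```

With stale bytes present the sample reports 12 leaked bytes in the Elf header slot and 24 per Section header slot (72 in total); a fully zeroed block reports none.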

See also
tests/xsa-194/main.c