From: Daniel Dickman
Subject: Re: [patch] fix verification of null bytes in elf notes
To: Lennart Jablonka
Cc: tech@openbsd.org
Date: Tue, 7 Apr 2026 08:35:29 -0400

I think this is correct, but while looking at this function, is the desc
padding check working as intended? Is that a second bug or do I need
more coffee?

> On Apr 6, 2026, at 6:40 PM, Lennart Jablonka wrote:
>
> elf_os_pt_note_name verifies that padding bytes that can occur in
> ELF notes are null bytes as they ought to. Except it doesn't,
> because the continue applies to the inner loop.
>
> Index: exec_elf.c
> ===================================================================
> RCS file: /cvs/src/sys/kern/exec_elf.c,v
> diff -u -p -r1.195 exec_elf.c
> --- exec_elf.c	9 Feb 2026 21:58:27 -0000	1.195
> +++ exec_elf.c	6 Apr 2026 19:58:16 -0000
> @@ -1042,15 +1042,17 @@ elf_os_pt_note_name(Elf_Note *np, int *t
>  		/* verify name padding (after the NUL) is NUL */
>  		for (j = namlen + 1; j < elfround(np->namesz); j++)
>  			if (((char *)(np + 1))[j] != '\0')
> -				continue;
> +				goto cont;
>  		/* verify desc padding is NUL */
>  		for (j = np->descsz; j < elfround(np->descsz); j++)
>  			if (((char *)(np + 1))[j] != '\0')
> -				continue;
> +				goto cont;
>  		if (strcmp((char *)(np + 1), elf_note_names[i].name) == 0) {
>  			*typep = np->type;
>  			return elf_note_names[i].id;
>  		}
> +	cont:
> +		;
>  	}
>  	return (0);
>  }
>
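Review bot: the desc padding loop in this hunk, `for (j = np->descsz; j < elfround(np->descsz); j++)`, indexes `((char *)(np + 1))[j]` from the same base as the name loop, but the name loop already establishes that the first `elfround(np->namesz)` bytes after the header are the padded name, so the desc and its padding begin at `(char *)(np + 1) + elfround(np->namesz)`; as written, `j` in `[descsz, elfround(descsz))` examines bytes inside the name region rather than the desc padding, which is the question Daniel raises above. Suggest indexing relative to the desc start, e.g. `((char *)(np + 1))[elfround(np->namesz) + j] != '\0'`, so the check and the comment "verify desc padding is NUL" agree. On style, the `cont:` label followed by a bare `;` works but is unusual in this file; a `bad` flag set in the inner loops with a single `if (bad) continue;` before the strcmp would give the same outer-loop `continue` semantics the original author intended without a label and an empty statement.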