Commit ef26a5a6eadb7cd0637e1e9e246cd42505b8ec8c
Committed by Rusty Russell
1 parent 3c7ec94d2c
Guard check in module loader against integer overflow
The check:

    if (len < hdr->e_shoff + hdr->e_shnum * sizeof(Elf_Shdr))

may not work if there's an overflow in the right-hand side of the condition.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Showing 1 changed file with 2 additions and 1 deletions
kernel/module.c
... | ... | @@ -2429,7 +2429,8 @@ |
2429 | 2429 | goto free_hdr; |
2430 | 2430 | } |
2431 | 2431 | |
2432 | - if (len < hdr->e_shoff + hdr->e_shnum * sizeof(Elf_Shdr)) { | |
2432 | + if (hdr->e_shoff >= len || | |
2433 | + hdr->e_shnum * sizeof(Elf_Shdr) > len - hdr->e_shoff) { | |
2433 | 2434 | err = -ENOEXEC; |
2434 | 2435 | goto free_hdr; |
2435 | 2436 | } |
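Review bot: the multiplication hdr->e_shnum * sizeof(Elf_Shdr) on the second line of the new condition is still unguarded, so the check is overflow-safe only if that product cannot wrap in the type it is computed in, and the operand types are not visible in this hunk. Writing the test as hdr->e_shnum > (len - hdr->e_shoff) / sizeof(Elf_Shdr) would remove that dependency. Separately, the subtraction len - hdr->e_shoff is only safe because hdr->e_shoff >= len is tested first and short-circuits; a one-line comment stating that the order of the two operands matters would keep a later cleanup from reordering them or folding the condition back into the additive form that this change replaces.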