From: Andrii Nakryiko
To: bpf@vger.kernel.org
Cc: linux-mm@kvack.org, akpm@linux-foundation.org, adobriyan@gmail.com, shakeel.butt@linux.dev, hannes@cmpxchg.org, ak@linux.intel.com, osandov@osandov.com, song@kernel.org, jannh@google.com, linux-fsdevel@vger.kernel.org, willy@infradead.org, Andrii Nakryiko
Subject: [PATCH v6 bpf-next 03/10] lib/buildid: take into account e_phoff when fetching program headers
Date: Wed, 14 Aug 2024 11:54:10 -0700
Message-ID: <20240814185417.1171430-4-andrii@kernel.org>
In-Reply-To: <20240814185417.1171430-1-andrii@kernel.org>
References: <20240814185417.1171430-1-andrii@kernel.org>

The current code's assumption is that program (segment) headers follow
the ELF header immediately. This is a common case, but it is not
guaranteed. So take into account the e_phoff field of the ELF header
when accessing program headers.

Reported-by: Alexey Dobriyan
Signed-off-by: Andrii Nakryiko
---
 lib/buildid.c | 35 ++++++++++++++++------------------
 1 file changed, 16 insertions(+), 19 deletions(-)

diff --git a/lib/buildid.c b/lib/buildid.c
index bfe00b66b1e8..7fb08a1d98bd 100644
--- a/lib/buildid.c
+++ b/lib/buildid.c
@@ -213,28 +213,26 @@ static int get_build_id_32(struct freader *r, unsigned char *build_id, __u32 *si { const Elf32_Ehdr *ehdr; const Elf32_Phdr *phdr; - __u32 phnum, i; + __u32 phnum, phoff, i; ehdr = freader_fetch(r, 0, sizeof(Elf32_Ehdr)); if (!ehdr) return r->err; - /* - * FIXME - * Neither ELF spec nor ELF loader require that program headers - * start immediately after ELF header. - */ - if (ehdr->e_phoff != sizeof(Elf32_Ehdr)) - return -EINVAL; - /* subsequent freader_fetch() calls invalidate pointers, so remember locally */ phnum = READ_ONCE(ehdr->e_phnum); + phoff = READ_ONCE(ehdr->e_phoff); + /* only supports phdr that fits in one page */ if (phnum > (PAGE_SIZE - sizeof(Elf32_Ehdr)) / sizeof(Elf32_Phdr)) return -EINVAL; + /* check that phoff is not large enough to cause an overflow */ + if (phoff + phnum * sizeof(Elf32_Phdr) < phoff) + return -EINVAL; + for (i = 0; i < phnum; ++i) { - phdr = freader_fetch(r, i * sizeof(Elf32_Phdr), sizeof(Elf32_Phdr)); + phdr = freader_fetch(r, phoff + i * sizeof(Elf32_Phdr), sizeof(Elf32_Phdr)); if (!phdr) return r->err; 
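Review bot: the new guard in get_build_id_32(), `if (phoff + phnum * sizeof(Elf32_Phdr) < phoff)`, is evaluated in size_t because sizeof() promotes the whole expression, so with a __u32 phoff and phnum already capped to (PAGE_SIZE - sizeof(Elf32_Ehdr)) / sizeof(Elf32_Phdr) the sum cannot wrap on a 64-bit kernel and the test can only ever fire on 32-bit builds; it is harmless, but the comment "check that phoff is not large enough to cause an overflow" promises more than it delivers there, and check_add_overflow() from linux/overflow.h (or a comparison of the computed end offset against the file size) would state the intent explicitly instead of leaning on the promotion rules. Related: the cap `if (phnum > (PAGE_SIZE - sizeof(Elf32_Ehdr)) / sizeof(Elf32_Phdr))` and its comment "only supports phdr that fits in one page" were derived from the table starting right after the ELF header, which this hunk deliberately stops assuming; the expression still bounds the loop, but PAGE_SIZE - sizeof(Elf32_Ehdr) no longer describes anything about where the table lives, so the comment should call it a sanity limit on the table size rather than a page-fit guarantee.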
@@ -252,27 +250,26 @@ static int get_build_id_64(struct freader *r, unsigned char *build_id, __u32 *si const Elf64_Ehdr *ehdr; const Elf64_Phdr *phdr; __u32 phnum, i; + __u64 phoff; ehdr = freader_fetch(r, 0, sizeof(Elf64_Ehdr)); if (!ehdr) return r->err; - /* - * FIXME - * Neither ELF spec nor ELF loader require that program headers - * start immediately after ELF header. - */ - if (ehdr->e_phoff != sizeof(Elf64_Ehdr)) - return -EINVAL; - /* subsequent freader_fetch() calls invalidate pointers, so remember locally */ phnum = READ_ONCE(ehdr->e_phnum); + phoff = READ_ONCE(ehdr->e_phoff); + /* only supports phdr that fits in one page */ if (phnum > (PAGE_SIZE - sizeof(Elf64_Ehdr)) / sizeof(Elf64_Phdr)) return -EINVAL; + /* check that phoff is not large enough to cause an overflow */ + if (phoff + phnum * sizeof(Elf64_Phdr) < phoff) + return -EINVAL; + for (i = 0; i < phnum; ++i) { - phdr = freader_fetch(r, i * sizeof(Elf64_Phdr), sizeof(Elf64_Phdr)); + phdr = freader_fetch(r, phoff + i * sizeof(Elf64_Phdr), sizeof(Elf64_Phdr)); if (!phdr) return r->err; -- 2.43.5
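Review bot: in get_build_id_64() the check `if (phoff + phnum * sizeof(Elf64_Phdr) < phoff)` does catch u64 wraparound of the addition, but its correctness silently depends on phnum having been capped a few lines earlier so that the multiplication itself cannot overflow; check_add_overflow() from linux/overflow.h (with the product computed into a __u64 first) makes that dependency visible and survives a future change to the cap. The comment "only supports phdr that fits in one page" is stale here for the same reason as in the 32-bit variant: once e_phoff is honoured the table can start anywhere in the file, so (PAGE_SIZE - sizeof(Elf64_Ehdr)) / sizeof(Elf64_Phdr) is an arbitrary upper bound on phnum and should be documented as such, and the bounds safety of each `freader_fetch(r, phoff + i * sizeof(Elf64_Phdr), sizeof(Elf64_Phdr))` call now rests entirely on freader_fetch() rejecting offsets past the end of the file, which is worth a sentence in the commit message.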