From: Tobias Stoeckmann <tobias@stoeckmann.org>
To: linux-modules@vger.kernel.org
Subject: [PATCH] libkmod: properly validate file size
Date: Tue, 10 Feb 2015 19:46:40 +0100 [thread overview]
Message-ID: <20150210184640.GA25175@localhost> (raw)
Hi,
in function kmod_elf_new, the file size has to be properly validated against
section offset. Currently, the file size is considered valid based on
ELF header size + section header size * section count. That is not sufficient.
In fact, ELF specifies a section header offset, which doesn't have to be the
size of the ELF header. The supplied test cases even cover this.
The correct test is: section offset + section header size * section count
This patch also verifies that this value won't overflow. I don't know a way
to crash a tool due to this bug, because later on the offset check would
prevent out-of-bounds access. An overflow would just mean to access a wrong
part in elf->memory. Yet it's a validation error.
Please note: The file size does not have to be validated against the size
of the ELF header again, elf_identify did this already.
Tobias
---
libkmod/libkmod-elf.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/libkmod/libkmod-elf.c b/libkmod/libkmod-elf.c
index 4af829e..2f50ad2 100644
--- a/libkmod/libkmod-elf.c
+++ b/libkmod/libkmod-elf.c
@@ -272,7 +272,8 @@ static const char *elf_get_strings_section(const struct kmod_elf *elf, uint64_t
struct kmod_elf *kmod_elf_new(const void *memory, off_t size)
{
struct kmod_elf *elf;
- size_t hdr_size, shdr_size, min_size;
+ uint64_t min_size;
+ size_t shdrs_size, shdr_size;
int class;
assert_cc(sizeof(uint16_t) == sizeof(Elf32_Half));
@@ -308,12 +309,10 @@ struct kmod_elf *kmod_elf_new(const void *memory, off_t size)
if (elf->class & KMOD_ELF_32) {
const Elf32_Ehdr *hdr _unused_ = elf_get_mem(elf, 0);
LOAD_HEADER;
- hdr_size = sizeof(Elf32_Ehdr);
shdr_size = sizeof(Elf32_Shdr);
} else {
const Elf64_Ehdr *hdr _unused_ = elf_get_mem(elf, 0);
LOAD_HEADER;
- hdr_size = sizeof(Elf64_Ehdr);
shdr_size = sizeof(Elf64_Shdr);
}
#undef LOAD_HEADER
@@ -330,8 +329,9 @@ struct kmod_elf *kmod_elf_new(const void *memory, off_t size)
elf->header.section.entry_size, shdr_size);
goto invalid;
}
- min_size = hdr_size + shdr_size * elf->header.section.count;
- if (min_size >= elf->size) {
+ shdrs_size = shdr_size * elf->header.section.count;
+ if (addu64_overflow(shdrs_size, elf->header.section.offset, &min_size)
+ || min_size > elf->size) {
ELFDBG(elf, "file is too short to hold sections\n");
goto invalid;
}
--
2.3.0
next reply other threads:[~2015-02-10 18:46 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-10 18:46 Tobias Stoeckmann [this message]
2015-02-13 3:23 ` [PATCH] libkmod: properly validate file size Lucas De Marchi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150210184640.GA25175@localhost \
--to=tobias@stoeckmann.org \
--cc=linux-modules@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).