Skip to content
Browse files

core: elf_load_body(): use MUL_OVERFLOW() to get size of section headers

At the end of elf_load_body(), section headers are copied in a system heap
memory block, associated to state->shdr. As the computed size is the
result of an uncontrolled multiplication (ehdr.e_shnum * ehdr.e_shentsize),
it could have overflowed and result in allocating a small memory block.

Use an overflow checking macro to prevent this case.

Signed-off-by: Jerome Forissier <>
Reported-by: Bastien Simondi <> [1.7]
Reviewed-by: Jens Wiklander <>
Reviewed-by: Joakim Bech <>
  • Loading branch information...
jforissier committed Jan 31, 2019
1 parent bcc81cf commit 5787ecdf758d9edbfb5fb93c49c808f7a51a214b
Showing with 5 additions and 2 deletions.
  1. +5 −2 core/arch/arm/kernel/elf_load.c
@@ -585,8 +585,11 @@ TEE_Result elf_load_body(struct elf_load_state *state, vaddr_t vabase)
if (ehdr.e_shoff) {
/* We have section headers */
res = alloc_and_copy_to(&p, state, ehdr.e_shoff,
ehdr.e_shnum * ehdr.e_shentsize);
size_t sz = 0;

if (MUL_OVERFLOW(ehdr.e_shnum, ehdr.e_shentsize, &sz))
res = alloc_and_copy_to(&p, state, ehdr.e_shoff, sz);
if (res != TEE_SUCCESS)
return res;
state->shdr = p;

0 comments on commit 5787ecd

Please sign in to comment.
You can’t perform that action at this time.