core: elf_load_body(): use MUL_OVERFLOW() to get size of section headers

At the end of elf_load_body(), section headers are copied in a system heap memory block, associated to state->shdr. As the computed size is the result of an uncontrolled multiplication (ehdr.e_shnum * ehdr.e_shentsize), it could have overflowed and result in allocating a small memory block. Use an overflow checking macro to prevent this case. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reported-by: Bastien Simondi <bsimondi@netflix.com> [1.7] Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
OP-TEE · Feb 25, 2019 · 5787ecd · 5787ecd
1 parent bcc81cf
commit 5787ecd
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/core/arch/arm/kernel/elf_load.c b/core/arch/arm/kernel/elf_load.c
@@ -585,8 +585,11 @@ TEE_Result elf_load_body(struct elf_load_state *state, vaddr_t vabase)
 	 */
 	if (ehdr.e_shoff) {
 		/* We have section headers */
-		res = alloc_and_copy_to(&p, state, ehdr.e_shoff,
+		size_t sz = 0;
-					ehdr.e_shnum * ehdr.e_shentsize);
+
+		if (MUL_OVERFLOW(ehdr.e_shnum, ehdr.e_shentsize, &sz))
+			return TEE_ERROR_OUT_OF_MEMORY;
+		res = alloc_and_copy_to(&p, state, ehdr.e_shoff, sz);
 		if (res != TEE_SUCCESS)
 			return res;
 		state->shdr = p;