Permalink
Browse files

Guard check in module loader against integer overflow

The check:

	if (len < hdr->e_shoff + hdr->e_shnum * sizeof(Elf_Shdr))

may not work if there's an overflow in the right-hand side of the condition.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
  • Loading branch information...
1 parent 3c7ec94 commit ef26a5a6eadb7cd0637e1e9e246cd42505b8ec8c David Howells committed with rustyrussell May 22, 2012
Showing with 2 additions and 1 deletion.
  1. +2 −1 kernel/module.c
View
3 kernel/module.c
@@ -2429,7 +2429,8 @@ static int copy_and_check(struct load_info *info,
goto free_hdr;
}
- if (len < hdr->e_shoff + hdr->e_shnum * sizeof(Elf_Shdr)) {
+ if (hdr->e_shoff >= len ||
+ hdr->e_shnum * sizeof(Elf_Shdr) > len - hdr->e_shoff) {
err = -ENOEXEC;
goto free_hdr;
}

0 comments on commit ef26a5a

Please sign in to comment.