libkmod: Prevent OOB with huge amount of symbols

On 32 bit systems it's possible to overflow the final calculation of
required memory for symbols retrieved from __ksymtab_strings.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Link: https://github.com/kmod-project/kmod/pull/198
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>

diff --git a/libkmod/libkmod-elf.c b/libkmod/libkmod-elf.c
index a54c56a45561d2e558d74c54bf705ed5a9ae7212..07c8ca8e73df84eb980ce850f80cbda6ae89d262 100644 (file)
--- a/libkmod/libkmod-elf.c
+++ b/libkmod/libkmod-elf.c
@@ -651,6 +651,7 @@ static int kmod_elf_get_symbols_symtab(const struct kmod_elf *elf,
        char *itr;
        struct kmod_modversion *a;
        int count, err;
+       size_t vec_size, tmp_size, total_size;
 
        *array = NULL;
 
@@ -681,7 +682,14 @@ static int kmod_elf_get_symbols_symtab(const struct kmod_elf *elf,
        if (strings[i - 1] != '\0')
                count++;
 
-       *array = a = malloc(size + 1 + sizeof(struct kmod_modversion) * count);
+       /* sizeof(struct kmod_modversion) * count + size + 1 */
+       if (umulsz_overflow(sizeof(struct kmod_modversion), count, &vec_size) ||
+           uaddsz_overflow(size, vec_size, &tmp_size) ||
+           uaddsz_overflow(1, tmp_size, &total_size)) {
+               return -ENOMEM;
+       }
+
+       *array = a = malloc(total_size);
        if (*array == NULL)
                return -errno;