libkmod: Avoid OOB with huge ELF files

On 32 bit systems it is possible to trigger an out of boundary write
with excessively huge ELF files.

The calculation of required memory for char pointer vector and strings
might overflow, leading to an allocation which is too small. Subsequent
memcpy leads to an out of boundary write.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Link: https://github.com/kmod-project/kmod/pull/149
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>

diff --git a/libkmod/libkmod-elf.c b/libkmod/libkmod-elf.c
index 9f68eadc36fe1cd479aae22643ca5e131a46711c..bea83eca51facc9dad971e49d67434000371497b 100644 (file)
--- a/libkmod/libkmod-elf.c
+++ b/libkmod/libkmod-elf.c
@@ -6,6 +6,7 @@
 #include <assert.h>
 #include <elf.h>
 #include <errno.h>
+#include <limits.h>
 #include <stdlib.h>
 #include <string.h>
 
@@ -428,6 +429,7 @@ int kmod_elf_get_section(const struct kmod_elf *elf, const char *section,
 int kmod_elf_get_strings(const struct kmod_elf *elf, const char *section, char ***array)
 {
        size_t i, j, count;
+       size_t vecsz;
        uint64_t size;
        const void *buf;
        const char *strings;
@@ -468,7 +470,13 @@ int kmod_elf_get_strings(const struct kmod_elf *elf, const char *section, char *
        if (strings[i - 1] != '\0')
                count++;
 
-       *array = a = malloc(size + 1 + sizeof(char *) * (count + 1));
+       /* make sure that vector and strings fit into memory constraints */
+       vecsz = sizeof(char *) * (count + 1);
+       if (SIZE_MAX / sizeof(char *) - 1 < count || SIZE_MAX - size <= vecsz) {
+               return -ENOMEM;
+       }
+
+       *array = a = malloc(vecsz + size + 1);
        if (*array == NULL)
                return -errno;