From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 20 Oct 2024 14:32:17 +0000 (+0200)
Subject: libkmod: Prevent OOB with huge amount of symbols
X-Git-Tag: v34~185
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=33e3d24cdb270cdfab71e9bd1c856e6430b3c11e;p=thirdparty%2Fkmod.git

libkmod: Prevent OOB with huge amount of symbols

On 32 bit systems it's possible to overflow the final calculation of
required memory for symbols retrieved from __ksymtab_strings.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Link: https://github.com/kmod-project/kmod/pull/198
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
---

diff --git a/libkmod/libkmod-elf.c b/libkmod/libkmod-elf.c
index a54c56a4..07c8ca8e 100644
--- a/libkmod/libkmod-elf.c
+++ b/libkmod/libkmod-elf.c
@@ -651,6 +651,7 @@ static int kmod_elf_get_symbols_symtab(const struct kmod_elf *elf,
 	char *itr;
 	struct kmod_modversion *a;
 	int count, err;
+	size_t vec_size, tmp_size, total_size;
 
 	*array = NULL;
 
@@ -681,7 +682,14 @@ static int kmod_elf_get_symbols_symtab(const struct kmod_elf *elf,
 	if (strings[i - 1] != '\0')
 		count++;
 
-	*array = a = malloc(size + 1 + sizeof(struct kmod_modversion) * count);
+	/* sizeof(struct kmod_modversion) * count + size + 1 */
+	if (umulsz_overflow(sizeof(struct kmod_modversion), count, &vec_size) ||
+	    uaddsz_overflow(size, vec_size, &tmp_size) ||
+	    uaddsz_overflow(1, tmp_size, &total_size)) {
+		return -ENOMEM;
+	}
+
+	*array = a = malloc(total_size);
 	if (*array == NULL)
 		return -errno;