git.ipfire.org Git - thirdparty/kmod.git/commit

author	Tobias Stoeckmann <tobias@stoeckmann.org>
	Mon, 9 Feb 2015 22:22:51 +0000 (23:22 +0100)
committer	Lucas De Marchi <lucas.demarchi@intel.com>
	Tue, 10 Feb 2015 11:34:44 +0000 (09:34 -0200)
commit	67466f266d4209744a2f6f3e8e92672110be1df3
tree	6dfd8ed0ca1d1006fa19a1347c768eb4d3615acb	tree \| snapshot
parent	eeb627004b6ee3610913f98ef143e84eb0546360	commit \| diff

Prevent offset + size overflow.

it is possible to overflow uint64_t by summing variables offset and
size up in elf_get_section_info. Thee values are extracted from module
file and are possibly maliciously tampered with.

If offset is in valid range and size very large, the result will
overflow and the size check passes. Later on, this will most likely
lead to a segmentation fault due to accessing uninitialized memory.

Attached please find a proof of concept module, which will trigger
a segmentation fault on modinfo. Tested on amd64:

tobias:~$ modinfo poc.ko
filename: /home/tobias/poc.ko
Segmentation fault

There are more errors of this type in the ELF handling code that will be
fixed in other patches.