From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Mon, 23 Sep 2024 19:22:00 +0000 (+0200)
Subject: libkmod: Avoid OOB with huge ELF files
X-Git-Tag: v34~289
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a31b8ecd5d81fe4de0cc4d887abce1fdcc05f6c2;p=thirdparty%2Fkmod.git

libkmod: Avoid OOB with huge ELF files

On 32 bit systems it is possible to trigger an out of boundary write
with excessively huge ELF files.

The calculation of required memory for char pointer vector and strings
might overflow, leading to an allocation which is too small. Subsequent
memcpy leads to an out of boundary write.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Link: https://github.com/kmod-project/kmod/pull/149
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
---

diff --git a/libkmod/libkmod-elf.c b/libkmod/libkmod-elf.c
index 9f68eadc..bea83eca 100644
--- a/libkmod/libkmod-elf.c
+++ b/libkmod/libkmod-elf.c
@@ -6,6 +6,7 @@
 #include <assert.h>
 #include <elf.h>
 #include <errno.h>
+#include <limits.h>
 #include <stdlib.h>
 #include <string.h>
 
@@ -428,6 +429,7 @@ int kmod_elf_get_section(const struct kmod_elf *elf, const char *section,
 int kmod_elf_get_strings(const struct kmod_elf *elf, const char *section, char ***array)
 {
 	size_t i, j, count;
+	size_t vecsz;
 	uint64_t size;
 	const void *buf;
 	const char *strings;
@@ -468,7 +470,13 @@ int kmod_elf_get_strings(const struct kmod_elf *elf, const char *section, char *
 	if (strings[i - 1] != '\0')
 		count++;
 
-	*array = a = malloc(size + 1 + sizeof(char *) * (count + 1));
+	/* make sure that vector and strings fit into memory constraints */
+	vecsz = sizeof(char *) * (count + 1);
+	if (SIZE_MAX / sizeof(char *) - 1 < count || SIZE_MAX - size <= vecsz) {
+		return -ENOMEM;
+	}
+
+	*array = a = malloc(vecsz + size + 1);
 	if (*array == NULL)
 		return -errno;