From cb8607b89ffbba905eac3af595d1db974d2ffc5d Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Thu, 10 Jul 2025 18:07:07 +0100 Subject: [PATCH] linux-user/gen-vdso: Don't read off the end of buf[] In gen-vdso we load in a file and assume it's a valid ELF file. In particular we assume it's big enough to be able to read the ELF information in e_ident in the ELF header. Add a check that the total file length is at least big enough for all the e_ident bytes, which is good enough for the code in gen-vdso.c. This will catch the most obvious possible bad input file (truncated) and allow us to run the sanity checks like "not actually an ELF file" without potentially crashing. The code in elf32_process() and elf64_process() still makes assumptions about the file being well-formed, but this is OK because we only run it on the vdso binaries that we create ourselves in the build process by running the compiler. Signed-off-by: Peter Maydell Reviewed-by: Richard Henderson Signed-off-by: Richard Henderson Message-ID: <20250710170707.1299926-3-peter.maydell@linaro.org> --- linux-user/gen-vdso.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/linux-user/gen-vdso.c b/linux-user/gen-vdso.c index 1c406d1b10..aeaa927db8 100644 --- a/linux-user/gen-vdso.c +++ b/linux-user/gen-vdso.c @@ -124,6 +124,11 @@ int main(int argc, char **argv) goto perror_inf; } + if (total_len < EI_NIDENT) { + fprintf(stderr, "%s: file too small (truncated?)\n", inf_name); + return EXIT_FAILURE; + } + buf = malloc(total_len); if (buf == NULL) { goto perror_inf; -- 2.47.2