From a31b8ecd5d81fe4de0cc4d887abce1fdcc05f6c2 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Mon, 23 Sep 2024 21:22:00 +0200
Subject: [PATCH] libkmod: Avoid OOB with huge ELF files

On 32 bit systems it is possible to trigger an out of boundary write with excessively huge ELF files. The calculation of required memory for char pointer vector and strings might overflow, leading to an allocation which is too small. Subsequent memcpy leads to an out of boundary write.

Signed-off-by: Tobias Stoeckmann
Reviewed-by: Emil Velikov
Link: https://github.com/kmod-project/kmod/pull/149
Signed-off-by: Lucas De Marchi
---
 libkmod/libkmod-elf.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/libkmod/libkmod-elf.c b/libkmod/libkmod-elf.c
index 9f68eadc..bea83eca 100644
--- a/libkmod/libkmod-elf.c
+++ b/libkmod/libkmod-elf.c
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -428,6 +429,7 @@ int kmod_elf_get_section(const struct kmod_elf *elf, const char *section,
 int kmod_elf_get_strings(const struct kmod_elf *elf, const char *section, char ***array)
 {
 	size_t i, j, count;
+	size_t vecsz;
 	uint64_t size;
 	const void *buf;
 	const char *strings;
@@ -468,7 +470,13 @@ int kmod_elf_get_strings(const struct kmod_elf *elf, const char *section, char *
 	if (strings[i - 1] != '\0')
 		count++;
-	*array = a = malloc(size + 1 + sizeof(char *) * (count + 1));
+	/* make sure that vector and strings fit into memory constraints */
+	vecsz = sizeof(char *) * (count + 1);
+	if (SIZE_MAX / sizeof(char *) - 1 < count || SIZE_MAX - size <= vecsz) {
+		return -ENOMEM;
+	}
+
+	*array = a = malloc(vecsz + size + 1);
 	if (*array == NULL)
 		return -errno;
-- 
2.47.3
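Review bot: In the third hunk, `vecsz = sizeof(char *) * (count + 1);` is evaluated before the guard on the following line checks whether `count + 1` pointers fit in `size_t`, so for an overflowing `count` the product wraps first and only the `||` short-circuit on the `count` test keeps the wrapped `vecsz` from being consulted; that is defined unsigned arithmetic, but the reader has to prove the ordering is harmless. Reordering removes the reasoning: `if (SIZE_MAX / sizeof(char *) - 1 < count) return -ENOMEM;` then `vecsz = sizeof(char *) * (count + 1);` then `if (SIZE_MAX - size <= vecsz) return -ENOMEM;`. The second guard subtracts the `uint64_t` `size` from `SIZE_MAX`, which on a 32-bit build is done in 64 bits, so it only bounds `vecsz + size + 1` if `size` is already known not to exceed `SIZE_MAX`; presumably the section lookup earlier in `kmod_elf_get_strings` (outside this hunk, as is the rest of the function) guarantees that, and a comment stating that precondition next to the guard would make the dependency explicit. The added comment could also name what is guarded, e.g. `/* reject counts/sizes whose pointer vector plus string copy would overflow size_t and undersize the malloc below */`.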