git: b5149b265346 - main - linker: Handle a truncated hints file properly
Date: Wed, 23 Oct 2024 22:13:20 UTC
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=b5149b265346c55994c7ebaab2a6a6fd1bd6fe5e
commit b5149b265346c55994c7ebaab2a6a6fd1bd6fe5e
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-10-23 16:54:56 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-10-23 22:12:45 +0000
linker: Handle a truncated hints file properly
If vattr.va_size is 0, we will end up accessing invalid memory. This is
mostly harmless (because malloc(0) still allocates some memory), but it
triggers a KASAN report.
PR: 282268
Reviewed by: christos, imp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D47240
---
sys/kern/kern_linker.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/sys/kern/kern_linker.c b/sys/kern/kern_linker.c
index 3f34bb12aeaa..f388ac8a583a 100644
--- a/sys/kern/kern_linker.c
+++ b/sys/kern/kern_linker.c
@@ -2030,6 +2030,10 @@ linker_hints_lookup(const char *path, int pathlen, const char *modname,
printf("linker.hints file too large %ld\n", (long)vattr.va_size);
goto bad;
}
+ if (vattr.va_size < sizeof(ival)) {
+ printf("linker.hints file truncated\n");
+ goto bad;
+ }
hints = malloc(vattr.va_size, M_TEMP, M_WAITOK);
error = vn_rdwr(UIO_READ, nd.ni_vp, (caddr_t)hints, vattr.va_size, 0,
UIO_SYSSPACE, IO_NODELOCKED, cred, NOCRED, &reclen, td);
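Review bot: The new lower bound at `if (vattr.va_size < sizeof(ival))` only guarantees that the buffer holds one leading ival-sized field, so a file of exactly sizeof(ival) bytes still passes and reaches malloc() and vn_rdwr(). Any access to hints beyond that first field depends on bounds checks that are not part of this hunk. A short comment stating what the leading field is and why sizeof(ival) is the minimum would make that dependency explicit. The vn_rdwr() call also returns a residual count through &reclen; if a short read is possible, the tail of hints stays uninitialized, so it is worth confirming that the code after this hunk checks reclen before parsing. Minor: the "too large" message two lines above prints the size via `(long)vattr.va_size`, while the new "linker.hints file truncated" message does not; printing the observed size here as well would make reports easier to triage.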