git: f1b1fa3505e6 - stable/13 - imgact_elf: avoid mapsz overflow

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Konstantin Belousov <kib_at_FreeBSD.org>
Date: Sun, 19 Dec 2021 02:44:32 UTC

The branch stable/13 has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=f1b1fa3505e666134c66588659ba63601615e947

commit f1b1fa3505e666134c66588659ba63601615e947
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2021-12-08 09:33:19 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2021-12-19 02:42:51 +0000

    imgact_elf: avoid mapsz overflow
    
    (cherry picked from commit bf839416381cb9f63a8a82ea6e897a22830a8009)
---
 sys/kern/imgact_elf.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
index 17c0752c35fa..0f42017cb7ef 100644
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@@ -1162,6 +1162,11 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp)
 			}
 			if (phdr[i].p_align > maxalign)
 				maxalign = phdr[i].p_align;
+			if (mapsz + phdr[i].p_memsz < mapsz) {
+				uprintf("Mapsize overflow\n");
+				error = ENOEXEC;
+				goto ret;
+			}
 			mapsz += phdr[i].p_memsz;
 			n++;
 
@@ -1290,6 +1295,11 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp)
 	imgp->proc->p_sysent = sv;
 
 	maxv = vm_map_max(map) - lim_max(td, RLIMIT_STACK);
+	if (mapsz >= maxv - vm_map_min(map)) {
+		uprintf("Excessive mapping size\n");
+		error = ENOEXEC;
+	}
+
 	if (error == 0 && et_dyn_addr == ET_DYN_ADDR_RAND) {
 		KASSERT((map->flags & MAP_ASLR) != 0,
 		    ("ET_DYN_ADDR_RAND but !MAP_ASLR"));