git: bf839416381c - main - imgact_elf: avoid mapsz overflow

From: Konstantin Belousov <kib_at_FreeBSD.org>
Date: Sun, 12 Dec 2021 14:30:37 UTC
The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=bf839416381cb9f63a8a82ea6e897a22830a8009

commit bf839416381cb9f63a8a82ea6e897a22830a8009
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2021-12-08 09:33:19 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2021-12-12 14:28:39 +0000

    imgact_elf: avoid mapsz overflow
    
    Reported and tested by: pho
    Reviewed by:    markj
    Sponsored by:   The FreeBSD Foundation
    MFC after:      1 week
    Differential revision:  https://reviews.freebsd.org/D33359
---
 sys/kern/imgact_elf.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
index d4c5a6341ee6..b926bc926611 100644
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@@ -1182,6 +1182,11 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp)
 			}
 			if (phdr[i].p_align > maxalign)
 				maxalign = phdr[i].p_align;
+			if (mapsz + phdr[i].p_memsz < mapsz) {
+				uprintf("Mapsize overflow\n");
+				error = ENOEXEC;
+				goto ret;
+			}
 			mapsz += phdr[i].p_memsz;
 			n++;
 
@@ -1311,6 +1316,11 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp)
 	imgp->proc->p_elf_brandinfo = brand_info;
 
 	maxv = vm_map_max(map) - lim_max(td, RLIMIT_STACK);
+	if (mapsz >= maxv - vm_map_min(map)) {
+		uprintf("Excessive mapping size\n");
+		error = ENOEXEC;
+	}
+
 	if (error == 0 && et_dyn_addr == ET_DYN_ADDR_RAND) {
 		KASSERT((map->flags & MAP_ASLR) != 0,
 		    ("ET_DYN_ADDR_RAND but !MAP_ASLR"));
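Review bot: `maxv - vm_map_min(map)` in the added check underflows if `maxv` has already been pushed below the map minimum by the `lim_max(td, RLIMIT_STACK)` subtraction on the line above; if that combination is reachable, the comparison would accept an oversized `mapsz` rather than reject it, so `if (maxv <= vm_map_min(map) || mapsz >= maxv - vm_map_min(map))` would be the safer form. Unlike the first hunk, this path sets `error` without a `goto ret` and relies on the `error == 0` condition that follows, which is not obvious at a glance; a one-line comment such as `/* Reject sizes that cannot fit below the stack; error is consumed by the checks below. */` would make that intent explicit. The enclosing function continues outside the hunk.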