authornectar <nectar@FreeBSD.org>2004-03-18 16:33:05 +0000
committernectar <nectar@FreeBSD.org>2004-03-18 16:33:05 +0000
commit97b3d4b119840e65d7b4b3e57af148d61484bc17 (patch)
tree55b9200bba0af4f2016cbaa48046ec9140ffbae7 /sys/kern/imgact_elf.c
parent5dc13201b254bca92b5a556cc7874e413b9f4e6b (diff)
Verify more bits of the ELF header: the program header table
entry size and the ELF version. Also, avoid a potential integer overflow when determining whether the ELF header fits entirely within the first page. Reviewed by: jdp A panic when attempting to execute an ELF binary with a bogus program header table entry size was Reported by: Christer Öberg <christer.oberg@texonet.com>
Diffstat (limited to 'sys/kern/imgact_elf.c')
-rw-r--r--sys/kern/imgact_elf.c12
1 files changed, 6 insertions, 6 deletions
diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
index fac25e8..73c8729 100644
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@@ -201,7 +201,9 @@ __elfN(check_header)(const Elf_Ehdr *hdr)
if (!IS_ELF(*hdr) ||
hdr->e_ident[EI_CLASS] != ELF_TARG_CLASS ||
hdr->e_ident[EI_DATA] != ELF_TARG_DATA ||
- hdr->e_ident[EI_VERSION] != EV_CURRENT)
+ hdr->e_ident[EI_VERSION] != EV_CURRENT ||
+ hdr->e_phentsize != sizeof(Elf_Phdr) ||
+ hdr->e_version != ELF_TARG_VER)
return (ENOEXEC);
/*
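Review bot: The new `e_phentsize` test in the `if` of check_header has no comment saying why an exact match with `sizeof(Elf_Phdr)` is required, although it is the check that closes the reported panic. Presumably the loader later walks the program header table as an array of `Elf_Phdr` (that code is outside this hunk), so any other entry size would misparse every entry after the first. I would add above the condition `/* e_phentsize must equal sizeof(Elf_Phdr): the table is read as an Elf_Phdr array */` so the test is not relaxed later. check_header's body starts before and continues past this hunk.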
@@ -216,9 +218,6 @@ __elfN(check_header)(const Elf_Ehdr *hdr)
if (i == MAX_BRANDS)
return (ENOEXEC);
- if (hdr->e_version != ELF_TARG_VER)
- return (ENOEXEC);
-
return (0);
}
@@ -585,9 +584,10 @@ __elfN(load_file)(struct proc *p, const char *file, u_long *addr,
goto fail;
}
- /* Only support headers that fit within first page for now */
+ /* Only support headers that fit within first page for now */
+ /* (multiplication of two Elf_Half fields will not overflow) */
if ((hdr->e_phoff > PAGE_SIZE) ||
- (hdr->e_phoff + hdr->e_phentsize * hdr->e_phnum) > PAGE_SIZE) {
+ (hdr->e_phentsize * hdr->e_phnum) > PAGE_SIZE - hdr->e_phoff) {
error = ENOEXEC;
goto fail;
}
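Review bot: The added comment `(multiplication of two Elf_Half fields will not overflow)` is not true on its own, because two 16-bit unsigned fields are promoted to `int` before the multiply and 0xFFFF * 0xFFFF exceeds INT_MAX where int is 32 bits. The product is bounded only if check_header, which now pins `e_phentsize` to `sizeof(Elf_Phdr)`, has already run on this header, and that call is not visible in the hunk. I would make the arithmetic independent of that ordering with `(u_long)hdr->e_phentsize * hdr->e_phnum > PAGE_SIZE - hdr->e_phoff) {` and reword the comment to name the dependency. The subtraction on the right is safe only because the `e_phoff > PAGE_SIZE` test short-circuits first, which the comment should also say. load_file starts and ends outside this hunk.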