author | nectar <nectar@FreeBSD.org> | 2004-03-18 16:33:05 +0000 |
---|---|---|
committer | nectar <nectar@FreeBSD.org> | 2004-03-18 16:33:05 +0000 |
commit | 97b3d4b119840e65d7b4b3e57af148d61484bc17 (patch) | |
tree | 55b9200bba0af4f2016cbaa48046ec9140ffbae7 /sys/kern | |
parent | 5dc13201b254bca92b5a556cc7874e413b9f4e6b (diff) | |
Verify more bits of the ELF header: the program header table
entry size and the ELF version. Also, avoid a potential integer
overflow when determining whether the ELF header fits entirely
within the first page.
Reviewed by: jdp
A panic when attempting to execute an ELF binary with a bogus program
header table entry size was
Reported by: Christer Öberg <christer.oberg@texonet.com>
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/imgact_elf.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
index fac25e8..73c8729 100644
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@@ -201,7 +201,9 @@ __elfN(check_header)(const Elf_Ehdr *hdr)
 if (!IS_ELF(*hdr) ||
 hdr->e_ident[EI_CLASS] != ELF_TARG_CLASS ||
 hdr->e_ident[EI_DATA] != ELF_TARG_DATA ||
- hdr->e_ident[EI_VERSION] != EV_CURRENT)
+ hdr->e_ident[EI_VERSION] != EV_CURRENT ||
+ hdr->e_phentsize != sizeof(Elf_Phdr) ||
+ hdr->e_version != ELF_TARG_VER)
 return (ENOEXEC);
 
 /*
@@ -216,9 +218,6 @@ __elfN(check_header)(const Elf_Ehdr *hdr)
 if (i == MAX_BRANDS)
 return (ENOEXEC);
 
- if (hdr->e_version != ELF_TARG_VER)
- return (ENOEXEC);
-
 return (0);
 }
 
@@ -585,9 +584,10 @@ __elfN(load_file)(struct proc *p, const char *file, u_long *addr,
 goto fail;
 }
 
- /* Only support headers that fit within first page for now */
+ /* Only support headers that fit within first page for now */
+ /* (multiplication of two Elf_Half fields will not overflow) */
 if ((hdr->e_phoff > PAGE_SIZE) ||
- (hdr->e_phoff + hdr->e_phentsize * hdr->e_phnum) > PAGE_SIZE) {
+ (hdr->e_phentsize * hdr->e_phnum) > PAGE_SIZE - hdr->e_phoff) {
 error = ENOEXEC;
 goto fail;
 }
|
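Review bot: The added `hdr->e_phentsize != sizeof(Elf_Phdr)` test in the first hunk's condition has no comment saying why the entry size must match exactly rather than merely be non-zero. The commit message ties the check to a panic on a bogus entry size, which suggests the loaders walk the program header table as an array of Elf_Phdr, though that code is outside this hunk. A short comment above the `if` would record the dependency, e.g. `/* e_phentsize must equal sizeof(Elf_Phdr): the table is indexed as an Elf_Phdr array */`. check_header's body starts before and continues past the hunk.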
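Review bot: The added comment `(multiplication of two Elf_Half fields will not overflow)` in the load_file hunk is not true in general, because both operands are 16-bit and promote to `int`, so two unconstrained values can exceed INT_MAX where `int` is 32 bits. The product is bounded here only if check_header has already forced `e_phentsize` to `sizeof(Elf_Phdr)` before this point, which the hunk does not show. Either state that dependency in the comment or make the arithmetic independent of it, e.g. `((size_t)hdr->e_phentsize * hdr->e_phnum) > PAGE_SIZE - hdr->e_phoff) {`. The rewritten comparison is otherwise sound, since the first operand of `||` guarantees `e_phoff <= PAGE_SIZE` before the subtraction is evaluated. load_file's body starts before and continues past the hunk.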