diff options
author | David Howells <dhowells@redhat.com> | 2012-05-22 15:56:13 +0100 |
---|---|---|
committer | Rusty Russell <rusty@rustcorp.com.au> | 2012-05-23 22:28:53 +0930 |
commit | ef26a5a6eadb7cd0637e1e9e246cd42505b8ec8c (patch) | |
tree | 94f8b1998d94080a842f94529f0d95cfe1bcc53a /kernel/module.c | |
parent | 3c7ec94d2c4a67d9663a080aa5080134308261c4 (diff) | |
download | kernel_goldelico_gta04-ef26a5a6eadb7cd0637e1e9e246cd42505b8ec8c.zip kernel_goldelico_gta04-ef26a5a6eadb7cd0637e1e9e246cd42505b8ec8c.tar.gz kernel_goldelico_gta04-ef26a5a6eadb7cd0637e1e9e246cd42505b8ec8c.tar.bz2 |
Guard check in module loader against integer overflow
The check:
if (len < hdr->e_shoff + hdr->e_shnum * sizeof(Elf_Shdr))
may not work if there's an overflow in the right-hand side of the condition.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Diffstat (limited to 'kernel/module.c')
-rw-r--r-- | kernel/module.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/kernel/module.c b/kernel/module.c index a4e6097..4edbd9c 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2429,7 +2429,8 @@ static int copy_and_check(struct load_info *info, goto free_hdr; } - if (len < hdr->e_shoff + hdr->e_shnum * sizeof(Elf_Shdr)) { + if (hdr->e_shoff >= len || + hdr->e_shnum * sizeof(Elf_Shdr) > len - hdr->e_shoff) { err = -ENOEXEC; goto free_hdr; } |