Commit ef26a5a6 authored May 22, 2012 by David Howells Committed by Rusty Russell May 23, 2012

Guard check in module loader against integer overflow



The check:

	if (len < hdr->e_shoff + hdr->e_shnum * sizeof(Elf_Shdr))

may not work if there's an overflow in the right-hand side of the condition.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

parent 3c7ec94d

kernel/module.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -2429,7 +2429,8 @@ static int copy_and_check(struct load_info *info,
		goto free_hdr;
		}

		if (len < hdr->e_shoff + hdr->e_shnum * sizeof(Elf_Shdr)) {
		if (hdr->e_shoff >= len \|\|
		hdr->e_shnum * sizeof(Elf_Shdr) > len - hdr->e_shoff) {
		err = -ENOEXEC;
		goto free_hdr;
		}