Require a PT_LOAD segment's p_filesz to be no larger than its p_memsz.

author guenther <guenther@openbsd.org>

Sun, 26 Apr 2015 05:30:42 +0000 (05:30 +0000)

committer guenther <guenther@openbsd.org>

Sun, 26 Apr 2015 05:30:42 +0000 (05:30 +0000)
author guenther <guenther@openbsd.org>
Sun, 26 Apr 2015 05:30:42 +0000 (05:30 +0000)
committer guenther <guenther@openbsd.org>
Sun, 26 Apr 2015 05:30:42 +0000 (05:30 +0000)
diff --git a/sys/kern/exec_elf.c b/sys/kern/exec_elf.c

index 5ceea1f..f8bfefe 100644 (file)
--- a/sys/kern/exec_elf.c
+++ b/sys/kern/exec_elf.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: exec_elf.c,v 1.113 2015/03/30 21:08:38 miod Exp $     */
+/*     $OpenBSD: exec_elf.c,v 1.114 2015/04/26 05:30:42 guenther Exp $ */
  
  /*
   * Copyright (c) 1996 Per Fogelstrom
@@ -362,6 +362,8 @@ ELFNAME(load_file)(struct proc *p, char *path, struct exec_package *epp,
  
         for (i = 0; i < eh.e_phnum; i++) {
                 if (ph[i].p_type == PT_LOAD) {
+                       if (ph[i].p_filesz > ph[i].p_memsz)
+                               goto bad1;
                         loadmap[idx].vaddr = trunc_page(ph[i].p_vaddr);
                         loadmap[idx].memsz = round_page (ph[i].p_vaddr +
                             ph[i].p_memsz - loadmap[idx].vaddr);
@@ -558,6 +560,10 @@ ELFNAME2(exec,makecmds)(struct proc *p, struct exec_package *epp)
                                 goto bad;
                         }
                 } else if (pp->p_type == PT_LOAD) {
+                       if (pp->p_filesz > pp->p_memsz) {
+                               error = EINVAL;
+                               goto bad;
+                       }
                         if (base_ph == NULL)
                                 base_ph = pp;
                 } else if (pp->p_type == PT_PHDR) {
author	guenther <guenther@openbsd.org>
	Sun, 26 Apr 2015 05:30:42 +0000 (05:30 +0000)
committer	guenther <guenther@openbsd.org>
	Sun, 26 Apr 2015 05:30:42 +0000 (05:30 +0000)