Fail if a PT_LOAD segment has a memory size of 0. This prevents a panic
authorkettenis <kettenis@openbsd.org>
Fri, 20 Jul 2018 21:48:27 +0000 (21:48 +0000)
committerkettenis <kettenis@openbsd.org>
Fri, 20 Jul 2018 21:48:27 +0000 (21:48 +0000)
later on, and it makes no sense for a binary to have such a segment.

ok bluhm@, guenther@

sys/kern/exec_elf.c

index 6fb2183..328e549 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: exec_elf.c,v 1.143 2018/07/10 04:19:59 guenther Exp $ */
+/*     $OpenBSD: exec_elf.c,v 1.144 2018/07/20 21:48:27 kettenis Exp $ */
 
 /*
  * Copyright (c) 1996 Per Fogelstrom
@@ -365,8 +365,11 @@ elf_load_file(struct proc *p, char *path, struct exec_package *epp,
 
        for (i = 0; i < eh.e_phnum; i++) {
                if (ph[i].p_type == PT_LOAD) {
-                       if (ph[i].p_filesz > ph[i].p_memsz)
+                       if (ph[i].p_filesz > ph[i].p_memsz ||
+                           ph[i].p_memsz == 0) {
+                               error = EINVAL;
                                goto bad1;
+                       }
                        loadmap[idx].vaddr = trunc_page(ph[i].p_vaddr);
                        loadmap[idx].memsz = round_page (ph[i].p_vaddr +
                            ph[i].p_memsz - loadmap[idx].vaddr);
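Review bot: The new guard rejects `p_filesz > p_memsz` and `p_memsz == 0`, but the statement right after it still computes `ph[i].p_vaddr + ph[i].p_memsz` from two untrusted unsigned header fields, so a header with a huge `p_memsz` can wrap that sum and leave `loadmap[idx].memsz` tiny instead of being rejected. Unless p_vaddr and p_memsz are bounded earlier in elf_load_file (not visible in this hunk), consider extending the same condition: `ph[i].p_filesz > ph[i].p_memsz || ph[i].p_memsz == 0 || ph[i].p_vaddr + ph[i].p_memsz < ph[i].p_vaddr`. Setting `error = EINVAL` before `goto bad1` is a welcome side fix, since the old path jumped with whatever `error` held. The body of elf_load_file continues past the end of this hunk.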
@@ -561,7 +564,8 @@ exec_elf_makecmds(struct proc *p, struct exec_package *epp)
                        if (interp[pp->p_filesz - 1] != '\0')
                                goto bad;
                } else if (pp->p_type == PT_LOAD) {
-                       if (pp->p_filesz > pp->p_memsz) {
+                       if (pp->p_filesz > pp->p_memsz ||
+                           pp->p_memsz == 0) {
                                error = EINVAL;
                                goto bad;
                        }
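Review bot: The added `pp->p_memsz == 0` condition carries no comment, and the commit description is the only place that records why an empty PT_LOAD is rejected (it would otherwise panic later in the loader); a reader of exec_elf_makecmds alone cannot tell this from a stricter-than-necessary sanity check. Add a one-line why-comment above the `if`, e.g. `/* A PT_LOAD with p_memsz == 0 makes no sense and would panic later. */`. The identical test now lives in both exec_elf_makecmds and elf_load_file; a small `static int` helper shared by both would keep future header checks from drifting apart. The body of exec_elf_makecmds continues outside this hunk.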