From: guenther
Date: Sun, 26 Apr 2015 05:30:42 +0000 (+0000)
Subject: Require a PT_LOAD segment's p_filesz to be no larger than its p_memsz.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=1fec3ba2823248e1f08dbe6629855a883be9bf7b;p=openbsd
Require a PT_LOAD segment's p_filesz to be no larger than its p_memsz. test cases provided by Alejandro Herna'ndez (nitrousenador (at) gmail.com) ok deraadt@ jsg@
---
diff --git a/sys/kern/exec_elf.c b/sys/kern/exec_elf.c
index 5ceea1f7303..f8bfefe3b3d 100644
--- a/sys/kern/exec_elf.c
+++ b/sys/kern/exec_elf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exec_elf.c,v 1.113 2015/03/30 21:08:38 miod Exp $ */
+/* $OpenBSD: exec_elf.c,v 1.114 2015/04/26 05:30:42 guenther Exp $ */
 /*
 * Copyright (c) 1996 Per Fogelstrom
@@ -362,6 +362,8 @@ ELFNAME(load_file)(struct proc *p, char *path, struct exec_package *epp,
 for (i = 0; i < eh.e_phnum; i++) {
 if (ph[i].p_type == PT_LOAD) {
+ if (ph[i].p_filesz > ph[i].p_memsz)
+ goto bad1;
 loadmap[idx].vaddr = trunc_page(ph[i].p_vaddr);
 loadmap[idx].memsz = round_page (ph[i].p_vaddr + ph[i].p_memsz - loadmap[idx].vaddr);
@@ -558,6 +560,10 @@ ELFNAME2(exec,makecmds)(struct proc *p, struct exec_package *epp)
 goto bad;
 }
 } else if (pp->p_type == PT_LOAD) {
+ if (pp->p_filesz > pp->p_memsz) {
+ error = EINVAL;
+ goto bad;
+ }
 if (base_ph == NULL)
 base_ph = pp;
 } else if (pp->p_type == PT_PHDR) {
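Review bot: In the ELFNAME(load_file) hunk (`@@ -362,6 +362,8 @@`), the new rejection path jumps to `bad1` without assigning `error`, whereas the matching check in ELFNAME2(exec,makecmds) sets `error = EINVAL` first. The code before this loop is outside the hunk, but if `error` still holds 0 from an earlier successful call, a segment with p_filesz > p_memsz would abort the load while load_file reports success to its caller. I would write it as `if (ph[i].p_filesz > ph[i].p_memsz) { error = EINVAL; goto bad1; }`. Separately, p_memsz itself stays unbounded in the visible context, so the sum `ph[i].p_vaddr + ph[i].p_memsz` passed to round_page can still wrap unless it is validated elsewhere.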
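Review bot: In the ELFNAME2(exec,makecmds) hunk (`@@ -558,6 +560,10 @@`), the new check carries no comment saying why a header field read from the executable is rejected here, and the same test is repeated in load_file. A one-line comment above the `if` would record the invariant, for example `/* ELF: p_filesz must not exceed p_memsz; the remainder is zero-filled */`. The program-header loop this sits in starts and ends outside the hunk, so whether the other PT_LOAD fields (p_offset, p_vaddr + p_memsz) are range-checked later cannot be confirmed from here.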