From 65ea7d4ad3844057e537c76a7486b4d871f7a8b2 Mon Sep 17 00:00:00 2001
From: kettenis
Date: Fri, 20 Jul 2018 21:48:27 +0000
Subject: [PATCH] Fail if a PT_LOAD segment has a memory size of 0. This prevents a panic later on, and it makes no sense for a binary to have such a segment. ok bluhm@, guenther@
---
 sys/kern/exec_elf.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/sys/kern/exec_elf.c b/sys/kern/exec_elf.c
index 6fb2183db65..328e549157b 100644
--- a/sys/kern/exec_elf.c
+++ b/sys/kern/exec_elf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exec_elf.c,v 1.143 2018/07/10 04:19:59 guenther Exp $ */
+/* $OpenBSD: exec_elf.c,v 1.144 2018/07/20 21:48:27 kettenis Exp $ */
 /*
 * Copyright (c) 1996 Per Fogelstrom
@@ -365,8 +365,11 @@ elf_load_file(struct proc *p, char *path, struct exec_package *epp,
 for (i = 0; i < eh.e_phnum; i++) {
 if (ph[i].p_type == PT_LOAD) {
- if (ph[i].p_filesz > ph[i].p_memsz)
+ if (ph[i].p_filesz > ph[i].p_memsz ||
+ ph[i].p_memsz == 0) {
+ error = EINVAL;
 goto bad1;
+ }
 loadmap[idx].vaddr = trunc_page(ph[i].p_vaddr);
 loadmap[idx].memsz = round_page (ph[i].p_vaddr + ph[i].p_memsz - loadmap[idx].vaddr);
@@ -561,7 +564,8 @@ exec_elf_makecmds(struct proc *p, struct exec_package *epp)
 if (interp[pp->p_filesz - 1] != '\0')
 goto bad;
 } else if (pp->p_type == PT_LOAD) {
- if (pp->p_filesz > pp->p_memsz) {
+ if (pp->p_filesz > pp->p_memsz ||
+ pp->p_memsz == 0) {
 error = EINVAL;
 goto bad;
 }
--
2.20.1
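Review bot: The size arithmetic in the context lines just below the new check in elf_load_file, `round_page (ph[i].p_vaddr + ph[i].p_memsz - loadmap[idx].vaddr)`, still operates on values read from the file, and nothing visible in this hunk stops `p_vaddr + p_memsz` from wrapping. A wrapped sum could leave `loadmap[idx].memsz` zero or too small even though `p_memsz` itself is non-zero, which is the same kind of degenerate segment this commit sets out to reject. If no later code catches that, I would extend the condition with `ph[i].p_vaddr + ph[i].p_memsz < ph[i].p_vaddr` so the wrapped case also fails with EINVAL. The rest of elf_load_file is outside the hunk, so an existing range check further down cannot be ruled out.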
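Review bot: Neither this check in exec_elf_makecmds nor the matching one in elf_load_file says why a zero `p_memsz` is rejected; the reason (a panic later on) is recorded only in the commit message. A one-line comment above the condition, such as `/* Reject empty PT_LOAD segments; a zero p_memsz panics later on. */`, would keep the rationale next to the code. The two conditions are also now identical, so a small shared helper could keep them from drifting apart. The enclosing function starts and ends outside the hunk.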