Prevent offset + size overflow.

it is possible to overflow uint64_t by summing variables offset and size up in elf_get_section_info. Thee values are extracted from module file and are possibly maliciously tampered with. If offset is in valid range and size very large, the result will overflow and the size check passes. Later on, this will most likely lead to a segmentation fault due to accessing uninitialized memory. Attached please find a proof of concept module, which will trigger a segmentation fault on modinfo. Tested on amd64: tobias:~$ modinfo poc.ko filename: /home/tobias/poc.ko Segmentation fault There are more errors of this type in the ELF handling code that will be fixed in other patches.
2025-02-20 08:26:55 +07:00 · 2015-02-09 23:22:51 +01:00 · 2015-02-09 23:22:51 +01:00 · 67466f266d
commit 67466f266d
parent eeb627004b
1 changed files with 1 additions and 1 deletions
--- a/libkmod/libkmod-elf.c
+++ b/libkmod/libkmod-elf.c
@ -251,7 +251,7 @@ static inline int elf_get_section_info(const struct kmod_elf *elf, uint16_t idx,
 #undef READV

 	min_size = *offset + *size;
-	if (min_size > elf->size) {
+	if (ULLONG_MAX - *offset < *size || min_size > elf->size) {
 		ELFDBG(elf, "out-of-bounds: %"PRIu64" >= %"PRIu64" (ELF size)\n",
 		       min_size, elf->size);
 		return -EINVAL;