The branch stable/13 has been updated by kib:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=f1b1fa3505e666134c66588659ba63601615e947

commit f1b1fa3505e666134c66588659ba63601615e947
Author:     Konstantin Belousov <[email protected]>
AuthorDate: 2021-12-08 09:33:19 +0000
Commit:     Konstantin Belousov <[email protected]>
CommitDate: 2021-12-19 02:42:51 +0000

    imgact_elf: avoid mapsz overflow
    
    (cherry picked from commit bf839416381cb9f63a8a82ea6e897a22830a8009)
---
 sys/kern/imgact_elf.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
index 17c0752c35fa..0f42017cb7ef 100644
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@@ -1162,6 +1162,11 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params 
*imgp)
                        }
                        if (phdr[i].p_align > maxalign)
                                maxalign = phdr[i].p_align;
+                       if (mapsz + phdr[i].p_memsz < mapsz) {
+                               uprintf("Mapsize overflow\n");
+                               error = ENOEXEC;
+                               goto ret;
+                       }
                        mapsz += phdr[i].p_memsz;
                        n++;
 
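Review bot: The added guard `if (mapsz + phdr[i].p_memsz < mapsz)` is only a valid overflow test because both operands are unsigned (wrap-around is defined; the same expression on signed types would be UB and could be optimized away), and nothing at the site says so. I would add a one-line comment above it, `/* Both operands are unsigned: a wrapped sum compares below mapsz. */`, so a later change of mapsz's or p_memsz's type does not silently break the check — mapsz's declaration is outside the hunk, so I am assuming it is the `u_long` the rest of the function appears to use. Note that the resulting mapsz is a plain sum of the accumulated p_memsz values with no per-segment page rounding, which matters for how it is interpreted later. The enclosing loop and the function body both start before and continue past this hunk.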
@@ -1290,6 +1295,11 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params 
*imgp)
        imgp->proc->p_sysent = sv;
 
        maxv = vm_map_max(map) - lim_max(td, RLIMIT_STACK);
+       if (mapsz >= maxv - vm_map_min(map)) {
+               uprintf("Excessive mapping size\n");
+               error = ENOEXEC;
+       }
+
        if (error == 0 && et_dyn_addr == ET_DYN_ADDR_RAND) {
                KASSERT((map->flags & MAP_ASLR) != 0,
                    ("ET_DYN_ADDR_RAND but !MAP_ASLR"));
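Review bot: The new size check `if (mapsz >= maxv - vm_map_min(map))` sets `error` and falls through instead of jumping to `ret` as the sibling check earlier in the function does; if that asymmetry is deliberate (for example because cleanup at `ret` expects state that is only re-established further down), it deserves a comment such as `/* Do not goto ret here: error is propagated through the checks below. */`. The comparison also inherits the assumption that `maxv > vm_map_min(map)`; if `lim_max(td, RLIMIT_STACK)` could ever exceed the map size the subtraction on the preceding line wraps and this guard never fires, which a `KASSERT` or a comment should make explicit. Finally, since mapsz is an unrounded sum of segment sizes, this is a coarse rejection of impossible binaries, not a guarantee that the mapping fits; I would say so in a comment so nobody later relies on it as a precise bound. The function continues outside this hunk.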
