The name[hdr.n_namesz -1] check below can segfault if the header
is garbage. So we check the computed header size fits within
the expected area before going further.

Signed-off-by: Sylvain Munaut <[email protected]>
---
 kexec/kexec-elf.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/kexec/kexec-elf.c b/kexec/kexec-elf.c
index 3515203..1d6320a 100644
--- a/kexec/kexec-elf.c
+++ b/kexec/kexec-elf.c
@@ -720,6 +720,14 @@ static int build_mem_notes(struct mem_ehdr *ehdr)
                desc       = note + note_size;
                note_size += _ALIGN(hdr.n_descsz, 4);
 
+               if (((note+note_size) > note_end) ||
+                   ((note+note_size) < note_start)) {
+                       /* Something is very wrong here ! Most likely the note
+                        * header is invalid */
+                       fprintf(stderr, "ELF Note corrupted !\n");
+                       return -1;
+               }
+
                if ((hdr.n_namesz != 0) && (name[hdr.n_namesz -1] != '\0')) {
                        /* If note name string is not null terminated, just
                         * warn user about it and continue processing. This
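Review bot: the new bounds check forms the pointer `note + note_size` before validating it, and since `note_size` is accumulated from the untrusted `n_namesz` and `n_descsz` fields, that pointer can land outside the note buffer; creating such a pointer is undefined behaviour in C even if it is only compared, so the `< note_start` wrap-around test is not guaranteed to catch anything. Consider comparing lengths instead of pointers, e.g. `if (note_size > (size_t)(note_end - note))`, which never constructs an out-of-range pointer and makes the second comparison unnecessary. The check is still placed correctly: it runs before the `name[hdr.n_namesz -1]` access, and with `note + note_size <= note_end` the name bytes are guaranteed to lie inside the buffer. Minor style point: drop the space before `!` in the error string so it matches the usual message format.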
-- 
2.1.4


_______________________________________________
kexec mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/kexec