Date: Sun, 19 Dec 2021 02:44:32 GMT From: Konstantin Belousov <kib@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: f1b1fa3505e6 - stable/13 - imgact_elf: avoid mapsz overflow Message-ID: <202112190244.1BJ2iW9r012685@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by kib: URL: https://cgit.FreeBSD.org/src/commit/?id=f1b1fa3505e666134c66588659ba63601615e947 commit f1b1fa3505e666134c66588659ba63601615e947 Author: Konstantin Belousov <kib@FreeBSD.org> AuthorDate: 2021-12-08 09:33:19 +0000 Commit: Konstantin Belousov <kib@FreeBSD.org> CommitDate: 2021-12-19 02:42:51 +0000 imgact_elf: avoid mapsz overflow (cherry picked from commit bf839416381cb9f63a8a82ea6e897a22830a8009) --- sys/kern/imgact_elf.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c index 17c0752c35fa..0f42017cb7ef 100644 --- a/sys/kern/imgact_elf.c +++ b/sys/kern/imgact_elf.c @@ -1162,6 +1162,11 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) } if (phdr[i].p_align > maxalign) maxalign = phdr[i].p_align; + if (mapsz + phdr[i].p_memsz < mapsz) { + uprintf("Mapsize overflow\n"); + error = ENOEXEC; + goto ret; + } mapsz += phdr[i].p_memsz; n++; @@ -1290,6 +1295,11 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp) imgp->proc->p_sysent = sv; maxv = vm_map_max(map) - lim_max(td, RLIMIT_STACK); + if (mapsz >= maxv - vm_map_min(map)) { + uprintf("Excessive mapping size\n"); + error = ENOEXEC; + } + if (error == 0 && et_dyn_addr == ET_DYN_ADDR_RAND) { KASSERT((map->flags & MAP_ASLR) != 0, ("ET_DYN_ADDR_RAND but !MAP_ASLR"));
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202112190244.1BJ2iW9r012685>