From nobody Thu Jun  4 00:36:20 2026
X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gW5GX6cCzz6h5tN
	for <dev-commits-src-branches@mlmmj.nyi.freebsd.org>; Thu, 04 Jun 2026 00:36:20 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gW5GX51Lmz3prQ
	for <dev-commits-src-branches@FreeBSD.org>; Thu, 04 Jun 2026 00:36:20 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1780533380;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=w8n7uhB/qi7ZLrH1ahIwexKIAegJM3Ykz9oqcKm9aXM=;
	b=S7UwkjMt2n7d1JwVNlGLQtys8I1Hp1GRNRLpUil1af9A/1B/8IFyb0xnA2sHde9OvZM89c
	Edc/BGEpEl4zvViC+yCarOAy6slv/wuN59oTYwrfp9PlbBhdCBE4dWmrQQiIgeRHOE12HX
	R4bR8ZELQX29uo7DA73J+GIDHwN43MGhwBaW90rR+TnIo4ownTgVpY+DdWCGX6+Rx4Nq+6
	0E6XW8ywfRkDF695QKGzjglnJ7REf4mJIcp01K9/4ucpJimoAd2r6q12XSjf7dIyrdYRlT
	FFRbJPWpchMnHTf7ytYy7w27TyFij/8gM2YZj1r+FPictOFGxLwROEcckT9tdQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780533380; a=rsa-sha256; cv=none;
	b=r6iXU453Ma0Z7iNUIws5D4iD+JnNQBBiV6V0Tu0WI+ulBPSkv38Z3rDB7cusJ7Elhfy/kp
	9ZvGSPjMV07FKYCBSNNyV978p+nQRxDjpxK/XfO+p67CmtNFxRtce+OGU1rS3kGaSk63RE
	72l0sdvWJcJ7/BRMLK0C2RGv/mPOFoCuu2o9AKcCXQm2pw5R8kPMz7W79GwovQDT3WXfYp
	ZSILDMOysXjDAbs9VjS45FIzQNa0dIjKOVr2UYKYxWJ38nL9vUmT7La7bmtuFnYh2ghptx
	AebpMaqRTyNfl6eY5sNH5ERzKcYX0XrUGy6jxxmw7CBPVxcqyq37VfFv+jclAg==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1780533380;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=w8n7uhB/qi7ZLrH1ahIwexKIAegJM3Ykz9oqcKm9aXM=;
	b=ggZtvk5ywLYxh5RGPaaV3dByVbk3OsjecfvUBPPXPNsugDIpQPN9LdCrF7TtacAMRZQQZh
	6TizdHreCj/6G10N8mmBtYAukdZiS+LVn4nszcaMQJLp8BhoExo/UsDfNQdO1H4KTRRCqw
	Stg8BCgCZCLGAdFWWemwv1RlDFhsrHV5s3O/JNgzQkkMJiE7CjHeBDG4cUfVe/x6d44uro
	cKAAay225TO+lRsS6m9zq7DXEaMuFu93lK5k6yOzhuO8ZxXpNIOjRQEcCGMA7Xhi2DQKiM
	22cIV6kOHT781XC4FTuAWom8nD6nxNEdTeiL6mfwKdYb7qKiW95NoHvgJbXY5w==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gW5GX4KS1zbQC
	for <dev-commits-src-branches@FreeBSD.org>; Thu, 04 Jun 2026 00:36:20 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 22210
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Thu, 04 Jun 2026 00:36:20 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Konstantin Belousov <kib@FreeBSD.org>
Subject: git: 21d0d2a519da - stable/15 - imgact_elf: add sysctl kern.elfXX.phnums for the number of program headers
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
List-Id: <dev-commits-src-branches.FreeBSD.org>
List-Post: <mailto:dev-commits-src-branches@FreeBSD.org>
List-Help: <mailto:dev-commits-src-branches+help@FreeBSD.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kib
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: 21d0d2a519da14acb55f164b43ff2aaf7254e0c2
Auto-Submitted: auto-generated
Date: Thu, 04 Jun 2026 00:36:20 +0000
Message-Id: <6a20c884.22210.1f7a35d1@gitrepo.freebsd.org>

The branch stable/15 has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=21d0d2a519da14acb55f164b43ff2aaf7254e0c2

commit 21d0d2a519da14acb55f164b43ff2aaf7254e0c2
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2026-05-29 14:47:31 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2026-06-04 00:34:42 +0000

    imgact_elf: add sysctl kern.elfXX.phnums for the number of program headers
    
    (cherry picked from commit 201090678e033237e20d80eb29cc059e0df9a1e1)
---
 sys/kern/imgact_elf.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
index 9b5215d9217a..31102522ef35 100644
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@@ -84,8 +84,6 @@
 #define ELF_NOTE_ROUNDSIZE	4
 #define OLD_EI_BRAND	8
 
-#define	ELF_OFFPAGE_PHNUM	128
-
 /*
  * ELF_ABI_NAME is a string name of the ELF ABI.  ELF_ABI_ID is used
  * to build variable names.
@@ -229,6 +227,11 @@ SYSCTL_BOOL(ELF_NODE_OID, OID_AUTO, allow_wx,
     CTLFLAG_RWTUN, &__elfN(allow_wx), 0,
     "Allow pages to be mapped simultaneously writable and executable");
 
+static u_int __elfN(phnums) = 128;
+SYSCTL_UINT(ELF_NODE_OID, OID_AUTO, phnums,
+    CTLFLAG_RWTUN, &__elfN(phnums), 0,
+    "Max number of program headers to accept");
+
 static const Elf_Brandinfo *elf_brand_list[MAX_BRANDS];
 
 #define	aligned(a, t)	(rounddown2((u_long)(a), sizeof(t)) == (u_long)(a))
@@ -855,17 +858,14 @@ __elfN(load_file)(struct thread *td, const char *file, u_long *addr,
 		goto fail;
 	}
 
-	if (!aligned(imgp->image_header + hdr->e_phoff, Elf_Addr)) {
+	if (!aligned(imgp->image_header + hdr->e_phoff, Elf_Addr) ||
+	    hdr->e_phnum > __elfN(phnums)) {
 		error = ENOEXEC;
 		goto fail;
 	}
 	if (__elfN(phdr_in_zero_page)(hdr)) {
 		phdr = (const Elf_Phdr *)(imgp->image_header + hdr->e_phoff);
 	} else {
-		if (hdr->e_phnum > ELF_OFFPAGE_PHNUM) {
-			error = ENOEXEC;
-			goto fail;
-		}
 		VOP_UNLOCK(imgp->vp);
 		phdr = m_phdrs = malloc(hdr->e_phnum * sizeof(Elf_Phdr),
 		    M_TEMP, M_WAITOK | M_ZERO);
@@ -1165,11 +1165,13 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp)
 		uprintf("PHDRS wrap\n");
 		return (ENOEXEC);
 	}
+	if (hdr->e_phnum > __elfN(phnums)) {
+		uprintf("Too many program headers (%u, %u max)\n",
+		    hdr->e_phnum, __elfN(phnums));
+		return (ENOEXEC);
+	}
 	if (__elfN(phdr_in_zero_page)(hdr)) {
 		phdr = (const Elf_Phdr *)(imgp->image_header + hdr->e_phoff);
-	} else if (hdr->e_phnum > ELF_OFFPAGE_PHNUM) {
-		uprintf("Too many program headers\n");
-		return (ENOEXEC);
 	} else {
 		VOP_UNLOCK(imgp->vp);
 		phdr = m_phdrs = malloc(hdr->e_phnum * sizeof(Elf_Phdr),