| From 55cf2f4b945f6a6416cc2524ba740b83cc9af25a Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@linaro.org> |
| Date: Wed, 4 Dec 2024 15:07:15 +0300 |
| Subject: binfmt_flat: Fix integer overflow bug on 32 bit systems |
| |
| From: Dan Carpenter <dan.carpenter@linaro.org> |
| |
| commit 55cf2f4b945f6a6416cc2524ba740b83cc9af25a upstream. |
| |
| Most of these sizes and counts are capped at 256MB so the math doesn't |
| result in an integer overflow. The "relocs" count needs to be checked |
| as well. Otherwise on 32bit systems the calculation of "full_data" |
| could be wrong. |
| |
| full_data = data_len + relocs * sizeof(unsigned long); |
| |
| Fixes: c995ee28d29d ("binfmt_flat: prevent kernel dammage from corrupted executable headers") |
| Cc: stable@vger.kernel.org |
| Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> |
| Acked-by: Nicolas Pitre <npitre@baylibre.com> |
| Link: https://lore.kernel.org/r/5be17f6c-5338-43be-91ef-650153b975cb@stanley.mountain |
| Signed-off-by: Kees Cook <kees@kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| fs/binfmt_flat.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/fs/binfmt_flat.c |
| +++ b/fs/binfmt_flat.c |
| @@ -529,7 +529,7 @@ static int load_flat_file(struct linux_b |
| * 28 bits (256 MB) is way more than reasonable in this case. |
| * If some top bits are set we have probable binary corruption. |
| */ |
| - if ((text_len | data_len | bss_len | stack_len | full_data) >> 28) { |
| + if ((text_len | data_len | bss_len | stack_len | relocs | full_data) >> 28) { |
| pr_err("bad header\n"); |
| ret = -ENOEXEC; |
| goto err; |
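Review bot: The comment at the top of this hunk still speaks only of sizes ("28 bits (256 MB) is way more than reasonable"), while the condition now also bounds relocs, which is a count rather than a byte length. Please extend the comment to say why relocs is in the mask. Per the commit message, full_data = data_len + relocs * sizeof(unsigned long), so on a 32-bit system the full_data term in the same mask may already hold a wrapped value and cannot by itself reject a bad header. It would help to spell out the bound the new term gives. With relocs and data_len both below 1 << 28 and a 4-byte unsigned long, relocs * sizeof(unsigned long) stays below 1 << 30 and the sum stays below 1 << 32, so full_data cannot wrap. A sentence like that in the comment would keep a later cleanup from dropping relocs from the check as redundant with full_data.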