author | Daniel Verkamp <dverkamp@chromium.org> | 2019-06-24 15:12:10 -0700 |
committer | Commit Bot <commit-bot@chromium.org> | 2019-06-25 17:12:06 +0000 |
commit | 76199b4a054fa888badc2a4793040658be54c9ff (patch) | |
tree | 488834a62f8748c2c3031da6f0fb6c0d6cd84390 /kernel_loader/src | |
parent | 6b51bd334fcf384595629a69ad54950b441adb72 (diff) | |
kernel_loader: check phdr memory size addition
The `mem_offset.offset() + phdr.p_memsz` addition uses untrusted input (`phdr.p_memsz` from the ELF image) and can overflow; add an explicit checked addition so invalid values produce an error instead of a panic. BUG=None TEST=/usr/libexec/fuzzers/crosvm_zimage_fuzzer in cros_fuzz shell Change-Id: Ie6f7f27bd00958ff85201cecaa75ce2b19779b8b Signed-off-by: Daniel Verkamp <dverkamp@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1674664 Tested-by: kokoro <noreply+kokoro@google.com> Reviewed-by: Dylan Reid <dgreid@chromium.org>
Diffstat (limited to 'kernel_loader/src')
-rw-r--r-- | kernel_loader/src/lib.rs | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/kernel_loader/src/lib.rs b/kernel_loader/src/lib.rs
index 7ff6efa..75828f5 100644
--- a/kernel_loader/src/lib.rs
+++ b/kernel_loader/src/lib.rs
@@ -26,6 +26,7 @@ pub enum Error {
 InvalidProgramHeaderSize,
 InvalidProgramHeaderOffset,
 InvalidProgramHeaderAddress,
+ InvalidProgramHeaderMemSize,
 ReadElfHeader,
 ReadKernelImage,
 ReadProgramHeader,
@@ -49,6 +50,7 @@ impl Display for Error {
 InvalidProgramHeaderSize => "invalid program header size",
 InvalidProgramHeaderOffset => "invalid program header offset",
 InvalidProgramHeaderAddress => "invalid Program Header Address",
+ InvalidProgramHeaderMemSize => "invalid Program Header memory size",
 ReadElfHeader => "unable to read elf header",
 ReadKernelImage => "unable to read kernel image",
 ReadProgramHeader => "unable to read program header",
@@ -132,7 +134,10 @@ where
 .read_to_memory(mem_offset, kernel_image, phdr.p_filesz as usize)
 .map_err(|_| Error::ReadKernelImage)?;
- kernel_end = mem_offset.offset() + phdr.p_memsz;
+ kernel_end = mem_offset .offset() .checked_add(phdr.p_memsz) .ok_or(Error::InvalidProgramHeaderMemSize)?;
 }
 Ok(kernel_end) |
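Review bot: The checked_add in the third hunk stops the overflow panic, but the new code still accepts a header with `p_memsz < p_filesz`, which the ELF format forbids and which makes the returned kernel_end smaller than the region `read_to_memory` has just filled, so anything a caller places at kernel_end could overlap the loaded segment; a guard before the load such as `if phdr.p_memsz < phdr.p_filesz { return Err(Error::InvalidProgramHeaderMemSize); }` would close that. The `phdr.p_filesz as usize` cast on the context line above also silently truncates on 32-bit targets if p_filesz is a u64 as in Elf64_Phdr; `usize::try_from(phdr.p_filesz)` mapped to the same error would be safer, assuming read_to_memory does not already reject oversized lengths. A short comment on the new lines, `// p_memsz comes from the untrusted image; a wrapping add would let kernel_end land below the segment.`, would record why the checked form is required here. The enclosing load function starts outside the hunk, so whether an earlier check already bounds p_memsz against guest memory cannot be confirmed from this view.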