authorDaniel Verkamp <dverkamp@chromium.org>2019-06-24 15:12:10 -0700
committerCommit Bot <commit-bot@chromium.org>2019-06-25 17:12:06 +0000
commit76199b4a054fa888badc2a4793040658be54c9ff (patch)
tree488834a62f8748c2c3031da6f0fb6c0d6cd84390 /kernel_loader/src
parent6b51bd334fcf384595629a69ad54950b441adb72 (diff)
kernel_loader: check phdr memory size addition
The mem_offset + phdr.memsz addition is using untrusted input
(phdr.memsz) and can overflow; add an explicit check to avoid panics on
invalid values.

BUG=None
TEST=/usr/libexec/fuzzers/crosvm_zimage_fuzzer in cros_fuzz shell

Change-Id: Ie6f7f27bd00958ff85201cecaa75ce2b19779b8b
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1674664
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Diffstat (limited to 'kernel_loader/src')
-rw-r--r--kernel_loader/src/lib.rs7
1 files changed, 6 insertions, 1 deletions
diff --git a/kernel_loader/src/lib.rs b/kernel_loader/src/lib.rs
index 7ff6efa..75828f5 100644
--- a/kernel_loader/src/lib.rs
+++ b/kernel_loader/src/lib.rs
@@ -26,6 +26,7 @@ pub enum Error {
     InvalidProgramHeaderSize,
     InvalidProgramHeaderOffset,
     InvalidProgramHeaderAddress,
+    InvalidProgramHeaderMemSize,
     ReadElfHeader,
     ReadKernelImage,
     ReadProgramHeader,
@@ -49,6 +50,7 @@ impl Display for Error {
             InvalidProgramHeaderSize => "invalid program header size",
             InvalidProgramHeaderOffset => "invalid program header offset",
             InvalidProgramHeaderAddress => "invalid Program Header Address",
+            InvalidProgramHeaderMemSize => "invalid Program Header memory size",
             ReadElfHeader => "unable to read elf header",
             ReadKernelImage => "unable to read kernel image",
             ReadProgramHeader => "unable to read program header",
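Review bot: The new Display arm copies the capitalization of the line above ("invalid Program Header memory size") rather than the lowercase form used by the other arms of the same match ("invalid program header size", "invalid program header offset"). Since this string reaches logs and error output, consistent casing makes grepping and correlating loader failures easier; `InvalidProgramHeaderMemSize => "invalid program header memory size",` would match the majority style. The pre-existing "invalid Program Header Address" arm is the odd one out and could be normalized in the same pass. The enclosing `impl Display` starts before this hunk.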
@@ -132,7 +134,10 @@ where
             .read_to_memory(mem_offset, kernel_image, phdr.p_filesz as usize)
             .map_err(|_| Error::ReadKernelImage)?;
 
-        kernel_end = mem_offset.offset() + phdr.p_memsz;
+        kernel_end = mem_offset
+            .offset()
+            .checked_add(phdr.p_memsz)
+            .ok_or(Error::InvalidProgramHeaderMemSize)?;
     }
 
     Ok(kernel_end)
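Review bot: The `checked_add` stops the arithmetic overflow, but the resulting `kernel_end` is still derived from the untrusted `p_memsz` without being compared to the size of the guest memory; `read_to_memory` on the lines above only covers the `p_filesz` bytes, so a segment whose `p_memsz` is much larger than `p_filesz` yields a `kernel_end` that can point far beyond guest RAM without any error. If callers use `kernel_end` to place the initrd or command line after the kernel, that is a second place where the same input can cause a failure that a bounds check here would catch earlier; something like `if !guest_mem.address_in_range(...)` on the end address (or the equivalent accessor on the guest memory argument, which is declared outside this hunk) returning `Error::InvalidProgramHeaderMemSize` would close it, with a brief comment that `p_memsz >= p_filesz` is attacker-controlled. I cannot see from the hunk whether a later check already exists, so this may be redundant. The enclosing loop and function start before this hunk.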