From: David Howells Date: Tue, 22 May 2012 14:56:13 +0000 (+0100) Subject: Guard check in module loader against integer overflow X-Git-Tag: firefly_0821_release~3680^2~2786^2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=ef26a5a6eadb7cd0637e1e9e246cd42505b8ec8c;p=firefly-linux-kernel-4.4.55.git Guard check in module loader against integer overflow The check: if (len < hdr->e_shoff + hdr->e_shnum * sizeof(Elf_Shdr)) may not work if there's an overflow in the right-hand side of the condition. Signed-off-by: David Howells Signed-off-by: Rusty Russell --- diff --git a/kernel/module.c b/kernel/module.c index a4e60973ca73..4edbd9c11aca 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2429,7 +2429,8 @@ static int copy_and_check(struct load_info *info, goto free_hdr; } - if (len < hdr->e_shoff + hdr->e_shnum * sizeof(Elf_Shdr)) { + if (hdr->e_shoff >= len || + hdr->e_shnum * sizeof(Elf_Shdr) > len - hdr->e_shoff) { err = -ENOEXEC; goto free_hdr; }