Check was incorrectly being applied to size of elf phdrs, instead of the number. The ELF standard allows for up to 65535 headers, but the check was being compared to the number of headers multiplied by the size of a program header. --- fs/binfmt_elf.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 9fe3b51c116a..5605b5205f84 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -445,11 +445,11 @@ static struct elf_phdr *load_elf_phdrs(const struct elfhdr *elf_ex, goto out; /* Sanity check the number of program headers... */ - /* ...and their total size. */ - size = sizeof(struct elf_phdr) * elf_ex->e_phnum; - if (size == 0 || size > 65536 || size > ELF_MIN_ALIGN) + if (elf_ex->e_phnum == 0 || elf_ex->phnum > 65535) goto out; + size = sizeof(struct elf_phdr) * elf_ex->e_phnum; + elf_phdata = kmalloc(size, GFP_KERNEL); if (!elf_phdata) goto out; -- 2.17.1
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
