Check was incorrectly being applied to size of elf phdrs, instead of the number. The ELF standard allows for up to 65535 headers, but the check was being compared to the number of headers multiplied by the size of a program header. --- fs/binfmt_elf.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 13d053982dd7..f21896f250d2 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -445,11 +445,11 @@ static struct elf_phdr *load_elf_phdrs(const struct elfhdr *elf_ex, goto out; /* Sanity check the number of program headers... */ - /* ...and their total size. */ - size = sizeof(struct elf_phdr) * elf_ex->e_phnum; - if (size == 0 || size > 65536 || size > ELF_MIN_ALIGN) + if (elf_ex->e_phnum == 0) goto out; + size = array_size(sizeof(*elf_phdata), elf_ex->e_phnum); + elf_phdata = kmalloc(size, GFP_KERNEL); if (!elf_phdata) goto out; -- 2.17.1
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
