The elf_ex.e_phnum field can be set to zero. If elf_ex.e_phnum is set to zero, then a redundant kmalloc with the size zero is called and a following kfree. Check if elf_ex.e_phnum equals zero, and prevent the redundant kmalloc and kfree.

Signed-off-by: Itay Ie <ieitayie@xxxxxxxxx>
---
 fs/binfmt_elf.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 187b3f2b9202..f25e8f241ae9 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1348,7 +1348,8 @@ static int load_elf_library(struct file *file)
 
 /* First of all, some simple consistency checks */
 if (elf_ex.e_type != ET_EXEC || elf_ex.e_phnum > 2 ||
- !elf_check_arch(&elf_ex) || !file->f_op->mmap)
+ elf_ex.e_phnum == 0 || !elf_check_arch(&elf_ex) ||
+ !file->f_op->mmap)
 goto out;
 if (elf_check_fdpic(&elf_ex))
 goto out;
@@ -1356,7 +1357,7 @@ static int load_elf_library(struct file *file)
 
 /* Now read in all of the header information */
 j = sizeof(struct elf_phdr) * elf_ex.e_phnum;
-/* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
+/* j < ELF_MIN_ALIGN because elf_ex.e_phnum is 1 or 2 */
 
 error = -ENOMEM;
 elf_phdata = kmalloc(j, GFP_KERNEL);
-- 
2.32.0
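Review bot: The new `elf_ex.e_phnum == 0` operand in the first hunk is placed two operands away from the `elf_ex.e_phnum > 2` test it belongs with, so a reader has to assemble the accepted range (1..2) for this file-supplied header field from non-adjacent parts of the condition. Putting both bounds together, `if (elf_ex.e_phnum == 0 || elf_ex.e_phnum > 2 ||` followed by the unchanged `!elf_check_arch(&elf_ex) || !file->f_op->mmap)`, keeps the original two-line shape and makes the consistency check read as a single range constraint. The commit message motivates the check only by the spare kmalloc/kfree pair; if the PT_LOAD scan that follows the second hunk (outside it) already rejects a zero-header library, it would help to state in the message that the error returned to the caller is unchanged, since load_elf_library's body continues past both hunks.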