Re: [PATCH v4 bpf-next 01/10] lib/buildid: harden build ID parsing logic

> +		name_sz = READ_ONCE(nhdr->n_namesz);
> +		desc_sz = READ_ONCE(nhdr->n_descsz);
> +		new_offs = note_offs + sizeof(Elf32_Nhdr) + ALIGN(name_sz, 4) + ALIGN(desc_sz, 4);

Don't you need to check the name_sz and desc_sz overflows separately?

Otherwise name_sz could be ~0 and desc_sz small (or reversed) and the check
below wouldn't trigger, but still bad things could happen.


> +		if (new_offs <= note_offs /* overflow */ || new_offs > note_size)
> +			break;
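
Review bot: the wrap test `new_offs <= note_offs` only catches a sum that lands at or below note_offs, while name_sz and desc_sz come straight from the note header and are added with no individual bound. If these variables are 32-bit (their declarations are not in the quoted lines), ALIGN(name_sz, 4) can itself wrap to 0 for a value near ~0, or the two aligned sizes can wrap together, leaving new_offs between note_offs and note_size although one size is far larger than the note. Suggest rejecting name_sz and desc_sz that exceed the bytes remaining after the header before computing new_offs, or doing the sum in a 64-bit type.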

-Andi
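
The case raised above, worked through as an added example that is not part of the patch or of this message. It assumes name_sz, desc_sz and the offsets are 32-bit; `combined_next`, `per_field_next` and `align4` are hypothetical names, and the inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define NHDR_SIZE 12u /* sizeof(Elf32_Nhdr): three 32-bit words */

/* 32-bit round-up to 4, standing in for the kernel's ALIGN(x, 4) on a u32 */
static uint32_t align4(uint32_t v) { return (v + 3u) & ~3u; }

/* Check shaped like the quoted hunk (u32 arithmetic is an assumption).
 * Returns the next note offset, or 0 when the check rejects the note. */
uint32_t combined_next(uint32_t note_offs, uint32_t note_size,
                       uint32_t name_sz, uint32_t desc_sz)
{
    uint32_t new_offs = note_offs + NHDR_SIZE + align4(name_sz) + align4(desc_sz);

    if (new_offs <= note_offs /* overflow */ || new_offs > note_size)
        return 0;
    return new_offs;
}

/* Hypothetical per-field variant: each size is bounded by the bytes that
 * remain, so no addition below can wrap. Same return convention. */
uint32_t per_field_next(uint32_t note_offs, uint32_t note_size,
                        uint32_t name_sz, uint32_t desc_sz)
{
    uint32_t remaining;

    if (note_offs > note_size || note_size - note_offs < NHDR_SIZE)
        return 0;
    remaining = note_size - note_offs - NHDR_SIZE;
    if (name_sz > remaining || align4(name_sz) > remaining)
        return 0;
    remaining -= align4(name_sz);
    if (desc_sz > remaining || align4(desc_sz) > remaining)
        return 0;
    return note_offs + NHDR_SIZE + align4(name_sz) + align4(desc_sz);
}

int main(void)
{
    /* Constructed inputs: {name_sz, desc_sz} inside a 64-byte note segment */
    const uint32_t cases[][2] = { {4, 20}, {0xffffffffu, 20}, {0xfffffff0u, 0x20} };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("name_sz=%#x desc_sz=%#x combined=%u per_field=%u\n",
               (unsigned)cases[i][0], (unsigned)cases[i][1],
               (unsigned)combined_next(0, 64, cases[i][0], cases[i][1]),
               (unsigned)per_field_next(0, 64, cases[i][0], cases[i][1]));
    return 0;
}
```

A nonzero result from `combined_next` for the second and third inputs means the combined check accepted a note whose name_sz is larger than the whole segment.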



