Re: [PATCH v4 bpf-next 01/10] lib/buildid: harden build ID parsing logic

On Thu, Aug 8, 2024 at 3:24 PM Andi Kleen <ak@xxxxxxxxxxxxxxx> wrote:
>
> > +             name_sz = READ_ONCE(nhdr->n_namesz);
> > +             desc_sz = READ_ONCE(nhdr->n_descsz);
> > +             new_offs = note_offs + sizeof(Elf32_Nhdr) + ALIGN(name_sz, 4) + ALIGN(desc_sz, 4);
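Review bot: the three additions on the new_offs line can each wrap a u32 before the single range check further down ever sees the result: ALIGN(name_sz, 4) evaluates to 0 for name_sz = 0xffffffff, and note_offs + ALIGN(name_sz, 4) + ALIGN(desc_sz, 4) can wrap back to a value between note_offs and note_size. Bound name_sz and desc_sz individually against note_size - note_offs (or check each addition on its own) before forming new_offs.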
>
> Don't you need to check the name_sz and desc_sz overflows separately?
>
> Otherwise name_sz could be ~0 and desc_sz small (or reversed) and the check
> below wouldn't trigger, but still bad things could happen.

Yes, both sizes are full u32, so they could technically both overflow,
resulting in a final non-overflown new_offs. I'll switch the
additions to be done step by step.

>
>
> > +             if (new_offs <= note_offs /* overflow */ || new_offs > note_size)
> > +                     break;
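Review bot: `new_offs <= note_offs` only detects a wrap that lands at or below note_offs; a wrapped sum that lands anywhere in (note_offs, note_size] satisfies both conditions and the loop continues with a bogus offset. Rejecting each of name_sz and desc_sz against the room remaining in the note area before they are added makes this final comparison a pure bounds check rather than the sole overflow defence.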
>
> -Andi
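The wrap Andi describes, shown in runnable form. This is an added example, not the kernel's lib/buildid code: Elf32_Nhdr here is a stand-in struct with the same three u32 fields, ALIGN4() mirrors the shape of the kernel's ALIGN(x, 4) on a 32-bit operand, and next_note_naive(), add_aligned() and next_note_checked() are names chosen for this example. The note sizes fed to main() are constructed values, not bytes from a real ELF file. The naive function reproduces the single-check form quoted above; the checked one does the additions step by step and rejects the two wrapping inputs that the naive form accepts.

```c
/*
 * Added example (not the kernel's lib/buildid code): why one wrap check on
 * new_offs is not enough, and a step-by-step alternative.
 * Elf32_Nhdr is a stand-in; ALIGN4, next_note_naive, add_aligned and
 * next_note_checked are names chosen for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t n_namesz;
    uint32_t n_descsz;
    uint32_t n_type;
} Elf32_Nhdr;

/* same shape as the kernel's ALIGN(x, 4) on a 32-bit operand */
#define ALIGN4(x) (((x) + 3u) & ~3u)

/*
 * Naive: one expression, one wrap check, the shape quoted in the thread.
 * Returns true if the note is accepted and stores the next note offset.
 */
static bool next_note_naive(uint32_t note_offs, uint32_t note_size,
                            uint32_t name_sz, uint32_t desc_sz,
                            uint32_t *new_offs)
{
    uint32_t off = note_offs + (uint32_t)sizeof(Elf32_Nhdr) +
                   ALIGN4(name_sz) + ALIGN4(desc_sz);

    if (off <= note_offs /* overflow */ || off > note_size)
        return false;
    *new_offs = off;
    return true;
}

/*
 * Add ALIGN4(sz) to *off without any intermediate wrap.
 * Precondition: *off <= limit.
 */
static bool add_aligned(uint32_t *off, uint32_t sz, uint32_t limit)
{
    /* ALIGN4() itself wraps to 0 for sz > UINT32_MAX - 3: reject that first */
    if (sz > UINT32_MAX - 3u)
        return false;
    sz = ALIGN4(sz);
    /* *off + sz cannot wrap if sz fits in the room left below limit */
    if (sz > limit - *off)
        return false;
    *off += sz;
    return true;
}

/* Hardened: each of the three additions is checked on its own. */
static bool next_note_checked(uint32_t note_offs, uint32_t note_size,
                              uint32_t name_sz, uint32_t desc_sz,
                              uint32_t *new_offs)
{
    uint32_t off = note_offs;

    if (note_offs > note_size)
        return false;
    if (!add_aligned(&off, (uint32_t)sizeof(Elf32_Nhdr), note_size) ||
        !add_aligned(&off, name_sz, note_size) ||
        !add_aligned(&off, desc_sz, note_size))
        return false;
    *new_offs = off;
    return true;
}

int main(void)
{
    /* constructed inputs: note area of 0x100 bytes, note header at offset 0 */
    struct { uint32_t name_sz, desc_sz; const char *what; } cases[] = {
        { 4,           20,   "well-formed GNU build ID note" },
        { 0xffffffffu, 0x10, "ALIGN(name_sz, 4) wraps to 0" },
        { 0xfffffff0u, 0x20, "name_sz + desc_sz wraps past note_offs" },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint32_t n = 0, c = 0;
        bool ok_n = next_note_naive(0, 0x100, cases[i].name_sz,
                                    cases[i].desc_sz, &n);
        bool ok_c = next_note_checked(0, 0x100, cases[i].name_sz,
                                      cases[i].desc_sz, &c);
        printf("%-40s naive=%s(0x%x) checked=%s(0x%x)\n", cases[i].what,
               ok_n ? "accept" : "reject", n,
               ok_c ? "accept" : "reject", c);
    }
    return 0;
}
```

The two bad inputs pass the naive check because the wrapped sum lands at 0x1c, inside (note_offs, note_size]. The checked version never forms a sum that can wrap: the raw size is bounded before alignment, and the aligned size is bounded against the room left below note_size before it is added.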