On Thu, Jul 25, 2024 at 3:45 PM Andi Kleen <ak@xxxxxxxxxxxxxxx> wrote:
>
> > @@ -214,13 +214,14 @@ static int get_build_id_32(struct freader *r, unsigned char *build_id, __u32 *si
> >
> > /* subsequent freader_fetch() calls invalidate pointers, so remember locally */
> > phnum = ehdr->e_phnum;
> > + phoff = READ_ONCE(ehdr->e_phoff);
> >
> > /* only supports phdr that fits in one page */
> > if (phnum > (PAGE_SIZE - sizeof(Elf32_Ehdr)) / sizeof(Elf32_Phdr))
> > return -EINVAL;
> >
> > for (i = 0; i < phnum; ++i) {
> > - phdr = freader_fetch(r, i * sizeof(Elf32_Phdr), sizeof(Elf32_Phdr));
> > + phdr = freader_fetch(r, phoff + i * sizeof(Elf32_Phdr), sizeof(Elf32_Phdr));
>
> What happens if phoff is big enough that this computation wraps?
>
phoff is u32, phoff + i * sizeof(Elf32_Phdr) will be casted to u64 as
it's passed into freader_fetch (which expects u64), and so it will be
an offset slightly bigger than 4GB into the file. If that happens to
be a valid file offset, so be it, we'll fetch the page at that file
offset. If not, freader_fetch() will return NULL.
