summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOtto Moerbeek <otto@cvs.openbsd.org>2008-08-12 09:44:27 +0000
committerOtto Moerbeek <otto@cvs.openbsd.org>2008-08-12 09:44:27 +0000
commit72470cfeb65691eec8b92b74e609412cdc285e18 (patch)
tree62d0da4789b08f452efb8dab463402fe0b48017d
parentea093c833f07cf2166bb61f1f00ddb2289ac865b (diff)
basic bounds check on elf header info. avoid crashes on i.e.e truncated
kernels; noted by jasper@ ok miod@
-rw-r--r--usr.sbin/config/exec_elf.c18
1 files changed, 16 insertions, 2 deletions
diff --git a/usr.sbin/config/exec_elf.c b/usr.sbin/config/exec_elf.c
index 09e8c37aa7f..c2bb4ab38b9 100644
--- a/usr.sbin/config/exec_elf.c
+++ b/usr.sbin/config/exec_elf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exec_elf.c,v 1.10 2004/01/04 18:30:05 deraadt Exp $ */
+/* $OpenBSD: exec_elf.c,v 1.11 2008/08/12 09:44:26 otto Exp $ */
/*
* Copyright (c) 1999 Mats O Jansson. All rights reserved.
@@ -25,7 +25,7 @@
*/
#ifndef LINT
-static char rcsid[] = "$OpenBSD: exec_elf.c,v 1.10 2004/01/04 18:30:05 deraadt Exp $";
+static char rcsid[] = "$OpenBSD: exec_elf.c,v 1.11 2008/08/12 09:44:26 otto Exp $";
#endif
#include <err.h>
@@ -141,9 +141,23 @@ elf_loadkernel(char *file)
if (read(fd, elf_total, (size_t)elf_size) != elf_size)
errx(1, "can't read elf kernel");
+ if (elf_ex.e_phoff > (size_t)elf_size)
+ errx(1, "incorrect ELF header or truncated file");
+ if (elf_ex.e_shoff > (size_t)elf_size)
+ errx(1, "incorrect ELF header or truncated file");
+
elf_phdr = (Elf_Phdr *)&elf_total[elf_ex.e_phoff];
elf_shdr = (Elf_Shdr *)&elf_total[elf_ex.e_shoff];
+ if ((char *)&elf_shdr[elf_ex.e_shstrndx] +
+ sizeof(elf_shdr[elf_ex.e_shstrndx]) >= elf_total + (size_t)elf_size)
+ errx(1, "incorrect ELF header or truncated file");
+
+ if ((char *)&elf_shdr[elf_ex.e_shstrndx].sh_offset +
+ sizeof(elf_shdr[elf_ex.e_shstrndx].sh_offset) >=
+ elf_total + (size_t)elf_size)
+ errx(1, "incorrect ELF header or truncated file");
+
elf_shstrtab = &elf_total[elf_shdr[elf_ex.e_shstrndx].sh_offset];
close(fd);