Re: [PATCH 1/4] elf: don't be afraid of overflow

From: Alexey Dobriyan
Date: Mon Mar 11 2019 - 13:10:13 EST

Next message: Allison Henderson: "Re: [PATCH 1/2] xfs: zero initialize highstale and lowstale in xfs_dir2_leaf_addname"
Previous message: Arnaldo Carvalho de Melo: "Re: [PATCH v6 06/11] perf tools report: Support builtin perf script in scripts menu"
In reply to: Pavel Machek: "Re: [PATCH 1/4] elf: don't be afraid of overflow"
Next in thread: Pavel Machek: "Re: [PATCH 1/4] elf: don't be afraid of overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Mar 11, 2019 at 12:04:23PM +0100, Pavel Machek wrote:
> On Mon 2019-02-04 23:27:15, Alexey Dobriyan wrote:
> > Number of ELF program headers is 16-bit by spec, so total size
> > comfortably fits into "unsigned int".
>
> If it can't overflow, gcc should know too, and optimize checks
> out... right?

Turns out it doesn't.

> > @@ -429,13 +430,9 @@ static struct elf_phdr *load_elf_phdrs(struct elfhdr *elf_ex,
> > goto out;
> >
> > /* Sanity check the number of program headers... */
> > - if (elf_ex->e_phnum < 1 ||
> > - elf_ex->e_phnum > 65536U / sizeof(struct elf_phdr))
> > - goto out;
> > -
> > /* ...and their total size. */
>
> This is just wrong. You removed check for zero, and I'm pretty sure
> sizeof() is not 1, so this one can trigger, too.

No. ->e_phnum is 65535 max.

size = sizeof(struct elf_phdr) * elf_ex->e_phnum;
if (size == 0 || size > 65536 || size > ELF_MIN_ALIGN)
goto out;

Next message: Allison Henderson: "Re: [PATCH 1/2] xfs: zero initialize highstale and lowstale in xfs_dir2_leaf_addname"
Previous message: Arnaldo Carvalho de Melo: "Re: [PATCH v6 06/11] perf tools report: Support builtin perf script in scripts menu"
In reply to: Pavel Machek: "Re: [PATCH 1/4] elf: don't be afraid of overflow"
Next in thread: Pavel Machek: "Re: [PATCH 1/4] elf: don't be afraid of overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]