kernel_loader: check phdr memory size addition

The mem_offset + phdr.memsz addition is using untrusted input (phdr.memsz) and can overflow; add an explicit check to avoid panics on invalid values. BUG=None TEST=/usr/libexec/fuzzers/crosvm_zimage_fuzzer in cros_fuzz shell Change-Id: Ie6f7f27bd00958ff85201cecaa75ce2b19779b8b Signed-off-by: Daniel Verkamp <dverkamp@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1674664 Tested-by: kokoro <noreply+kokoro@google.com> Reviewed-by: Dylan Reid <dgreid@chromium.org>
2024-11-24 20:48:55 +00:00 · 2019-06-24 15:12:10 -07:00 · 2019-06-24 15:12:10 -07:00 · 76199b4a05
commit 76199b4a05
parent 6b51bd334f
1 changed files with 6 additions and 1 deletions
--- a/kernel_loader/src/lib.rs
+++ b/kernel_loader/src/lib.rs
@ -26,6 +26,7 @@ pub enum Error {
    InvalidProgramHeaderSize,
    InvalidProgramHeaderOffset,
    InvalidProgramHeaderAddress,
+    InvalidProgramHeaderMemSize,
    ReadElfHeader,
    ReadKernelImage,
    ReadProgramHeader,
@ -49,6 +50,7 @@ impl Display for Error {
            InvalidProgramHeaderSize => "invalid program header size",
            InvalidProgramHeaderOffset => "invalid program header offset",
            InvalidProgramHeaderAddress => "invalid Program Header Address",
+            InvalidProgramHeaderMemSize => "invalid Program Header memory size",
            ReadElfHeader => "unable to read elf header",
            ReadKernelImage => "unable to read kernel image",
            ReadProgramHeader => "unable to read program header",
@ -132,7 +134,10 @@ where
            .read_to_memory(mem_offset, kernel_image, phdr.p_filesz as usize)
            .map_err(|_| Error::ReadKernelImage)?;

-        kernel_end = mem_offset.offset() + phdr.p_memsz;
+        kernel_end = mem_offset
+            .offset()
+            .checked_add(phdr.p_memsz)
+            .ok_or(Error::InvalidProgramHeaderMemSize)?;
    }

    Ok(kernel_end)