kexec elf: Sanity check on the note header before accessing it

The name[hdr.n_namesz -1] check below can segfault if the header is garbage. So we check the computed header side fits within the expected area before going further. Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com> Signed-off-by: Simon Horman <horms@verge.net.au>
author: Sylvain Munaut <s.munaut@whatever-company.com> 2016-08-26 12:46:14 +0000
committer: Simon Horman <horms@verge.net.au> 2016-10-07 11:53:55 +0900
commit: 97b6f5f78d955733ce7ae0dcf8944af84407d615 (patch)
tree: 216da9e52cbd122a725382beb842b4af47b31eed
parent: 1574ff1aae4f3a2396187b4fe4f75a9be2ba2cc3 (diff)
download: kexec-tools-97b6f5f78d955733ce7ae0dcf8944af84407d615.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/kexec/kexec-elf.c b/kexec/kexec-elf.c
index 35152035..1d6320a2 100644
--- a/kexec/kexec-elf.c
+++ b/kexec/kexec-elf.c
@@ -720,6 +720,14 @@ static int build_mem_notes(struct mem_ehdr *ehdr)
 		desc       = note + note_size;
 		note_size += _ALIGN(hdr.n_descsz, 4);
 
+		if (((note+note_size) > note_end) ||
+		    ((note+note_size) < note_start)) {
+			/* Something is very wrong here ! Most likely the note
+			 * header is invalid */
+			fprintf(stderr, "ELF Note corrupted !\n");
+			return -1;
+		}
+
 		if ((hdr.n_namesz != 0) && (name[hdr.n_namesz -1] != '\0')) {
 			/* If note name string is not null terminated, just
 			 * warn user about it and continue processing. This
author	Sylvain Munaut <s.munaut@whatever-company.com>	2016-08-26 12:46:14 +0000
committer	Simon Horman <horms@verge.net.au>	2016-10-07 11:53:55 +0900
commit	97b6f5f78d955733ce7ae0dcf8944af84407d615 (patch)
tree	216da9e52cbd122a725382beb842b4af47b31eed
parent	1574ff1aae4f3a2396187b4fe4f75a9be2ba2cc3 (diff)
download	kexec-tools-97b6f5f78d955733ce7ae0dcf8944af84407d615.tar.gz