From a378776e5a063db095f3080f3da9f005ad0bbab9 Mon Sep 17 00:00:00 2001
From: christos
Date: Wed, 25 Jun 2003 13:48:06 +0000
Subject: [PATCH] Limit the number of program headers we accept to avoid resource exhaustion by a hand-crafted elf binary.

---
 sys/kern/exec_elf32.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/sys/kern/exec_elf32.c b/sys/kern/exec_elf32.c
index bdcc62ea7f45..11a78b8ddc04 100644
--- a/sys/kern/exec_elf32.c
+++ b/sys/kern/exec_elf32.c
@@ -1,4 +1,4 @@
-/* $NetBSD: exec_elf32.c,v 1.89 2003/03/01 05:55:51 matt Exp $ */
+/* $NetBSD: exec_elf32.c,v 1.90 2003/06/25 13:48:06 christos Exp $ */
 
 /*-
  * Copyright (c) 1994, 2000 The NetBSD Foundation, Inc.
@@ -64,7 +64,7 @@
  */
 
 #include
-__KERNEL_RCSID(1, "$NetBSD: exec_elf32.c,v 1.89 2003/03/01 05:55:51 matt Exp $");
+__KERNEL_RCSID(1, "$NetBSD: exec_elf32.c,v 1.90 2003/06/25 13:48:06 christos Exp $");
 
 /* If not included by exec_elf64.c, ELFSIZE won't be defined. */
 #ifndef ELFSIZE
@@ -103,6 +103,8 @@ int ELFNAME2(netbsd,probe)(struct proc *, struct exec_package *,
 #define ELF_ROUND(a, b) (((a) + (b) - 1) & ~((b) - 1))
 #define ELF_TRUNC(a, b) ((a) & ~((b) - 1))
 
+#define MAXPHNUM 50
+
 /*
  * Copy arguments onto the stack in the normal way, but add some
  * extra information in case of dynamic binding.
@@ -389,6 +391,9 @@ ELFNAME(load_file)(struct proc *p, struct exec_package *epp, char *path,
 if ((error = ELFNAME(check_header)(&eh, ET_DYN)) != 0)
 goto bad;
 
+ if (eh.e_phnum > MAXPHNUM)
+ goto bad;
+
 phsize = eh.e_phnum * sizeof(Elf_Phdr);
 ph = (Elf_Phdr *)malloc(phsize, M_TEMP, M_WAITOK);
 
@@ -549,6 +554,9 @@ ELFNAME2(exec,makecmds)(struct proc *p, struct exec_package *epp)
 ELFNAME(check_header)(eh, ET_DYN) != 0)
 return ENOEXEC;
 
+ if (eh->e_phnum > MAXPHNUM)
+ return ENOEXEC;
+
 error = vn_marktext(epp->ep_vp);
 if (error)
 return (error);
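Review bot: `MAXPHNUM` is introduced in the `@@ -103,6 +103,8 @@` hunk without a comment saying what it bounds or why 50 was chosen, and the define is the only place a later reader can learn that the limit exists to cap the `e_phnum * sizeof(Elf_Phdr)` allocations made further down in this file. I would add `/* Upper bound on e_phnum we are willing to allocate program headers for; guards against resource exhaustion by a crafted header. */` above the define. Whether 50 is generous enough for every binary this loader must accept is not something the hunk shows, so the rationale from the commit message is worth keeping next to the constant.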
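Review bot: The new `goto bad` in the load_file hunk (`@@ -389,6 +391,9 @@`) leaves `error` at 0, because the preceding `check_header` call only falls through to this line when it returned 0; if `bad:` returns `error` the way the other failure path in the hunk suggests, an over-limit binary is reported to the caller as successfully loaded. The status should be set first: `if (eh.e_phnum > MAXPHNUM || eh.e_phnum == 0) { error = ENOEXEC; goto bad; }`. The `eh.e_phnum == 0` part applies equally to the checks added in the exec,makecmds and netbsd,signature hunks, since none of them rejects a zero count, which makes `phsize` 0 on the following line and hands a zero-length request to the `malloc` after it. The `bad:` label and the rest of load_file are outside the hunk.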
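Review bot: The bound check added before `vn_marktext` in the exec,makecmds hunk (`@@ -549,6 +554,9 @@`) is the second verbatim copy of the same comparison (the first is in load_file, the third in the netbsd,signature hunk), and three hand-written copies of one limit tend to drift when a single site is edited later. Both load_file and exec,makecmds reach their copy immediately after `ELFNAME(check_header)` succeeds, so the comparison would fit inside check_header with ENOEXEC as its result, and the netbsd,signature copy could then be dropped once its callers are confirmed to pass a header that has been through check_header; that confirmation is not visible here. If check_header is shared with callers that must accept larger headers, keep the per-site checks but route them through one `static inline` helper with a descriptive name. The enclosing functions start and end outside the hunk.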
@@ -718,6 +726,9 @@ ELFNAME2(netbsd,signature)(struct proc *p, struct exec_package *epp,
 size_t phsize;
 int error;
 
+ if (eh->e_phnum > MAXPHNUM)
+ return ENOEXEC;
+
 phsize = eh->e_phnum * sizeof(Elf_Phdr);
 ph = (Elf_Phdr *)malloc(phsize, M_TEMP, M_WAITOK);
 error = exec_read_from(p, epp->ep_vp, eh->e_phoff, ph, phsize);