Re: [PATCH 1/4] elf: don't be afraid of overflow

From: Alexey Dobriyan
Date: Mon Mar 11 2019 - 13:10:13 EST


On Mon, Mar 11, 2019 at 12:04:23PM +0100, Pavel Machek wrote:
> On Mon 2019-02-04 23:27:15, Alexey Dobriyan wrote:
> > Number of ELF program headers is 16-bit by spec, so total size
> > comfortably fits into "unsigned int".
>
> If it can't overflow, gcc should know too, and optimize checks
> out... right?

Turns out it doesn't.

> > @@ -429,13 +430,9 @@ static struct elf_phdr *load_elf_phdrs(struct elfhdr *elf_ex,
> > goto out;
> >
> > /* Sanity check the number of program headers... */
> > - if (elf_ex->e_phnum < 1 ||
> > - elf_ex->e_phnum > 65536U / sizeof(struct elf_phdr))
> > - goto out;
> > -
> > /* ...and their total size. */
>
> This is just wrong. You removed check for zero, and I'm pretty sure
> sizeof() is not 1, so this one can trigger, too.

No. ->e_phnum is 65535 max.

size = sizeof(struct elf_phdr) * elf_ex->e_phnum;
if (size == 0 || size > 65536 || size > ELF_MIN_ALIGN)
goto out;