From: Pranav Tyagi
To: viro@zeniv.linux.org.uk, brauner@kernel.org, jack@suse.cz, kees@kernel.org
Cc: linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, skhan@linuxfoundation.org, linux-kernel-mentees@lists.linux.dev, Pranav Tyagi
Subject: [PATCH] binfmt_elf: use check_mul_overflow() for size calc
Date: Sat, 7 Jun 2025 13:58:44 +0530
Message-ID: <20250607082844.8779-1-pranav.tyagi03@gmail.com>

Use check_mul_overflow() to safely compute the total size of ELF program headers instead of relying on direct multiplication.

Directly multiplying sizeof(struct elf_phdr) with e_phnum risks integer overflow, especially on 32-bit systems or with malformed ELF binaries crafted to trigger wrap-around. If an overflow occurs, kmalloc() could allocate insufficient memory, potentially leading to out-of-bound accesses, memory corruption or security vulnerabilities.

Using check_mul_overflow() ensures the multiplication is performed safely and detects overflows before memory allocation. This change makes the function more robust when handling untrusted or corrupted binaries.

Signed-off-by: Pranav Tyagi
Link: https://github.com/KSPP/linux/issues/92
--- fs/binfmt_elf.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index a43363d593e5..774e705798b8 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c
@@ -518,7 +518,10 @@ static struct elf_phdr *load_elf_phdrs(const struct elfhdr *elf_ex, /* Sanity check the number of program headers... */ /* ...and their total size. */ - size = sizeof(struct elf_phdr) * elf_ex->e_phnum; + + if (check_mul_overflow(sizeof(struct elf_phdr), elf_ex->e_phnum, &size)) + goto out; + if (size == 0 || size > 65536 || size > ELF_MIN_ALIGN) goto out; -- 2.49.0
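
Review bot: the new check_mul_overflow() branch placed ahead of the existing size test needs a justification that the product can actually wrap. The changelog does not give the width of e_phnum or the type of size; if e_phnum is a 16-bit header field, sizeof(struct elf_phdr) * elf_ex->e_phnum cannot overflow and the added "goto out" is dead code. The unchanged line that follows already rejects size == 0, size > 65536 and size > ELF_MIN_ALIGN, so a wrapped value would also have to land inside that window before the kmalloc() the changelog mentions could be undersized. Please state in the changelog which configuration makes that reachable, or reword it as a hardening and readability change. Style: the added blank line after the "/* ...and their total size. */" comment separates the comment from the code it describes and should be dropped.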