Date: Tue, 10 Jun 2025 09:59:22 +0200
From: Jan Kara
To: Kees Cook
Cc: Pranav Tyagi, viro@zeniv.linux.org.uk, brauner@kernel.org, jack@suse.cz, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, skhan@linuxfoundation.org, linux-kernel-mentees@lists.linux.dev
Subject: Re: [PATCH] binfmt_elf: use check_mul_overflow() for size calc
References: <20250607082844.8779-1-pranav.tyagi03@gmail.com> <202506092053.827AD89DC5@keescook>
In-Reply-To: <202506092053.827AD89DC5@keescook>

On Mon 09-06-25 21:04:36, Kees Cook wrote:
> On Sat, Jun 07, 2025 at 01:58:44PM +0530, Pranav Tyagi wrote:
> > Use check_mul_overflow() to safely compute the total size of ELF program
> > headers instead of relying on direct multiplication.
> >
> > Directly multiplying sizeof(struct elf_phdr) with e_phnum risks integer
> > overflow, especially on 32-bit systems or with malformed ELF binaries
> > crafted to trigger wrap-around. If an overflow occurs, kmalloc() could
> > allocate insufficient memory, potentially leading to out-of-bounds
> > accesses, memory corruption or security vulnerabilities.
> >
> > Using check_mul_overflow() ensures the multiplication is performed
> > safely and detects overflows before memory allocation. This change makes
> > the function more robust when handling untrusted or corrupted binaries.
> >
> > Signed-off-by: Pranav Tyagi
> > Link: https://github.com/KSPP/linux/issues/92
> > ---
> >  fs/binfmt_elf.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> > index a43363d593e5..774e705798b8 100644
> > --- a/fs/binfmt_elf.c
> > +++ b/fs/binfmt_elf.c
> > @@ -518,7 +518,10 @@ static struct elf_phdr *load_elf_phdrs(const struct elfhdr *elf_ex,
> >
> >  	/* Sanity check the number of program headers... */
> >  	/* ...and their total size. */
> > -	size = sizeof(struct elf_phdr) * elf_ex->e_phnum;
>
> size is unsigned int, which has a maximum value of 4,294,967,295.
>
> elf_ex->e_phnum is a u16 (2 bytes) and will not be changing:
>
> $ pahole -C elf64_hdr */fs/binfmt_elf.o
> struct elf64_hdr {
> ...
>         Elf64_Half e_phnum;    /* 56 2 */
> ...

Ah, what confused me was that I somehow thought Elf64_Half is u32 without
checking its definition, which clearly shows it's actually u16. Thanks for
checking it! You're right that the patch is pointless then.

								Honza
-- 
Jan Kara
SUSE Labs, CR
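Review bot: the multiplication on the removed line `size = sizeof(struct elf_phdr) * elf_ex->e_phnum;` cannot overflow the `unsigned int` it is assigned to, so wrapping it in check_mul_overflow() adds a branch without adding protection: `e_phnum` is a 16-bit field (Elf64_Half, 2 bytes in the quoted pahole output) and sizeof(struct elf_phdr) is a small compile-time constant, which bounds the product far below 4,294,967,295. The replacement `+` lines are not quoted, so the new code itself cannot be reviewed here; given the bound, dropping the hunk is the right outcome, which is the conclusion the reply reaches.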
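The bound argument above can be checked mechanically. The following is an added example written for this page, not code from the patch, the thread or the kernel: it models load_elf_phdrs()'s size computation in userspace, using the GCC/Clang builtin `__builtin_mul_overflow` as a stand-in for the kernel's check_mul_overflow() and a constructed struct with the same field widths as Elf64_Phdr (56 bytes). It proves exhaustively that no 16-bit `e_phnum` can overflow an `unsigned int`, and then shows, for a hypothetical 32-bit count field (not something the ELF header has), the case where the unchecked assignment silently truncates and the checked form catches it.

```c
/*
 * Added example (not kernel code). Models the size computation discussed in
 * the thread and the bound that makes check_mul_overflow() unnecessary there.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed mirror of the Elf64_Phdr field layout; not the kernel's definition. */
struct elf64_phdr_model {
    uint32_t p_type;
    uint32_t p_flags;
    uint64_t p_offset;
    uint64_t p_vaddr;
    uint64_t p_paddr;
    uint64_t p_filesz;
    uint64_t p_memsz;
    uint64_t p_align;
};
_Static_assert(sizeof(struct elf64_phdr_model) == 56, "model must be 56 bytes like Elf64_Phdr");

/* Userspace stand-in for the kernel's check_mul_overflow(a, b, d):
 * returns true when a*b does not fit in *d, and stores the wrapped value. */
#define check_mul_overflow(a, b, d) __builtin_mul_overflow((a), (b), (d))

/* The real case: e_phnum is a 16-bit field (Elf64_Half), size is unsigned int.
 * Returns true if the product overflowed the destination. */
bool phdr_table_size_u16(uint16_t e_phnum, unsigned int *size)
{
    return check_mul_overflow(sizeof(struct elf64_phdr_model), e_phnum, size);
}

/* Exhaustive check of the argument made in the thread: with a 16-bit count,
 * the product can never overflow an unsigned int (returns false). */
bool u16_count_can_overflow(void)
{
    unsigned int size;
    for (unsigned int n = 0; n <= UINT16_MAX; n++) {
        if (phdr_table_size_u16((uint16_t)n, &size))
            return true;
    }
    return false;
}

/* Hypothetical contrast (assumption: a 32-bit count field, which ELF does not
 * have). The unchecked assignment truncates the product to unsigned int, so a
 * large count yields a small size, which is the failure the patch worried about. */
unsigned int naive_table_size_u32(uint32_t count)
{
    unsigned int size = sizeof(struct elf64_phdr_model) * count; /* truncates */
    return size;
}

/* Same computation with the overflow check; true means the caller must reject. */
bool checked_table_size_u32(uint32_t count, unsigned int *size)
{
    return check_mul_overflow(sizeof(struct elf64_phdr_model), count, size);
}

int main(void)
{
    unsigned int size = 0;
    uint32_t big = 0x10000000u;

    phdr_table_size_u16(UINT16_MAX, &size);
    printf("e_phnum=%u -> %u bytes; any 16-bit count overflows: %s\n",
           UINT16_MAX, size, u16_count_can_overflow() ? "yes" : "no");

    printf("32-bit count 0x%x: naive size %u, check_mul_overflow flags it: %s\n",
           big, naive_table_size_u32(big),
           checked_table_size_u32(big, &size) ? "yes" : "no");
    return 0;
}
```

The exhaustive loop is what makes the "pointless patch" verdict concrete: 56 bytes times the largest 16-bit value is 3,669,960, nowhere near the 4,294,967,295 limit of `unsigned int`. The 32-bit variant shows where the check would earn its place: a count of 0x10000000 produces a true size of 0x380000000, which the plain assignment truncates to 0x80000000 while the checked form reports the overflow.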