Date: Mon, 9 Jun 2025 13:25:17 +0200
From: Jan Kara
To: Pranav Tyagi
Cc: viro@zeniv.linux.org.uk, brauner@kernel.org, jack@suse.cz, kees@kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, skhan@linuxfoundation.org, linux-kernel-mentees@lists.linux.dev
Subject: Re: [PATCH] binfmt_elf: use check_mul_overflow() for size calc
In-Reply-To: <20250607082844.8779-1-pranav.tyagi03@gmail.com>

On Sat 07-06-25 13:58:44, Pranav Tyagi wrote:
> Use check_mul_overflow() to safely compute the total size of ELF program
> headers instead of relying on direct multiplication.
>
> Directly multiplying sizeof(struct elf_phdr) with e_phnum risks integer
> overflow, especially on 32-bit systems or with malformed ELF binaries
> crafted to trigger wrap-around. If an overflow occurs, kmalloc() could
> allocate insufficient memory, potentially leading to out-of-bound
> accesses, memory corruption or security vulnerabilities.
>
> Using check_mul_overflow() ensures the multiplication is performed
> safely and detects overflows before memory allocation. This change makes
> the function more robust when handling untrusted or corrupted binaries.
> > Signed-off-by: Pranav Tyagi > Link: https://github.com/KSPP/linux/issues/92 Looks good. Feel free to add: Reviewed-by: Jan Kara Honza > --- > fs/binfmt_elf.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c > index a43363d593e5..774e705798b8 100644 > --- a/fs/binfmt_elf.c > +++ b/fs/binfmt_elf.c > @@ -518,7 +518,10 @@ static struct elf_phdr *load_elf_phdrs(const struct elfhdr *elf_ex, > > /* Sanity check the number of program headers... */ > /* ...and their total size. */ > - size = sizeof(struct elf_phdr) * elf_ex->e_phnum; > + > + if (check_mul_overflow(sizeof(struct elf_phdr), elf_ex->e_phnum, &size)) > + goto out; > + > if (size == 0 || size > 65536 || size > ELF_MIN_ALIGN) > goto out; > > -- > 2.49.0 > -- Jan Kara SUSE Labs, CR
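
Review bot: The new check_mul_overflow() branch in load_elf_phdrs() needs a justification that the product can actually wrap, because the unchanged test right below it (size == 0 || size > 65536 || size > ELF_MIN_ALIGN) already rejects any oversized result that did not wrap. e_phnum is a 16-bit field in the ELF header, so the commit message should state the type of size and show whether sizeof(struct elf_phdr) * e_phnum can exceed it; if it cannot, describe the change as hardening only, or drop it, rather than citing an undersized kmalloc() allocation. Separately, the blank line added between the "/* ...and their total size. */" comment and the new if statement detaches the comment from the code it describes; remove it.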