mirrors/crosvm
1
0
Fork 0
mirror of https://chromium.googlesource.com/crosvm/crosvm synced 2025-02-05 18:20:34 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

kernel_loader: check phdr memory size addition

Browse source 
The mem_offset + phdr.memsz addition is using untrusted input
(phdr.memsz) and can overflow; add an explicit check to avoid panics on
invalid values.

BUG=None
TEST=/usr/libexec/fuzzers/crosvm_zimage_fuzzer in cros_fuzz shell

Change-Id: Ie6f7f27bd00958ff85201cecaa75ce2b19779b8b
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1674664
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
This commit is contained in:
Daniel Verkamp 2019-06-24 15:12:10 -07:00 committed by Commit Bot
parent 6b51bd334f
commit 76199b4a05
1 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
kernel_loader/src/lib.rs
View file

@ -26,6 +26,7 @@ pub enum Error {
InvalidProgramHeaderSize, InvalidProgramHeaderSize,
InvalidProgramHeaderOffset, InvalidProgramHeaderOffset,
InvalidProgramHeaderAddress, InvalidProgramHeaderAddress,
InvalidProgramHeaderMemSize,
ReadElfHeader, ReadElfHeader,
ReadKernelImage, ReadKernelImage,
ReadProgramHeader, ReadProgramHeader,
@ -49,6 +50,7 @@ impl Display for Error {
InvalidProgramHeaderSize => "invalid program header size", InvalidProgramHeaderSize => "invalid program header size",
InvalidProgramHeaderOffset => "invalid program header offset", InvalidProgramHeaderOffset => "invalid program header offset",
InvalidProgramHeaderAddress => "invalid Program Header Address", InvalidProgramHeaderAddress => "invalid Program Header Address",
InvalidProgramHeaderMemSize => "invalid Program Header memory size",
ReadElfHeader => "unable to read elf header", ReadElfHeader => "unable to read elf header",
ReadKernelImage => "unable to read kernel image", ReadKernelImage => "unable to read kernel image",
ReadProgramHeader => "unable to read program header", ReadProgramHeader => "unable to read program header",
@ -132,7 +134,10 @@ where
.read_to_memory(mem_offset, kernel_image, phdr.p_filesz as usize) .read_to_memory(mem_offset, kernel_image, phdr.p_filesz as usize)
.map_err(|_| Error::ReadKernelImage)?; .map_err(|_| Error::ReadKernelImage)?;
kernel_end = mem_offset.offset() + phdr.p_memsz; kernel_end = mem_offset
.offset()
.checked_add(phdr.p_memsz)
.ok_or(Error::InvalidProgramHeaderMemSize)?;
} }
Ok(kernel_end) Ok(kernel_end)