From nobody Fri Mar 29 05:27:08 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1568120217; cv=none; d=zoho.com; s=zohoarc; b=lpM+tqIxlu5itz2BQJpZ/GG7G8BvgJywA4OLtfSmDm0uu33k4DjGje+ucnHCQ0Xq6l3hhqTzTAGDkuIGnYe6MJWshE8XD5YpblSEWRoMYGxs2Fp/v8DXcYXdnlf46AR11SNrsWQXvgByz3f8+2ed/muzURLAtNi4gLgZyOPdrE0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1568120217; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To:ARC-Authentication-Results; bh=2a0T+w+QasdkCAuODhDlkPfLboq+3iVC1J1ko6tdbXQ=; b=orPFBHAzNuIdwNOurH1tCU806pC2LFgpEbITNi71qi9FTwKswVR7znsZaA5XwYn2G8t3WcEUsNEC4Cw3qWUGn+ErZaAvhK4dZIHzsGNhatCtDQRpsmxKp6nTbHeuZm+mnk8uFskeiO38mFJEEuXtNXLD7tzELpasq3Neno823SU= ARC-Authentication-Results: i=1; mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 156812021728742.69236558970306; Tue, 10 Sep 2019 05:56:57 -0700 (PDT) Received: from localhost ([::1]:39492 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1i7fhX-0006NE-PO for importer@patchew.org; Tue, 10 Sep 2019 08:56:55 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:60816) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1i7fZQ-00081Q-Nd for qemu-devel@nongnu.org; Tue, 10 Sep 2019 08:48:33 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1i7fZP-0008JQ-EQ for qemu-devel@nongnu.org; Tue, 10 Sep 2019 08:48:32 -0400 Received: from mx1.redhat.com ([209.132.183.28]:33974) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1i7fZP-0008J3-9S for qemu-devel@nongnu.org; Tue, 10 Sep 2019 08:48:31 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 884CAA2FC4E; Tue, 10 Sep 2019 12:48:30 +0000 (UTC) Received: from steredhat.redhat.com (ovpn-117-150.ams2.redhat.com [10.36.117.150]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1469F5D6B2; Tue, 10 Sep 2019 12:48:28 +0000 (UTC) From: Stefano Garzarella To: qemu-devel@nongnu.org Date: Tue, 10 Sep 2019 14:48:28 +0200 Message-Id: <20190910124828.39794-1-sgarzare@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.2 (mx1.redhat.com [10.5.110.68]); Tue, 10 Sep 2019 12:48:30 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH v2] elf-ops.h: fix int overflow in load_elf() X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Maydell , Paolo Bonzini , =?UTF-8?q?Alex=20Benn=C3=A9e?= , Stefano Garzarella Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" Content-Type: text/plain; charset="utf-8" This patch fixes a possible integer overflow when we calculate the total size of ELF segments loaded. Reported-by: Coverity (CID 1405299) Reviewed-by: Alex Benn=C3=A9e Signed-off-by: Stefano Garzarella --- v2: - not use error_report in load_elf() [Peter] - return ELF_LOAD_TOO_BIG - add Alex's R-b --- include/hw/elf_ops.h | 5 +++++ include/hw/loader.h | 1 + hw/core/loader.c | 2 ++ 3 files changed, 8 insertions(+) diff --git a/include/hw/elf_ops.h b/include/hw/elf_ops.h index 1496d7e753..e07d276df7 100644 --- a/include/hw/elf_ops.h +++ b/include/hw/elf_ops.h @@ -485,6 +485,11 @@ static int glue(load_elf, SZ)(const char *name, int fd, } } =20 + if (mem_size > INT_MAX - total_size) { + ret =3D ELF_LOAD_TOO_BIG; + goto fail; + } + /* address_offset is hack for kernel images that are linked at the wrong physical address. */ if (translate_fn) { diff --git a/include/hw/loader.h b/include/hw/loader.h index 07fd9286e7..48a96cd559 100644 --- a/include/hw/loader.h +++ b/include/hw/loader.h @@ -89,6 +89,7 @@ int load_image_gzipped(const char *filename, hwaddr addr,= uint64_t max_sz); #define ELF_LOAD_NOT_ELF -2 #define ELF_LOAD_WRONG_ARCH -3 #define ELF_LOAD_WRONG_ENDIAN -4 +#define ELF_LOAD_TOO_BIG -5 const char *load_elf_strerror(int error); =20 /** load_elf_ram_sym: diff --git a/hw/core/loader.c b/hw/core/loader.c index 32f7cc7c33..75eb56ddbb 100644 --- a/hw/core/loader.c +++ b/hw/core/loader.c @@ -338,6 +338,8 @@ const char *load_elf_strerror(int error) return "The image is from incompatible architecture"; case ELF_LOAD_WRONG_ENDIAN: return "The image has incorrect endianness"; + case ELF_LOAD_TOO_BIG: + return "The image segments are too big to load"; default: return "Unknown error"; } --=20 2.21.0