In gen-vdso we load in a file and assume it's a valid ELF file.  In
particular we assume it's big enough to be able to read the ELF
information in e_ident in the ELF header.

Add a check that the total file length is at least big enough for all
the e_ident bytes, which is good enough for the code in gen-vdso.c.
This will catch the most obvious possible bad input file (truncated)
and allow us to run the sanity checks like "not actually an ELF file"
without potentially crashing.

The code in elf32_process() and elf64_process() still makes
assumptions about the file being well-formed, but this is OK because
we only run it on the vdso binaries that we create ourselves in the
build process by running the compiler.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
Hardening all of elf*_process() seems like overkill, but this is
an easy check to add.
---
 linux-user/gen-vdso.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/linux-user/gen-vdso.c b/linux-user/gen-vdso.c
index 1c406d1b10f..aeaa927db8f 100644
--- a/linux-user/gen-vdso.c
+++ b/linux-user/gen-vdso.c
@@ -124,6 +124,11 @@ int main(int argc, char **argv)
         goto perror_inf;
     }
 
+    if (total_len < EI_NIDENT) {
+        fprintf(stderr, "%s: file too small (truncated?)\n", inf_name);
+        return EXIT_FAILURE;
+    }
+
     buf = malloc(total_len);
     if (buf == NULL) {
         goto perror_inf;
-- 
2.43.0

On Thu, 10 Jul 2025 at 18:07, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> In gen-vdso we load in a file and assume it's a valid ELF file.  In
> particular we assume it's big enough to be able to read the ELF
> information in e_ident in the ELF header.
>
> Add a check that the total file length is at least big enough for all
> the e_ident bytes, which is good enough for the code in gen-vdso.c.
> This will catch the most obvious possible bad input file (truncated)
> and allow us to run the sanity checks like "not actually an ELF file"
> without potentially crashing.
>
> The code in elf32_process() and elf64_process() still makes
> assumptions about the file being well-formed, but this is OK because
> we only run it on the vdso binaries that we create ourselves in the
> build process by running the compiler.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> Hardening all of elf*_process() seems like overkill, but this is
> an easy check to add.

Subject line should say "read off the end", of course.

-- PMM

On 7/10/25 11:07, Peter Maydell wrote:
> In gen-vdso we load in a file and assume it's a valid ELF file.  In
> particular we assume it's big enough to be able to read the ELF
> information in e_ident in the ELF header.
> 
> Add a check that the total file length is at least big enough for all
> the e_ident bytes, which is good enough for the code in gen-vdso.c.
> This will catch the most obvious possible bad input file (truncated)
> and allow us to run the sanity checks like "not actually an ELF file"
> without potentially crashing.
> 
> The code in elf32_process() and elf64_process() still makes
> assumptions about the file being well-formed, but this is OK because
> we only run it on the vdso binaries that we create ourselves in the
> build process by running the compiler.
> 
> Signed-off-by: Peter Maydell<peter.maydell@linaro.org>
> ---
> Hardening all of elf*_process() seems like overkill, but this is
> an easy check to add.
> ---
>   linux-user/gen-vdso.c | 5 +++++
>   1 file changed, 5 insertions(+)

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

r~