libkmod: Avoid OOB with huge ELF files

On 32 bit systems it is possible to trigger an out of boundary write with excessively huge ELF files. The calculation of required memory for char pointer vector and strings might overflow, leading to an allocation which is too small. Subsequent memcpy leads to an out of boundary write. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com> Link: https://github.com/kmod-project/kmod/pull/149 Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
2026-01-26 07:37:54 +00:00 · 2024-09-23 21:22:00 +02:00 · 2024-09-23 21:22:00 +02:00 · a31b8ecd5d
commit a31b8ecd5d
parent 9626e13572
1 changed files with 9 additions and 1 deletions
--- a/libkmod/libkmod-elf.c
+++ b/libkmod/libkmod-elf.c
@ -6,6 +6,7 @@
 #include <assert.h>
 #include <elf.h>
 #include <errno.h>
+#include <limits.h>
 #include <stdlib.h>
 #include <string.h>

@ -428,6 +429,7 @@ int kmod_elf_get_section(const struct kmod_elf *elf, const char *section,
 int kmod_elf_get_strings(const struct kmod_elf *elf, const char *section, char ***array)
 {
 	size_t i, j, count;
+	size_t vecsz;
 	uint64_t size;
 	const void *buf;
 	const char *strings;
@ -468,7 +470,13 @@ int kmod_elf_get_strings(const struct kmod_elf *elf, const char *section, char *
 	if (strings[i - 1] != '\0')
 		count++;

-	*array = a = malloc(size + 1 + sizeof(char *) * (count + 1));
+	/* make sure that vector and strings fit into memory constraints */
+	vecsz = sizeof(char *) * (count + 1);
+	if (SIZE_MAX / sizeof(char *) - 1 < count || SIZE_MAX - size <= vecsz) {
+		return -ENOMEM;
+	}
+
+	*array = a = malloc(vecsz + size + 1);
 	if (*array == NULL)
 		return -errno;