From patchwork Wed Dec 4 12:07:15 2024
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 13893638
Date: Wed, 4 Dec 2024 15:07:15 +0300
From: Dan Carpenter
To: Nicolas Pitre
Cc: Alexander Viro, Christian Brauner, Jan Kara, Kees Cook, Eric Biederman, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH] binfmt_flat: Fix integer overflow bug on 32 bit systems
Message-ID: <5be17f6c-5338-43be-91ef-650153b975cb@stanley.mountain>

Most of these sizes and counts are capped at 256MB so the math doesn't
result in an integer overflow. The "relocs" count needs to be checked
as well. Otherwise on 32bit systems the calculation of "full_data"
could be wrong.

	full_data = data_len + relocs * sizeof(unsigned long);

Fixes: c995ee28d29d ("binfmt_flat: prevent kernel dammage from corrupted executable headers")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter
---
 fs/binfmt_flat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c index 390808ce935d..b5b5ca1a44f7 100644 --- a/fs/binfmt_flat.c +++ b/fs/binfmt_flat.c
@@ -478,7 +478,7 @@ static int load_flat_file(struct linux_binprm *bprm, * 28 bits (256 MB) is way more than reasonable in this case. * If some top bits are set we have probable binary corruption. */ - if ((text_len | data_len | bss_len | stack_len | full_data) >> 28) { + if ((text_len | data_len | bss_len | stack_len | relocs | full_data) >> 28) { pr_err("bad header\n"); ret = -ENOEXEC; goto err;
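
Review bot: The comment above the changed condition in load_flat_file() still only says that 28 bits is more than reasonable; it does not explain why relocs has to sit in the OR next to full_data. Because full_data is derived from relocs (full_data = data_len + relocs * sizeof(unsigned long), per the commit message), a large relocs on 32-bit can wrap full_data to a small value that passes the >> 28 test by itself, so the relocs term is what makes the check sound. Consider adding a sentence to that comment saying so, so the term is not later dropped as redundant. With relocs and data_len both below 1 << 28 and a 4-byte unsigned long, the sum stays below 1 << 31, so the bound is sufficient as written.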