ldelf: check against section headers size overflow

Adds a check in copy_section_headers() to guard against overflow in the e_shnum * e_shentsize multiplication. Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de> Reported-by: Martijn Bogaard <martijn@riscure.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
author: Jens Wiklander <jens.wiklander@linaro.org> 2020-03-04 11:39:18 +0100
committer: Jérôme Forissier <jerome@forissier.org> 2020-03-06 10:42:04 +0100
commit: cfd9b9f7e8ff6baa705a66dc9c56fd2941079cd6 (patch)
tree: 211825063725acef847de4555ba9c953b85a6179 /ldelf
parent: 5c0860db3f473f43b18f0ec6c84ff020b6bb85b4 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/ldelf/ta_elf.c b/ldelf/ta_elf.c
index 93208809..d42bf07d 100644
--- a/ldelf/ta_elf.c
+++ b/ldelf/ta_elf.c
@@ -815,9 +815,12 @@ static void add_dependencies(struct ta_elf *elf)
 static void copy_section_headers(struct ta_elf *elf)
 {
 	TEE_Result res = TEE_SUCCESS;
-	size_t sz = elf->e_shnum * elf->e_shentsize;
+	size_t sz = 0;
 	size_t offs = 0;
 
+	if (MUL_OVERFLOW(elf->e_shnum, elf->e_shentsize, &sz))
+		err(TEE_ERROR_BAD_FORMAT, "Shdr size overflow");
+
 	elf->shdr = malloc(sz);
 	if (!elf->shdr)
 		err(TEE_ERROR_OUT_OF_MEMORY, "malloc");
author	Jens Wiklander <jens.wiklander@linaro.org>	2020-03-04 11:39:18 +0100
committer	Jérôme Forissier <jerome@forissier.org>	2020-03-06 10:42:04 +0100
commit	cfd9b9f7e8ff6baa705a66dc9c56fd2941079cd6 (patch)
tree	211825063725acef847de4555ba9c953b85a6179 /ldelf
parent	5c0860db3f473f43b18f0ec6c84ff020b6bb85b4 (diff)