Commit 04d0fed1 authored Feb 21, 2025 by Dan Carpenter Committed by Tengda Wu Feb 21, 2025

binfmt_flat: Fix integer overflow bug on 32 bit systems

stable inclusion
from stable-v6.6.78
commit d17ca8f2dfcf423c439859995910a20e38b86f00
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IBNTYM

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d17ca8f2dfcf423c439859995910a20e38b86f00



--------------------------------

commit 55cf2f4b945f6a6416cc2524ba740b83cc9af25a upstream.

Most of these sizes and counts are capped at 256MB so the math doesn't
result in an integer overflow.  The "relocs" count needs to be checked
as well.  Otherwise on 32bit systems the calculation of "full_data"
could be wrong.

	full_data = data_len + relocs * sizeof(unsigned long);

Fixes: c995ee28 ("binfmt_flat: prevent kernel dammage from corrupted executable headers")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Acked-by: Nicolas Pitre <npitre@baylibre.com>
Link: https://lore.kernel.org/r/5be17f6c-5338-43be-91ef-650153b975cb@stanley.mountain


Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tengda Wu <wutengda2@huawei.com>

parent 7925d525

fs/binfmt_flat.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -478,7 +478,7 @@ static int load_flat_file(struct linux_binprm *bprm,
		* 28 bits (256 MB) is way more than reasonable in this case.
		* If some top bits are set we have probable binary corruption.
		*/
		if ((text_len \| data_len \| bss_len \| stack_len \| full_data) >> 28) {
		if ((text_len \| data_len \| bss_len \| stack_len \| relocs \| full_data) >> 28) {
		pr_err("bad header\n");
		ret = -ENOEXEC;
		goto err;