git: b541e44b7c30 - stable/12 - ldd: guard against stack overflow reading corrupted files.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 19 Oct 2022 21:10:11 UTC
The branch stable/12 has been updated by sjg: URL: https://cgit.FreeBSD.org/src/commit/?id=b541e44b7c30d56b445dd91c8e03cc11488faf48 commit b541e44b7c30d56b445dd91c8e03cc11488faf48 Author: Simon J. Gerraty <sjg@FreeBSD.org> AuthorDate: 2022-10-19 21:08:43 +0000 Commit: Simon J. Gerraty <sjg@FreeBSD.org> CommitDate: 2022-10-19 21:08:43 +0000 ldd: guard against stack overflow reading corrupted files. Reviewed by: imp, emaste Reported by: UK National Cyber Security Centre (NCSC) Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D37010 --- usr.bin/ldd/ldd.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/usr.bin/ldd/ldd.c b/usr.bin/ldd/ldd.c index d237850be765..7db8875ed2e3 100644 --- a/usr.bin/ldd/ldd.c +++ b/usr.bin/ldd/ldd.c @@ -335,6 +335,10 @@ is_executable(const char *fname, int fd, int *is_shlib, int *type) warnx("%s: header too short", fname); return (0); } + if (hdr.elf32.e_phentsize != sizeof(phdr32)) { + warnx("%s: corrupt header", fname); + return (0); + } for (i = 0; i < hdr.elf32.e_phnum; i++) { if (read(fd, &phdr32, hdr.elf32.e_phentsize) != sizeof(phdr32)) { @@ -403,6 +407,10 @@ is_executable(const char *fname, int fd, int *is_shlib, int *type) warnx("%s: header too short", fname); return (0); } + if (hdr.elf.e_phentsize != sizeof(phdr)) { + warnx("%s: corrupt header", fname); + return (0); + } for (i = 0; i < hdr.elf.e_phnum; i++) { if (read(fd, &phdr, hdr.elf.e_phentsize) != sizeof(phdr)) {