git: b5149b265346 - main - linker: Handle a truncated hints file properly
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 23 Oct 2024 22:13:20 UTC
The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=b5149b265346c55994c7ebaab2a6a6fd1bd6fe5e commit b5149b265346c55994c7ebaab2a6a6fd1bd6fe5e Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2024-10-23 16:54:56 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2024-10-23 22:12:45 +0000 linker: Handle a truncated hints file properly If vattr.va_size is 0, we will end up accessing invalid memory. This is mostly harmless (because malloc(0) still allocates some memory), but it triggers a KASAN report. PR: 282268 Reviewed by: christos, imp MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D47240 --- sys/kern/kern_linker.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sys/kern/kern_linker.c b/sys/kern/kern_linker.c index 3f34bb12aeaa..f388ac8a583a 100644 --- a/sys/kern/kern_linker.c +++ b/sys/kern/kern_linker.c @@ -2030,6 +2030,10 @@ linker_hints_lookup(const char *path, int pathlen, const char *modname, printf("linker.hints file too large %ld\n", (long)vattr.va_size); goto bad; } + if (vattr.va_size < sizeof(ival)) { + printf("linker.hints file truncated\n"); + goto bad; + } hints = malloc(vattr.va_size, M_TEMP, M_WAITOK); error = vn_rdwr(UIO_READ, nd.ni_vp, (caddr_t)hints, vattr.va_size, 0, UIO_SYSSPACE, IO_NODELOCKED, cred, NOCRED, &reclen, td);