git: b5149b265346 - main - linker: Handle a truncated hints file properly

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Wed, 23 Oct 2024 22:13:20 UTC
The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=b5149b265346c55994c7ebaab2a6a6fd1bd6fe5e

commit b5149b265346c55994c7ebaab2a6a6fd1bd6fe5e
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-10-23 16:54:56 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-10-23 22:12:45 +0000

    linker: Handle a truncated hints file properly
    
    If vattr.va_size is 0, we will end up accessing invalid memory.  This is
    mostly harmless (because malloc(0) still allocates some memory), but it
    triggers a KASAN report.
    
    PR:             282268
    Reviewed by:    christos, imp
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D47240
---
 sys/kern/kern_linker.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sys/kern/kern_linker.c b/sys/kern/kern_linker.c
index 3f34bb12aeaa..f388ac8a583a 100644
--- a/sys/kern/kern_linker.c
+++ b/sys/kern/kern_linker.c
@@ -2030,6 +2030,10 @@ linker_hints_lookup(const char *path, int pathlen, const char *modname,
 		printf("linker.hints file too large %ld\n", (long)vattr.va_size);
 		goto bad;
 	}
+	if (vattr.va_size < sizeof(ival)) {
+		printf("linker.hints file truncated\n");
+		goto bad;
+	}
 	hints = malloc(vattr.va_size, M_TEMP, M_WAITOK);
 	error = vn_rdwr(UIO_READ, nd.ni_vp, (caddr_t)hints, vattr.va_size, 0,
 	    UIO_SYSSPACE, IO_NODELOCKED, cred, NOCRED, &reclen, td);
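Review bot: The added `printf("linker.hints file truncated\n")` omits the size, while the "too large" message directly above it prints `(long)vattr.va_size`, so the log cannot distinguish an empty hints file from a short one; consider printing the size here as well. The guard also only guarantees that `sizeof(ival)` bytes are present, so the parsing that follows the `vn_rdwr()` call, which is not visible in this hunk, still has to bound every later access against the end of the `hints` buffer. A one-line comment stating what the first `sizeof(ival)` bytes hold would document why that value is the minimum.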