diff options
author | Alexey Dobriyan <adobriyan@gmail.com> | 2019-03-07 16:28:56 -0800 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2019-03-07 18:32:01 -0800 |
commit | faf1c3152032275370f35dc757501ae0c47ded53 (patch) | |
tree | e1475c6f6c72d43053927fb430894d0157a155e3 /fs/binfmt_elf.c | |
parent | a218cc4914209ac14476cb32769b31a556355b22 (diff) | |
download | lwn-faf1c3152032275370f35dc757501ae0c47ded53.tar.gz lwn-faf1c3152032275370f35dc757501ae0c47ded53.zip |
fs/binfmt_elf.c: don't be afraid of overflow
Number of ELF program headers is 16-bit by spec, so total size
comfortably fits into "unsigned int".
Space savings: 7 bytes!
add/remove: 0/0 grow/shrink: 0/1 up/down: 0/-7 (-7)
Function old new delta
load_elf_phdrs 137 130 -7
Link: http://lkml.kernel.org/r/20190204202715.GA27482@avx2
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/binfmt_elf.c')
-rw-r--r-- | fs/binfmt_elf.c | 9 |
1 files changed, 3 insertions, 6 deletions
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 54207327f98f..fd4b618c412e 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -418,8 +418,9 @@ static struct elf_phdr *load_elf_phdrs(struct elfhdr *elf_ex, struct file *elf_file) { struct elf_phdr *elf_phdata = NULL; - int retval, size, err = -1; + int retval, err = -1; loff_t pos = elf_ex->e_phoff; + unsigned int size; /* * If the size of this structure has changed, then punt, since @@ -429,13 +430,9 @@ static struct elf_phdr *load_elf_phdrs(struct elfhdr *elf_ex, goto out; /* Sanity check the number of program headers... */ - if (elf_ex->e_phnum < 1 || - elf_ex->e_phnum > 65536U / sizeof(struct elf_phdr)) - goto out; - /* ...and their total size. */ size = sizeof(struct elf_phdr) * elf_ex->e_phnum; - if (size > ELF_MIN_ALIGN) + if (size == 0 || size > 65536 || size > ELF_MIN_ALIGN) goto out; elf_phdata = kmalloc(size, GFP_KERNEL); |