8 Aug
2024
8 Aug
'24
10:24 p.m.
name_sz = READ_ONCE(nhdr->n_namesz);desc_sz = READ_ONCE(nhdr->n_descsz);new_offs = note_offs + sizeof(Elf32_Nhdr) + ALIGN(name_sz, 4) + ALIGN(desc_sz, 4);
Don't you need to check the name_sz and desc_sz overflows separately?
Otherwise name_sz could be ~0 and desc_sz small (or reversed) and the check below wouldn't trigger, but still bad things could happen.
if (new_offs <= note_offs /* overflow */ || new_offs > note_size)break;
-Andi