On Thu, Aug 8, 2024 at 3:24 PM Andi Kleen <ak@linux.intel.com> wrote:
> > name_sz = READ_ONCE(nhdr->n_namesz);
> > desc_sz = READ_ONCE(nhdr->n_descsz);
> > new_offs = note_offs + sizeof(Elf32_Nhdr) + ALIGN(name_sz, 4) + ALIGN(desc_sz, 4);
>
> Don't you need to check the name_sz and desc_sz overflows separately?
> Otherwise name_sz could be ~0 and desc_sz small (or reversed) and the check below wouldn't trigger, but still bad things could happen.

Yes, both sizes are full u32, so yes, they could technically both overflow, resulting in a final non-overflowed new_offs. I'll switch the additions to be done step by step.

> > if (new_offs <= note_offs /* overflow */ || new_offs > note_size)
> >     break;
>
> -Andi
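An added example, not code from this thread or from the kernel patch under review, contrasting the single-expression check quoted above with the step-by-step form the reply promises. `Elf32_Nhdr`, `ALIGN4`, `add_checked` and the two `note_fits_*` functions are local stand-ins for the kernel's definitions, and the sizes fed in are constructed to show both aligned sizes wrapping while `new_offs` still lands inside the note area.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-in for the kernel's Elf32_Nhdr: three u32 fields, 12 bytes. */
typedef struct { uint32_t n_namesz, n_descsz, n_type; } Elf32_Nhdr;

/* Stand-in for ALIGN(x, 4); like the kernel macro it wraps for x > 0xFFFFFFFC. */
#define ALIGN4(x) (((x) + 3u) & ~3u)

/* Form quoted in the thread: sum everything, then test for wrap-around once.
 * All arithmetic is forced to u32 so it behaves like the kernel's u32 new_offs. */
static bool note_fits_combined(uint32_t note_offs, uint32_t note_size,
                               uint32_t name_sz, uint32_t desc_sz)
{
    uint32_t new_offs = note_offs + (uint32_t)sizeof(Elf32_Nhdr)
                      + ALIGN4(name_sz) + ALIGN4(desc_sz);
    if (new_offs <= note_offs /* overflow */ || new_offs > note_size)
        return false;
    return true;
}

/* a + b with the wrap detected before it happens. */
static bool add_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (b > UINT32_MAX - a)
        return false;
    *out = a + b;
    return true;
}

/* Step-by-step form: each addition is checked, so two wraps cannot cancel. */
static bool note_fits_stepwise(uint32_t note_offs, uint32_t note_size,
                               uint32_t name_sz, uint32_t desc_sz)
{
    uint32_t off = note_offs;

    /* ALIGN4 itself wraps for these values, so reject them before rounding. */
    if (name_sz > UINT32_MAX - 3u || desc_sz > UINT32_MAX - 3u)
        return false;
    if (!add_checked(off, (uint32_t)sizeof(Elf32_Nhdr), &off))
        return false;
    if (!add_checked(off, ALIGN4(name_sz), &off))
        return false;
    if (!add_checked(off, ALIGN4(desc_sz), &off))
        return false;
    return off <= note_size;
}
```

With note_offs 0x20 and note_size 0x40, a name size of 0xFFFFFFF0 plus a desc size of 0x20 sums to 0x3C after wrapping, which the combined check accepts and the stepwise check rejects.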