From 41a2635124117d1fac7e45b3cafa2c1ac68417fd Mon Sep 17 00:00:00 2001 From: Stefano Garzarella Date: Tue, 10 Sep 2019 16:22:23 +0200 Subject: elf-ops.h: fix int overflow in load_elf() This patch fixes a possible integer overflow when we calculate the total size of ELF segments loaded. Reported-by: Coverity (CID 1405299) Reviewed-by: Alex Bennée Signed-off-by: Stefano Garzarella Message-Id: <20190910124828.39794-1-sgarzare@redhat.com> Signed-off-by: Paolo Bonzini --- include/hw/elf_ops.h | 5 +++++ include/hw/loader.h | 1 + 2 files changed, 6 insertions(+) (limited to 'include') diff --git a/include/hw/elf_ops.h b/include/hw/elf_ops.h index 1496d7e753..e07d276df7 100644 --- a/include/hw/elf_ops.h +++ b/include/hw/elf_ops.h @@ -485,6 +485,11 @@ static int glue(load_elf, SZ)(const char *name, int fd, } } + if (mem_size > INT_MAX - total_size) { + ret = ELF_LOAD_TOO_BIG; + goto fail; + } + /* address_offset is hack for kernel images that are linked at the wrong physical address. */ if (translate_fn) { diff --git a/include/hw/loader.h b/include/hw/loader.h index 07fd9286e7..48a96cd559 100644 --- a/include/hw/loader.h +++ b/include/hw/loader.h @@ -89,6 +89,7 @@ int load_image_gzipped(const char *filename, hwaddr addr, uint64_t max_sz); #define ELF_LOAD_NOT_ELF -2 #define ELF_LOAD_WRONG_ARCH -3 #define ELF_LOAD_WRONG_ENDIAN -4 +#define ELF_LOAD_TOO_BIG -5 const char *load_elf_strerror(int error); /** load_elf_ram_sym: -- cgit v1.2.3-55-g7522