From owner-svn-src-stable-8@FreeBSD.ORG  Fri Mar 29 13:23:43 2013
Return-Path: <owner-svn-src-stable-8@FreeBSD.ORG>
Delivered-To: svn-src-stable-8@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115])
 by hub.freebsd.org (Postfix) with ESMTP id D1F23AAE;
 Fri, 29 Mar 2013 13:23:43 +0000 (UTC)
 (envelope-from tijl@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 by mx1.freebsd.org (Postfix) with ESMTP id B57C7319;
 Fri, 29 Mar 2013 13:23:43 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r2TDNhQT097356;
 Fri, 29 Mar 2013 13:23:43 GMT (envelope-from tijl@svn.freebsd.org)
Received: (from tijl@localhost)
 by svn.freebsd.org (8.14.6/8.14.5/Submit) id r2TDNhmi097355;
 Fri, 29 Mar 2013 13:23:43 GMT (envelope-from tijl@svn.freebsd.org)
Message-Id: <201303291323.r2TDNhmi097355@svn.freebsd.org>
From: Tijl Coosemans <tijl@FreeBSD.org>
Date: Fri, 29 Mar 2013 13:23:43 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject: svn commit: r248880 - stable/8/sys/kern
X-SVN-Group: stable-8
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-8@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for only the 8-stable src tree
 <svn-src-stable-8.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-stable-8>, 
 <mailto:svn-src-stable-8-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-8>
List-Post: <mailto:svn-src-stable-8@freebsd.org>
List-Help: <mailto:svn-src-stable-8-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-stable-8>, 
 <mailto:svn-src-stable-8-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2013 13:23:43 -0000

Author: tijl
Date: Fri Mar 29 13:23:43 2013
New Revision: 248880
URL: http://svnweb.freebsd.org/changeset/base/248880

Log:
  MFC r248256:
  
  - Fix two possible overflows when testing if ELF program headers are on
    the first page:
    1. Cast uint16_t operands in a multiplication to unsigned int because
       otherwise the implicit promotion to int results in a signed
       multiplication that can overflow and the behaviour on integer
       overflow is undefined.
    2. Replace (offset + size > PAGE_SIZE) with (size > PAGE_SIZE - offset)
       because the sum may overflow.
  - Use the same tests to see if the path to the interpreter is on the first
    page. There's no overflow here because size is already limited by
    MAXPATHLEN, but the compiler optimises the new tests better. Also fix an
    off-by-one error.
  - Simplify tests to see if an ELF note program header is on the first page.
    This also fixes an off-by-one error.
  
  Reviewed by:	kib

Modified:
  stable/8/sys/kern/imgact_elf.c
Directory Properties:
  stable/8/sys/   (props changed)
  stable/8/sys/kern/   (props changed)

Modified: stable/8/sys/kern/imgact_elf.c
==============================================================================
--- stable/8/sys/kern/imgact_elf.c	Fri Mar 29 13:17:34 2013	(r248879)
+++ stable/8/sys/kern/imgact_elf.c	Fri Mar 29 13:23:43 2013	(r248880)
@@ -629,9 +629,8 @@ __elfN(load_file)(struct proc *p, const 
 	}
 
 	/* Only support headers that fit within first page for now      */
-	/*    (multiplication of two Elf_Half fields will not overflow) */
 	if ((hdr->e_phoff > PAGE_SIZE) ||
-	    (hdr->e_phentsize * hdr->e_phnum) > PAGE_SIZE - hdr->e_phoff) {
+	    (u_int)hdr->e_phentsize * hdr->e_phnum > PAGE_SIZE - hdr->e_phoff) {
 		error = ENOEXEC;
 		goto fail;
 	}
@@ -713,7 +712,7 @@ __CONCAT(exec_, __elfN(imgact))(struct i
 	 */
 
 	if ((hdr->e_phoff > PAGE_SIZE) ||
-	    (hdr->e_phoff + hdr->e_phentsize * hdr->e_phnum) > PAGE_SIZE) {
+	    (u_int)hdr->e_phentsize * hdr->e_phnum > PAGE_SIZE - hdr->e_phoff) {
 		/* Only support headers in first page for now */
 		return (ENOEXEC);
 	}
@@ -732,8 +731,8 @@ __CONCAT(exec_, __elfN(imgact))(struct i
 		if (phdr[i].p_type == PT_INTERP) {
 			/* Path to interpreter */
 			if (phdr[i].p_filesz > MAXPATHLEN ||
-			    phdr[i].p_offset >= PAGE_SIZE ||
-			    phdr[i].p_offset + phdr[i].p_filesz >= PAGE_SIZE)
+			    phdr[i].p_offset > PAGE_SIZE ||
+			    phdr[i].p_filesz > PAGE_SIZE - phdr[i].p_offset)
 				return (ENOEXEC);
 			interp = imgp->image_header + phdr[i].p_offset;
 			interp_name_len = phdr[i].p_filesz;
@@ -1417,9 +1416,8 @@ __elfN(parse_notes)(struct image_params 
 	const char *note_name;
 	int i;
 
-	if (pnote == NULL || pnote->p_offset >= PAGE_SIZE ||
-	    pnote->p_filesz > PAGE_SIZE ||
-	    pnote->p_offset + pnote->p_filesz >= PAGE_SIZE)
+	if (pnote == NULL || pnote->p_offset > PAGE_SIZE ||
+	    pnote->p_filesz > PAGE_SIZE - pnote->p_offset)
 		return (FALSE);
 
 	note = note0 = (const Elf_Note *)(imgp->image_header + pnote->p_offset);