fix potential hang condition in Elf::load

Alexandra Iordache · Samuel Ortiz · commit d72752a53d1e · 2021-02-25T10:26:46.000+01:00
Fixed an unchecked arithmetic operation that could cause a
hang. Attempting to load a malformed ELF kernel image which
contains large enough numbers in the `n_namesz` and
`n_descsz` fields of ELFNOTE headers can lead to arithmetic
overflow, causing the `read_size` accumulator to wrap around
and never exceed the maximum size condition of a while loop.

Signed-off-by: Alexandra Iordache &lt;aghecen@amazon.com&gt;
Signed-off-by: Andreea Florescu &lt;fandree@amazon.com&gt;
diff --git a/src/loader/x86_64/elf/mod.rs b/src/loader/x86_64/elf/mod.rs
@@ -44,6 +44,8 @@ pub enum Error {
     InvalidProgramHeaderAddress,
     /// Invalid entry address.
     InvalidEntryAddress,
+    /// Overflow occurred during an arithmetic operation.
+    Overflow,
     /// Unable to read ELF header.
     ReadElfHeader,
     /// Unable to read kernel image.
@@ -76,6 +78,7 @@ impl fmt::Display for Error {
             Error::InvalidProgramHeaderOffset => "Invalid program header offset",
             Error::InvalidProgramHeaderAddress => "Invalid Program Header Address",
             Error::InvalidEntryAddress => "Invalid entry address",
+            Error::Overflow => "Overflow occurred during an arithmetic operation",
             Error::ReadElfHeader => "Unable to read elf header",
             Error::ReadKernelImage => "Unable to read kernel image",
             Error::ReadProgramHeader => "Unable to read program header",
@@ -335,9 +338,13 @@ where
         }
 
         // Skip the note header plus the size of its fields (with alignment).
-        read_size += nhdr_sz
-            + align_up(u64::from(nhdr.n_namesz), n_align)?
-            + align_up(u64::from(nhdr.n_descsz), n_align)?;
+        let namesz_aligned = align_up(u64::from(nhdr.n_namesz), n_align)?;
+        let descsz_aligned = align_up(u64::from(nhdr.n_descsz), n_align)?;
+        read_size = read_size
+            .checked_add(nhdr_sz)
+            .and_then(|read_size| read_size.checked_add(namesz_aligned))
+            .and_then(|read_size| read_size.checked_add(descsz_aligned))
+            .ok_or(Error::Overflow)?;
 
         kernel_image
             .seek(SeekFrom::Start(phdr.p_offset + read_size as u64))
