The branch stable/12 has been updated by sjg:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=b541e44b7c30d56b445dd91c8e03cc11488faf48

commit b541e44b7c30d56b445dd91c8e03cc11488faf48
Author:     Simon J. Gerraty <s...@freebsd.org>
AuthorDate: 2022-10-19 21:08:43 +0000
Commit:     Simon J. Gerraty <s...@freebsd.org>
CommitDate: 2022-10-19 21:08:43 +0000

    ldd: guard against stack overflow reading corrupted files.
    
    Reviewed by:    imp, emaste
    Reported by:    UK National Cyber Security Centre (NCSC)
    Sponsored by:   Juniper Networks, Inc.
    Differential Revision:  https://reviews.freebsd.org/D37010
---
 usr.bin/ldd/ldd.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/usr.bin/ldd/ldd.c b/usr.bin/ldd/ldd.c
index d237850be765..7db8875ed2e3 100644
--- a/usr.bin/ldd/ldd.c
+++ b/usr.bin/ldd/ldd.c
@@ -335,6 +335,10 @@ is_executable(const char *fname, int fd, int *is_shlib, 
int *type)
                        warnx("%s: header too short", fname);
                        return (0);
                }
+               if (hdr.elf32.e_phentsize != sizeof(phdr32)) {
+                       warnx("%s: corrupt header", fname);
+                       return (0);
+               }
                for (i = 0; i < hdr.elf32.e_phnum; i++) {
                        if (read(fd, &phdr32, hdr.elf32.e_phentsize) !=
                            sizeof(phdr32)) {
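Review bot: The `read()` at the end of this hunk still takes its length from the file-controlled `hdr.elf32.e_phentsize`, so the write into `phdr32` is bounded only while the new guard stays directly above it. Passing the destination size instead, `read(fd, &phdr32, sizeof(phdr32))`, keeps the bound independent of the header, and the guard then serves only to reject malformed files. The same applies to the second hunk, where the call would become `read(fd, &phdr, sizeof(phdr))`. A short comment on each guard, for example `/* e_phentsize is read from the file and used as the read() length below */`, would record why the check exists. The loop body and the rest of is_executable lie outside the hunk.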
@@ -403,6 +407,10 @@ is_executable(const char *fname, int fd, int *is_shlib, 
int *type)
                        warnx("%s: header too short", fname);
                        return (0);
                }
+               if (hdr.elf.e_phentsize != sizeof(phdr)) {
+                       warnx("%s: corrupt header", fname);
+                       return (0);
+               }
                for (i = 0; i < hdr.elf.e_phnum; i++) {
                        if (read(fd, &phdr, hdr.elf.e_phentsize)
                           != sizeof(phdr)) {
