security: fix ELF loader p_filesz > p_memsz validation (C1)
authorTulio A M Mendes <[email protected]>
Tue, 26 May 2026 04:52:46 +0000 (01:52 -0300)
committerTulio A M Mendes <[email protected]>
Wed, 3 Jun 2026 04:02:35 +0000 (01:02 -0300)
src/arch/x86/elf.c

index 288426552261eadcc80857e6d47ad2f67e0eec64..cbba992f087e8b8bed7ab6027c5bbd1237b229aa 100644 (file)
@@ -144,6 +144,16 @@ static int elf32_load_segments(const uint8_t* file, uint32_t file_len,
         if ((uint64_t)ph[i].p_offset + (uint64_t)ph[i].p_filesz > (uint64_t)file_len)
             return -EINVAL;
 
+        /* Reject p_filesz > p_memsz - would write beyond mapped region */
+        if (ph[i].p_filesz > ph[i].p_memsz)
+            return -EINVAL;
+
+        /* Validate p_align is power of 2 and reasonable */
+        if (ph[i].p_align == 0 || (ph[i].p_align & (ph[i].p_align - 1)) != 0)
+            return -EINVAL;
+        if (ph[i].p_align > 0x10000) /* Max 64KB alignment */
+            return -EINVAL;
+
         /* Map as RW initially so we can write segment data.
          * Final permissions are applied by elf32_reprotect_segments
          * after relocations are processed. */
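Review bot: The new alignment check rejects `p_align == 0`, but the ELF spec defines both 0 and 1 as "no alignment required", so a well-formed object can now be refused; loosen the power-of-two test to `if (ph[i].p_align > 1 && (ph[i].p_align & (ph[i].p_align - 1)) != 0)` (and, if the mapping code later rounds with p_align, normalise 0 to 1 before it is used). The check that the spec actually imposes on PT_LOAD is also still missing: p_vaddr and p_offset must be congruent modulo p_align, which is what a loader relies on when it maps the file-backed part of the segment, so add `if (ph[i].p_align > 1 && (ph[i].p_vaddr % ph[i].p_align) != (ph[i].p_offset % ph[i].p_align)) return -EINVAL;` next to the new alignment checks. The 64 KB cap is reasonable for i386 toolchain output but is a policy choice worth noting in the comment, e.g. `/* Cap p_align: larger values would force huge mapping granularity; i386 ld emits 0x1000 */`. elf32_load_segments starts before and its loop body continues past this hunk, so whether p_vaddr + p_memsz is checked for overflow and for staying inside the user address range cannot be seen here and should be confirmed.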