From 1655f5846115c6ce0ef194e22e1879701db80df0 Mon Sep 17 00:00:00 2001
From: Tulio A M Mendes
Date: Tue, 26 May 2026 01:52:46 -0300
Subject: [PATCH] security: fix ELF loader p_filesz > p_memsz validation (C1)

---
 src/arch/x86/elf.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/arch/x86/elf.c b/src/arch/x86/elf.c
index 28842655..cbba992f 100644
--- a/src/arch/x86/elf.c
+++ b/src/arch/x86/elf.c
@@ -144,6 +144,16 @@ static int elf32_load_segments(const uint8_t* file, uint32_t file_len,
 if ((uint64_t)ph[i].p_offset + (uint64_t)ph[i].p_filesz > (uint64_t)file_len)
 return -EINVAL;
+ /* Reject p_filesz > p_memsz - would write beyond mapped region */
+ if (ph[i].p_filesz > ph[i].p_memsz)
+ return -EINVAL;
+
+ /* Validate p_align is power of 2 and reasonable */
+ if (ph[i].p_align == 0 || (ph[i].p_align & (ph[i].p_align - 1)) != 0)
+ return -EINVAL;
+ if (ph[i].p_align > 0x10000) /* Max 64KB alignment */
+ return -EINVAL;
+
 /* Map as RW initially so we can write segment data.
 * Final permissions are applied by elf32_reprotect_segments
 * after relocations are processed. */
-- 
2.43.0
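Review bot: The `p_align == 0` rejection in the new alignment check can refuse well-formed binaries, because the ELF specification treats p_align values 0 and 1 identically as "no alignment constraint"; `if (ph[i].p_align > 1 && (ph[i].p_align & (ph[i].p_align - 1)) != 0)` keeps the power-of-two test without excluding them. If this loop also visits non-PT_LOAD entries (the loop header and any segment-type dispatch are outside the hunk), a PT_NULL entry with all-zero fields would now fail the load as well, so the alignment check presumably belongs under the loadable-segment case only. The p_filesz/p_memsz comparison is the right fix, but nothing visible here bounds `(uint64_t)ph[i].p_vaddr + ph[i].p_memsz` against 32-bit wraparound or the loader's permitted address range — if that is not done elsewhere in elf32_load_segments, a p_memsz near UINT32_MAX still reaches the mapping code with a wrapped end address. For loadable segments the specification also requires `p_vaddr % p_align == p_offset % p_align`, which a mapper that relies on page-congruent file offsets would want verified in the same place. The enclosing function starts and ends outside the hunk.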