From b5149b265346c55994c7ebaab2a6a6fd1bd6fe5e Mon Sep 17 00:00:00 2001
From: Mark Johnston
Date: Wed, 23 Oct 2024 16:54:56 +0000
Subject: [PATCH] linker: Handle a truncated hints file properly

If vattr.va_size is 0, we will end up accessing invalid memory. This is mostly harmless (because malloc(0) still allocates some memory), but it triggers a KASAN report.

PR: 282268
Reviewed by: christos, imp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D47240
---
 sys/kern/kern_linker.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sys/kern/kern_linker.c b/sys/kern/kern_linker.c
index 3f34bb12aeaa..f388ac8a583a 100644
--- a/sys/kern/kern_linker.c
+++ b/sys/kern/kern_linker.c
@@ -2030,6 +2030,10 @@ linker_hints_lookup(const char *path, int pathlen, const char *modname,
 printf("linker.hints file too large %ld\n", (long)vattr.va_size);
 goto bad;
 }
+ if (vattr.va_size < sizeof(ival)) {
+ printf("linker.hints file truncated\n");
+ goto bad;
+ }
 hints = malloc(vattr.va_size, M_TEMP, M_WAITOK);
 error = vn_rdwr(UIO_READ, nd.ni_vp, (caddr_t)hints, vattr.va_size, 0,
 UIO_SYSSPACE, IO_NODELOCKED, cred, NOCRED, &reclen, td);
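Review bot: The added guard `if (vattr.va_size < sizeof(ival))` only guarantees that one `ival`-sized word fits in the buffer, so it covers the empty-file case from the commit message but not a file that is cut off further in. The code that parses `hints` after `vn_rdwr()` lies outside this hunk, so it cannot be confirmed here that every length taken from the file is checked against `vattr.va_size` before use; that is worth verifying, because this parser runs in the kernel on file contents. A short comment above the check would record the intent, for example `/* Need at least the leading word, presumably the one later read into ival. */`. The message could also carry the size, as the one above it does: `printf("linker.hints file truncated %ld\n", (long)vattr.va_size);`. `linker_hints_lookup()` starts and ends outside the hunk.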