elf-ops.h: fix int overflow in load_elf()

This patch fixes a possible integer overflow when we calculate the total size of ELF segments loaded. Reported-by: Coverity (CID 1405299) Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Message-Id: <20190910124828.39794-1-sgarzare@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
author: Stefano Garzarella <sgarzare@redhat.com> 2019-09-10 16:22:23 +0200
committer: Paolo Bonzini <pbonzini@redhat.com> 2019-09-16 12:32:21 +0200
commit: 41a2635124117d1fac7e45b3cafa2c1ac68417fd (patch)
tree: 9672ab00b04fc3e7720aeb1a99574b883bb6f87a /include/hw/elf_ops.h
parent: 709ebb905491258676776c78ca38a61563e59aac (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/include/hw/elf_ops.h b/include/hw/elf_ops.h
index 1496d7e753..e07d276df7 100644
--- a/include/hw/elf_ops.h
+++ b/include/hw/elf_ops.h
@@ -485,6 +485,11 @@ static int glue(load_elf, SZ)(const char *name, int fd,
                 }
             }
 
+            if (mem_size > INT_MAX - total_size) {
+                ret = ELF_LOAD_TOO_BIG;
+                goto fail;
+            }
+
             /* address_offset is hack for kernel images that are
                linked at the wrong physical address.  */
             if (translate_fn) {
author	Stefano Garzarella <sgarzare@redhat.com>	2019-09-10 16:22:23 +0200
committer	Paolo Bonzini <pbonzini@redhat.com>	2019-09-16 12:32:21 +0200
commit	41a2635124117d1fac7e45b3cafa2c1ac68417fd (patch)
tree	9672ab00b04fc3e7720aeb1a99574b883bb6f87a /include/hw/elf_ops.h
parent	709ebb905491258676776c78ca38a61563e59aac (diff)