fix potential undefined behavior condition

Fixed an unchecked arithmetic operation that could cause
undefined behavior. Attempting to load a malformed ELF
kernel image which contains a large enough entry address
in the ELF header, or a valid ELF image at a large enough
offset in guest memory, can lead to arithmetic overflow,
causing the result to wrap around. The result is meant to
be used as the value for the instruction pointer where the
guest will start booting from. This can result in the guest
executing code from undefined locations in guest memory
when the vCPUs start.

Signed-off-by: Alexandra Iordache <[email protected]>

Author: Alexandra Iordache

src/loader/x86_64/elf/mod.rs

@@ -223,7 +223,12 @@ impl KernelLoader for Elf {
 
         // Address where the kernel will be loaded.
         loader_result.kernel_load = match kernel_offset {
-            Some(k_offset) => GuestAddress(k_offset.raw_value() + (ehdr.e_entry as u64)),
+            Some(k_offset) => GuestAddress(
+                k_offset
+                    .raw_value()
+                    .checked_add(ehdr.e_entry as u64)
+                    .ok_or(Error::Overflow)?,
+            ),
             None => GuestAddress(ehdr.e_entry as u64),
         };
 
@@ -566,4 +571,20 @@ mod tests {
             Elf::load(&gm, None, &mut Cursor::new(&bad_align_image), None).err()
         );
     }
+
+    #[test]
+    fn test_overflow_loadaddr() {
+        let gm = create_guest_mem();
+        let image = make_elf_bin();
+        assert_eq!(
+            Some(KernelLoaderError::Elf(Error::Overflow)),
+            Elf::load(
+                &gm,
+                Some(GuestAddress(u64::MAX)),
+                &mut Cursor::new(&image),
+                None
+            )
+            .err()
+        );
+    }
 }