OpenBIOS ELF Loader Buffer Overflow
Continuing to look at OpenBIOS. Here is a classic integer overflow leading to a heap based buffer overflow. nhdr->n_descsz is 32-bits. So we on x86 (32-bit), if we make it UINT_MAX, we cause ob_malloc to allocate 0 bytes. This returns a pointer. The memcpy causes memory corruption. Even if ob_calloc returned NULL, there is no error checking. if (nhdr->n_namesz==sizeof(ELF_NOTE_BOOT) && memcmp(name, ELF_NOTE_BOOT, sizeof(ELF_NOTE_BOOT))==0) { if (nhdr->n_type == EIN_PROGRAM_NAME) { image_name = ob_calloc(1, nhdr->n_descsz + 1); memcpy(image_name, desc, nhdr->n_descsz); } And to see what ob_calloc does: static void *ob_calloc(size_t nmemb, size_t size) { size_t alloc_size = nmemb * size; void *mem; if (alloc_size < nmemb || alloc_size < size) { printf("calloc overflow: %u, %u\n", nmemb, size); return NULL; }