From 01fc56b28fa59106683a49562b8b182cc3eac835 Mon Sep 17 00:00:00 2001
From: Alex Zenla
Date: Tue, 30 Jun 2026 11:38:45 -0700
Subject: [PATCH 1/2] fix(signature): prevent underflow panic on malformed signatures

The bounds check omitted the header size, so a crafted signature length could pass validation and underflow the slice offsets.
---
 src/signature/raw.rs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/signature/raw.rs b/src/signature/raw.rs
index d852095..65963b5 100644
--- a/src/signature/raw.rs
+++ b/src/signature/raw.rs
@@ -67,8 +67,10 @@ impl RawKernelObjectSignature {
 let header = bytemuck::try_pod_read_unaligned::(header)
 .map_err(Error::DataDecodeError)?;
 let signature_length = header.signature_length() as usize;
- let total_length =
- signature_length + header.signer_length as usize + header.key_id_length as usize;
+ let total_length = signature_length
+ + header.signer_length as usize
+ + header.key_id_length as usize
+ + size_of::();
 if signature_length == 0 || (total_length > before_magic.len()) {
 return Ok(Some(RawKernelObjectSignature {
 header,

From 885c0a61f87f4dc391de0c284293e6243586362c Mon Sep 17 00:00:00 2001
From: Alex Zenla
Date: Tue, 30 Jun 2026 11:38:59 -0700
Subject: [PATCH 2/2] fix(object): bounds-check e_ident before reading ELF header

check_elf indexed bytes 4-6 after only verifying the 4-byte magic, panicking on files shorter than 7 bytes.
---
 src/object/content.rs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/object/content.rs b/src/object/content.rs
index d7a0065..aa25c9c 100644
--- a/src/object/content.rs
+++ b/src/object/content.rs
@@ -44,6 +44,11 @@ impl KernelObjectContent {
 return false;
 }
 
+ // Need at least the e_ident fields read below (EI_CLASS, EI_DATA, EI_VERSION).
+ if self.bytes.len() < 7 {
+ return false;
+ }
+
 // Byte 5: EI_CLASS, 0x1 = 32-bit, 0x2 = 64-bit module
 if self.bytes[4] != 1 && self.bytes[4] != 2 {
 return false;
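Review bot: The widened `total_length` sum on the new side is still unchecked arithmetic, so on a target where `usize` is 32 bits a crafted combination of `signature_length`, `signer_length` and `key_id_length` can wrap to a small value, pass the `total_length > before_magic.len()` test, and reach the same slice-offset underflow this commit sets out to remove (a debug build panics on the addition instead). The widths of those header fields are not visible in the hunk; if every length is at most 16 bits this cannot trigger, otherwise a `checked_add` chain that saturates to `usize::MAX` makes an overflowing total fail the existing length test without touching anything after it. Separately, the rejection branch returns `Ok(Some(RawKernelObjectSignature { header, …` for a zero or oversize length rather than an error; the rest of that branch and of the function lie outside the hunk, so if that `Some` deliberately carries a header-only, unvalidated signature, a one-line comment saying so on the `return` would stop a caller from treating it as parsed. The turbofish type arguments appear stripped in this rendering (`try_pod_read_unaligned::(header)`, `size_of::()`), so the snippet below keeps them exactly as the hunk shows.
```rust
let signature_length = header.signature_length() as usize;
// Checked arithmetic: a sum that wraps on a 32-bit target must not slip past the
// length test below, so an overflowing total saturates and is rejected like any
// other total larger than the buffer.
let total_length = signature_length
    .checked_add(header.signer_length as usize)
    .and_then(|n| n.checked_add(header.key_id_length as usize))
    .and_then(|n| n.checked_add(size_of::()))
    .unwrap_or(usize::MAX);
if signature_length == 0 || (total_length > before_magic.len()) {
    // … unchanged: early return with the header …
```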
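Review bot: The new guard's `7` is tied to the highest `e_ident` index the function reads (byte 6, EI_VERSION, per the commit message and the added comment) and has to be revisited whenever another identification byte is consulted; a well-formed ELF object always carries the full 16-byte `e_ident` (`EI_NIDENT`), so the bound can be anchored to that and named, `const EI_NIDENT: usize = 16;` followed by `if self.bytes.len() < EI_NIDENT {`. Rejecting short input before any indexed read is the right shape, and nothing in the hunk suggests a caller relies on a 7-to-15-byte input passing `check_elf`, though the remainder of the function is outside the hunk and should be checked for that. The pre-existing `// Byte 5: EI_CLASS` comment counts from 1 while the index is 0-based, which makes the `< 7` bound read as off-by-one; `// e_ident[4] = EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64` states it unambiguously. `check_elf` starts before the hunk (the leading `return false; }` belongs to the earlier magic check) and ends after it.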