| Message ID | 20210107233119.717173-1-bjorn.andersson@linaro.org (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 84168d1b54e76a1bcb5192991adde5176abe02e3 |
| Headers | show |
| Series | soc: qcom: mdt_loader: Validate that p_filesz < p_memsz | expand |
Hey Bjorn, Thanks for the patch! On 1/8/21 5:01 AM, Bjorn Andersson wrote: > The code validates that segments of p_memsz bytes of a segment will fit > in the provided memory region, but does not validate that p_filesz bytes > will, which means that an incorrectly crafted ELF header might write > beyond the provided memory region. > > Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5") > Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org> > --- > drivers/soc/qcom/mdt_loader.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c > index e01d18e9ad2b..5180b5996830 100644 > --- a/drivers/soc/qcom/mdt_loader.c > +++ b/drivers/soc/qcom/mdt_loader.c > @@ -230,6 +230,14 @@ static int __qcom_mdt_load(struct device *dev, const struct firmware *fw, > break; > } > > + if (phdr->p_filesz > phdr->p_memsz) { > + dev_err(dev, > + "refusing to load segment %d with p_filesz > p_memsz\n", > + i); > + ret = -EINVAL; > + break; > + } > + Reviewed-by: Sibi Sankar <sibis@codeaurora.org> > ptr = mem_region + offset; > > if (phdr->p_filesz && phdr->p_offset < fw->size) { >
Hello: This patch was applied to qcom/linux.git (refs/heads/for-next): On Thu, 7 Jan 2021 15:31:19 -0800 you wrote: > The code validates that segments of p_memsz bytes of a segment will fit > in the provided memory region, but does not validate that p_filesz bytes > will, which means that an incorrectly crafted ELF header might write > beyond the provided memory region. > > Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5") > Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org> > > [...] Here is the summary with links: - soc: qcom: mdt_loader: Validate that p_filesz < p_memsz https://git.kernel.org/qcom/c/84168d1b54e7 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html
diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c index e01d18e9ad2b..5180b5996830 100644 --- a/drivers/soc/qcom/mdt_loader.c +++ b/drivers/soc/qcom/mdt_loader.c @@ -230,6 +230,14 @@ static int __qcom_mdt_load(struct device *dev, const struct firmware *fw, break; } + if (phdr->p_filesz > phdr->p_memsz) { + dev_err(dev, + "refusing to load segment %d with p_filesz > p_memsz\n", + i); + ret = -EINVAL; + break; + } + ptr = mem_region + offset; if (phdr->p_filesz && phdr->p_offset < fw->size) {
The code validates that segments of p_memsz bytes of a segment will fit in the provided memory region, but does not validate that p_filesz bytes will, which means that an incorrectly crafted ELF header might write beyond the provided memory region. Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5") Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org> --- drivers/soc/qcom/mdt_loader.c | 8 ++++++++ 1 file changed, 8 insertions(+)