From patchwork Thu Apr 28 09:28:30 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Russell King <rmk+kernel@arm.linux.org.uk>
X-Patchwork-Id: 8967401
Return-Path: 
 <linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org>
X-Original-To: patchwork-linux-arm@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id 830E4BF29F
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Thu, 28 Apr 2016 09:35:27 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id B4B252028D
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Thu, 28 Apr 2016 09:35:26 +0000 (UTC)
Received: from bombadil.infradead.org (bombadil.infradead.org
	[198.137.202.9])
	(using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id E0FFB20109
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Thu, 28 Apr 2016 09:35:24 +0000 (UTC)
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.80.1 #2 (Red Hat Linux))
	id 1aviKp-0004Ih-AS; Thu, 28 Apr 2016 09:34:11 +0000
Received: from pandora.arm.linux.org.uk
	([2001:4d48:ad52:3201:214:fdff:fe10:1be6])
	by bombadil.infradead.org with esmtps (Exim 4.80.1 #2 (Red Hat
	Linux)) id 1aviKl-0003gk-Rv
	for linux-arm-kernel@lists.infradead.org;
	Thu, 28 Apr 2016 09:34:08 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=arm.linux.org.uk; s=pandora-2014;
	h=Date:Sender:Message-Id:Content-Type:Content-Transfer-Encoding:MIME-Version:Subject:Cc:To:From:References:In-Reply-To;
	bh=um4hAhkFnXcefxfDjAY5AjD5NKidB2fFcLPyRKiCd28=;
	b=MwpzWeyqjlNFUbSCBGRb+SNHkcTJnYQQ47/0xVtgzqhGJsQSqUQYXgYcx2oAdK/2WLJgLWBVCuPI1G+c9uzNA/ugL71YMQ6U7l8O9opsdQ6ZmvM+Vv37+UjOo1Vq+qeFgSjV03gELmcvnIHVdAXxveMs8vrgwtQiMIY95XEvm9o=;
Received: from e0022681537dd.dyn.arm.linux.org.uk
	([2001:4d48:ad52:3201:222:68ff:fe15:37dd]:33332
	helo=rmk-PC.arm.linux.org.uk)
	by pandora.arm.linux.org.uk with esmtpsa (TLSv1:AES128-SHA:128)
	(Exim 4.82_1-5b7a7c0-XX) (envelope-from <rmk@arm.linux.org.uk>)
	id 1aviFY-0004Bd-7l; Thu, 28 Apr 2016 10:28:44 +0100
Received: from rmk by rmk-PC.arm.linux.org.uk with local (Exim
	4.82_1-5b7a7c0-XX) (envelope-from <rmk@arm.linux.org.uk>)
	id 1aviFK-0000jY-1S; Thu, 28 Apr 2016 10:28:30 +0100
In-Reply-To: <20160428092644.GX19428@n2100.arm.linux.org.uk>
References: <20160428092644.GX19428@n2100.arm.linux.org.uk>
From: Russell King <rmk+kernel@arm.linux.org.uk>
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 09/12] kexec: ensure user memory sizes do not wrap
MIME-Version: 1.0
Content-Disposition: inline
Message-Id: <E1aviFK-0000jY-1S@rmk-PC.arm.linux.org.uk>
Date: Thu, 28 Apr 2016 10:28:30 +0100
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20160428_023408_258519_B7A95458 
X-CRM114-Status: UNSURE (   9.98  )
X-CRM114-Notice: Please train this message.
X-Spam-Score: -5.3 (-----)
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Cc: Mark Rutland <mark.rutland@arm.com>, devicetree@vger.kernel.org,
	Tony Luck <tony.luck@intel.com>, linux-ia64@vger.kernel.org,
	linux-doc@vger.kernel.org, Pawel Moll <pawel.moll@arm.com>,
	Jonathan Corbet <corbet@lwn.net>,
	Ian Campbell <ijc+devicetree@hellion.org.uk>,
	kexec@lists.infradead.org, Fenghua Yu <fenghua.yu@intel.com>,
	Haren Myneni <hbabu@us.ibm.com>, Rob Herring <robh+dt@kernel.org>,
	Eric Biederman <ebiederm@xmission.com>,
	Santosh Shilimkar <ssantosh@kernel.org>,
	Kumar Gala <galak@codeaurora.org>, Vivek Goyal <vgoyal@redhat.com>
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
X-Spam-Status: No, score=-5.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD,T_DKIM_INVALID,UNPARSEABLE_RELAY
	autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Ensure that user memory sizes do not wrap around when validating the
user input, which can lead to the following input validation working
incorrectly.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Reviewed-by: Pratyush Anand <panand@redhat.com>
---
 kernel/kexec_core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
index 8d34308ea449..d719a4d0ef55 100644
--- a/kernel/kexec_core.c
+++ b/kernel/kexec_core.c
@@ -169,6 +169,8 @@ int sanity_check_segment_list(struct kimage *image)
 
 		mstart = image->segment[i].mem;
 		mend   = mstart + image->segment[i].memsz;
+		if (mstart > mend)
+			return result;
 		if ((mstart & ~PAGE_MASK) || (mend & ~PAGE_MASK))
 			return result;
 		if (mend >= KEXEC_DESTINATION_MEMORY_LIMIT)