| Message ID | 20240208123527.19725-1-quic_audityab@quicinc.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [v3] soc: qcom: mdt_loader: Add Upperbounds check for program header access | expand |
On 2/8/2024 6:05 PM, Auditya Bhattaram wrote: > hash_index is evaluated by looping phdrs till QCOM_MDT_TYPE_HASH > is found. Add an upperbound check to phdrs to access within elf size. > > Fixes: 64fb5eb87d58 ("soc: qcom: mdt_loader: Allow hash to reside in any segment") > Cc: <stable@vger.kernel.org> > Signed-off-by: Auditya Bhattaram <quic_audityab@quicinc.com> > --- > Changes in v3: > - Corrected wrong patch versioning in the Subject. > - Added error prints for Invalid access. > Link to v2 https://lore.kernel.org/linux-arm-msm/9773d189-c896-d5c5-804c-e086c24987b4@quicinc.com/T/#t > Link to v1 https://lore.kernel.org/linux-arm-msm/5d7a3b97-d840-4863-91a0-32c1d8e7532f@linaro.org/T/#t > --- > drivers/soc/qcom/mdt_loader.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c > index 6f177e46fa0f..61e2377cc5c3 100644 > --- a/drivers/soc/qcom/mdt_loader.c > +++ b/drivers/soc/qcom/mdt_loader.c > @@ -145,6 +145,11 @@ void *qcom_mdt_read_metadata(const struct firmware *fw, size_t *data_len, > if (phdrs[0].p_type == PT_LOAD) > return ERR_PTR(-EINVAL); > > + if (((size_t)(phdrs + ehdr->e_phnum)) > ((size_t)ehdr + fw->size)) { This change is valid only if somehow, ehdr->e_phnum gets corrupted or changed via some engineering means and results in out-of-bounds access. Acked-by: Mukesh Ojha <quic_mojha@quicinc.com> > + dev_err(dev, "Invalid phdrs access: %s\n", fw_name); Should it print ehdr->e_phnum as well to be more valid? -Mukesh > + return ERR_PTR(-EINVAL); > + } > + > for (i = 1; i < ehdr->e_phnum; i++) { > if ((phdrs[i].p_flags & QCOM_MDT_TYPE_MASK) == QCOM_MDT_TYPE_HASH) { > hash_segment = i; > -- > 2.17.1 > >
On 2/8/2024 7:59 PM, Mukesh Ojha wrote: > > > On 2/8/2024 6:05 PM, Auditya Bhattaram wrote: >> hash_index is evaluated by looping phdrs till QCOM_MDT_TYPE_HASH >> is found. Add an upperbound check to phdrs to access within elf size. >> >> Fixes: 64fb5eb87d58 ("soc: qcom: mdt_loader: Allow hash to reside in >> any segment") >> Cc: <stable@vger.kernel.org> >> Signed-off-by: Auditya Bhattaram <quic_audityab@quicinc.com> >> --- >> Changes in v3: >> - Corrected wrong patch versioning in the Subject. >> - Added error prints for Invalid access. >> Link to v2 >> https://lore.kernel.org/linux-arm-msm/9773d189-c896-d5c5-804c-e086c24987b4@quicinc.com/T/#t >> Link to v1 >> https://lore.kernel.org/linux-arm-msm/5d7a3b97-d840-4863-91a0-32c1d8e7532f@linaro.org/T/#t >> --- >> drivers/soc/qcom/mdt_loader.c | 5 +++++ >> 1 file changed, 5 insertions(+) >> >> diff --git a/drivers/soc/qcom/mdt_loader.c >> b/drivers/soc/qcom/mdt_loader.c >> index 6f177e46fa0f..61e2377cc5c3 100644 >> --- a/drivers/soc/qcom/mdt_loader.c >> +++ b/drivers/soc/qcom/mdt_loader.c >> @@ -145,6 +145,11 @@ void *qcom_mdt_read_metadata(const struct >> firmware *fw, size_t *data_len, >> if (phdrs[0].p_type == PT_LOAD) >> return ERR_PTR(-EINVAL); >> >> + if (((size_t)(phdrs + ehdr->e_phnum)) > ((size_t)ehdr + fw->size)) { > > This change is valid only if somehow, ehdr->e_phnum gets corrupted or > changed via some engineering means and results in out-of-bounds access. > > Acked-by: Mukesh Ojha <quic_mojha@quicinc.com> > >> + dev_err(dev, "Invalid phdrs access: %s\n", fw_name); > > Should it print ehdr->e_phnum as well to be more valid? > > -Mukesh > Sure, planning to add fw->size as well. dev_err(dev, "Invalid phdrs access for fw: %s, e_phnum: %hu, fw->size: %zu \n", fw_name, ehdr->e_phnum, fw->size); >> + return ERR_PTR(-EINVAL); >> + } >> + >> for (i = 1; i < ehdr->e_phnum; i++) { >> if ((phdrs[i].p_flags & QCOM_MDT_TYPE_MASK) == >> QCOM_MDT_TYPE_HASH) { >> hash_segment = i; >> -- >> 2.17.1 >> >>
diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c index 6f177e46fa0f..61e2377cc5c3 100644 --- a/drivers/soc/qcom/mdt_loader.c +++ b/drivers/soc/qcom/mdt_loader.c @@ -145,6 +145,11 @@ void *qcom_mdt_read_metadata(const struct firmware *fw, size_t *data_len, if (phdrs[0].p_type == PT_LOAD) return ERR_PTR(-EINVAL); + if (((size_t)(phdrs + ehdr->e_phnum)) > ((size_t)ehdr + fw->size)) { + dev_err(dev, "Invalid phdrs access: %s\n", fw_name); + return ERR_PTR(-EINVAL); + } + for (i = 1; i < ehdr->e_phnum; i++) { if ((phdrs[i].p_flags & QCOM_MDT_TYPE_MASK) == QCOM_MDT_TYPE_HASH) { hash_segment = i;
hash_index is evaluated by looping phdrs till QCOM_MDT_TYPE_HASH is found. Add an upperbound check to phdrs to access within elf size. Fixes: 64fb5eb87d58 ("soc: qcom: mdt_loader: Allow hash to reside in any segment") Cc: <stable@vger.kernel.org> Signed-off-by: Auditya Bhattaram <quic_audityab@quicinc.com> --- Changes in v3: - Corrected wrong patch versioning in the Subject. - Added error prints for Invalid access. Link to v2 https://lore.kernel.org/linux-arm-msm/9773d189-c896-d5c5-804c-e086c24987b4@quicinc.com/T/#t Link to v1 https://lore.kernel.org/linux-arm-msm/5d7a3b97-d840-4863-91a0-32c1d8e7532f@linaro.org/T/#t --- drivers/soc/qcom/mdt_loader.c | 5 +++++ 1 file changed, 5 insertions(+) -- 2.17.1