Message ID | 20240202063919.23780-1-quic_audityab@quicinc.com (mailing list archive) |
---|---|
State | Superseded, archived |
Headers | show |
Series | [v1] soc: qcom: mdt_loader: Add Upperbounds check for program header access | expand |
This should be v2., first time patches is always counted as v1 On 2/2/2024 12:09 PM, Auditya Bhattaram wrote: > hash_index is evaluated by looping phdrs till QCOM_MDT_TYPE_HASH > is found. Add an upperbound check to phdrs to access within elf size. > > Signed-off-by: Auditya Bhattaram <quic_audityab@quicinc.com> > --- > Added error prints for Invalid access. > Link for previous discussion https://lore.kernel.org/linux-arm-msm/5d7a3b97-d840-4863-91a0-32c1d8e7532f@linaro.org/T/#t Would be better if you take reference from other patches, Like above can be done as, Changes in v2: - ... - ,,, > --- > drivers/soc/qcom/mdt_loader.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c > index 6f177e46fa0f..61e2377cc5c3 100644 > --- a/drivers/soc/qcom/mdt_loader.c > +++ b/drivers/soc/qcom/mdt_loader.c > @@ -145,6 +145,11 @@ void *qcom_mdt_read_metadata(const struct firmware *fw, size_t *data_len, > if (phdrs[0].p_type == PT_LOAD) > return ERR_PTR(-EINVAL); > > + if (((size_t)(phdrs + ehdr->e_phnum)) > ((size_t)ehdr + fw->size)) { > + dev_err(dev, "Invalid phdrs access: %s\n", fw_name); > + return ERR_PTR(-EINVAL); > + } > + Should this not be marked for stable kernel ? as without this it could be accessing beyond fw_size for uncertain scenario. -Mukesh > for (i = 1; i < ehdr->e_phnum; i++) { > if ((phdrs[i].p_flags & QCOM_MDT_TYPE_MASK) == QCOM_MDT_TYPE_HASH) { > hash_segment = i; > -- > 2.17.1 > >
On 2/2/2024 1:34 PM, Mukesh Ojha wrote: > > This should be v2., first time patches is always counted as v1 > > On 2/2/2024 12:09 PM, Auditya Bhattaram wrote: >> hash_index is evaluated by looping phdrs till QCOM_MDT_TYPE_HASH >> is found. Add an upperbound check to phdrs to access within elf size. >> >> Signed-off-by: Auditya Bhattaram <quic_audityab@quicinc.com> > --- >> Added error prints for Invalid access. >> Link for previous discussion >> https://lore.kernel.org/linux-arm-msm/5d7a3b97-d840-4863-91a0-32c1d8e7532f@linaro.org/T/#t > > Would be better if you take reference from other patches, > > Like above can be done as, > > Changes in v2: > - ... > - ,,, >> --- >> drivers/soc/qcom/mdt_loader.c | 5 +++++ >> 1 file changed, 5 insertions(+) >> >> diff --git a/drivers/soc/qcom/mdt_loader.c >> b/drivers/soc/qcom/mdt_loader.c >> index 6f177e46fa0f..61e2377cc5c3 100644 >> --- a/drivers/soc/qcom/mdt_loader.c >> +++ b/drivers/soc/qcom/mdt_loader.c >> @@ -145,6 +145,11 @@ void *qcom_mdt_read_metadata(const struct >> firmware *fw, size_t *data_len, >> if (phdrs[0].p_type == PT_LOAD) >> return ERR_PTR(-EINVAL); >> >> + if (((size_t)(phdrs + ehdr->e_phnum)) > ((size_t)ehdr + fw->size)) { >> + dev_err(dev, "Invalid phdrs access: %s\n", fw_name); >> + return ERR_PTR(-EINVAL); >> + } >> + > > Should this not be marked for stable kernel ? as without this it could > be accessing beyond fw_size for uncertain scenario. > > -Mukesh Yes This should be marked for stable. > >> for (i = 1; i < ehdr->e_phnum; i++) { >> if ((phdrs[i].p_flags & QCOM_MDT_TYPE_MASK) == >> QCOM_MDT_TYPE_HASH) { >> hash_segment = i; >> -- >> 2.17.1 >> >>
diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c index 6f177e46fa0f..61e2377cc5c3 100644 --- a/drivers/soc/qcom/mdt_loader.c +++ b/drivers/soc/qcom/mdt_loader.c @@ -145,6 +145,11 @@ void *qcom_mdt_read_metadata(const struct firmware *fw, size_t *data_len, if (phdrs[0].p_type == PT_LOAD) return ERR_PTR(-EINVAL); + if (((size_t)(phdrs + ehdr->e_phnum)) > ((size_t)ehdr + fw->size)) { + dev_err(dev, "Invalid phdrs access: %s\n", fw_name); + return ERR_PTR(-EINVAL); + } + for (i = 1; i < ehdr->e_phnum; i++) { if ((phdrs[i].p_flags & QCOM_MDT_TYPE_MASK) == QCOM_MDT_TYPE_HASH) { hash_segment = i;
hash_index is evaluated by looping phdrs till QCOM_MDT_TYPE_HASH is found. Add an upperbound check to phdrs to access within elf size. Signed-off-by: Auditya Bhattaram <quic_audityab@quicinc.com> --- Added error prints for Invalid access. Link for previous discussion https://lore.kernel.org/linux-arm-msm/5d7a3b97-d840-4863-91a0-32c1d8e7532f@linaro.org/T/#t --- drivers/soc/qcom/mdt_loader.c | 5 +++++ 1 file changed, 5 insertions(+) -- 2.17.1